Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
putty1.exe

Overview

General Information

Sample name:	putty1.exe
Analysis ID:	1525210
MD5:	f43852a976edcab5a7c82d248ce242d2
SHA1:	446ac2bb76e472c185f56b2b1246910a4438246d
SHA256:	4a38db0744930e1f5bfc0a82f63c907f7dc94270b930a3950e6a0abbc903c47f
Tags:	exeuser-timnet
Infos:

Detection

Score:	10
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

×

Process Tree

System is w10x64

putty1.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\putty1.exe" MD5: F43852A976EDCAB5A7C82D248CE242D2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: putty1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: putty1.exe

Static PE information: certificate valid

Source: putty1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E2A160 GetProcAddress,FindFirstFileA,CloseHandle,		0_2_00E2A160
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E9AF52 FindFirstFileExW,		0_2_00E9AF52
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E9B003 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00E9B003
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E09240 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		0_2_00E09240
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E595D0 FindFirstFileA,FindClose,FindWindowA,		0_2_00E595D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E35590 FindFirstFileA,FindClose,		0_2_00E35590

Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movzx eax, cl		0_2_00E1E140
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then call 00E1B740h		0_2_00E2A2E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], edx		0_2_00E60290
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then add esp, 04h		0_2_00E3E200
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]		0_2_00E1A4A0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+ebp]		0_2_00E5E480
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebx*4+04h]		0_2_00E02470
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov edi, edx		0_2_00E4A440
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then cmp dword ptr [ecx], eax		0_2_00E105F0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then cmp dword ptr [ecx], eax		0_2_00E105F0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ecx, dword ptr [edi+04h]		0_2_00E4A560
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov byte ptr [eax+esi*4+07h], 00000004h		0_2_00DE48D7
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ebx, dword ptr [ebp+edi*4+00h]		0_2_00E408D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ecx, dword ptr [esp+eax*8]		0_2_00E6E800
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then sub esi, 03h		0_2_00E529E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push 00000000h		0_2_00E649A0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push dword ptr [edi+10h]		0_2_00E44A90
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push ecx		0_2_00E18B80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov esi, 00000000h		0_2_00E50C00
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov edx, ecx		0_2_00DF2D51
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov esi, 00000000h		0_2_00E50D20
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx		0_2_00E5ED20
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then sub edx, 01h		0_2_00DFAF90
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push 00000001h		0_2_00E2CF90
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+01h]		0_2_00E1D000
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push ebx		0_2_00E65280
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push 00000000h		0_2_00E395E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx		0_2_00E5F5F0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+edx+00000220h]		0_2_00DF9500
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then add edi, 01h		0_2_00DF76B0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebp*4+04h]		0_2_00E03620
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ecx, edx		0_2_00E1B790
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ecx, dword ptr [eax-08h]		0_2_00E05720
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then cmp byte ptr [edi+ebx], 0000002Ch		0_2_00E2D700
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push esi		0_2_00E75820
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push ebx		0_2_00E13960
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movzx ebp, byte ptr [edi]		0_2_00E4BA80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]		0_2_00E1FA50
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov edi, dword ptr [ecx+18h]		0_2_00DEFA10
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push ecx		0_2_00E45B60
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov eax, dword ptr [00EE3768h]		0_2_00DE5B50
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movzx ebx, word ptr [ecx+edx*2]		0_2_00E67C30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ecx, esi		0_2_00DEFD30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then mov ecx, ebp		0_2_00E51D10
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then lea ecx, dword ptr [eax+01h]		0_2_00E61E40
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then push dword ptr [edi-4Ch]		0_2_00E33E10
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movsx edi, si		0_2_00E59F80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 4x nop then movzx edi, word ptr [ecx+edx*2]		0_2_00E67F20

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E16E00 recv,accept,WSAGetLastError,closesocket,recv,ioctlsocket,WSAGetLastError,recv,WSAGetLastError,

Source: putty1.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: putty1.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: putty1.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: putty1.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: putty1.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: putty1.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: putty1.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: putty1.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: putty1.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: putty1.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: putty1.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: putty1.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: putty1.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00DE6150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE6150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,		0_2_00DE6150
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE7490 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree,SendMessageA,		0_2_00DE7490

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00DE9D30 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00DEA960 GetKeyboardState,

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DF2070		0_2_00DF2070
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E44000		0_2_00E44000
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E0A1F0		0_2_00E0A1F0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DFA2E0		0_2_00DFA2E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E402A0		0_2_00E402A0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E60290		0_2_00E60290
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7C3E0		0_2_00E7C3E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E8839B		0_2_00E8839B
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E3E480		0_2_00E3E480
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E02470		0_2_00E02470
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4E410		0_2_00E4E410
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E00580		0_2_00E00580
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4C530		0_2_00E4C530
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E68530		0_2_00E68530
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DF2070		0_2_00DF2070
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DF6630		0_2_00DF6630
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DFE7C0		0_2_00DFE7C0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5E7B0		0_2_00E5E7B0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E62740		0_2_00E62740
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E408D0		0_2_00E408D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5E9B0		0_2_00E5E9B0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE8920		0_2_00DE8920
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E6EA90		0_2_00E6EA90
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E68A60		0_2_00E68A60
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4EA70		0_2_00E4EA70
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E1AA30		0_2_00E1AA30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5AB50		0_2_00E5AB50
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5EB30		0_2_00E5EB30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E00CE0		0_2_00E00CE0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7CCF0		0_2_00E7CCF0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E80CF0		0_2_00E80CF0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4ACA0		0_2_00E4ACA0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DF0C00		0_2_00DF0C00
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4ADE0		0_2_00E4ADE0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4CDA0		0_2_00E4CDA0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7ED80		0_2_00E7ED80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5ED20		0_2_00E5ED20
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E84D17		0_2_00E84D17
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E60E80		0_2_00E60E80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E44FF0		0_2_00E44FF0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DECFE0		0_2_00DECFE0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E68FA0		0_2_00E68FA0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DFAF90		0_2_00DFAF90
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5EF30		0_2_00E5EF30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5F0F0		0_2_00E5F0F0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E6B0C0		0_2_00E6B0C0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4D070		0_2_00E4D070
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E51020		0_2_00E51020
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5B03E		0_2_00E5B03E
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7F010		0_2_00E7F010
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E691D0		0_2_00E691D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5B182		0_2_00E5B182
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5B124		0_2_00E5B124
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE1130		0_2_00DE1130
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5F2D0		0_2_00E5F2D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E67310		0_2_00E67310
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE7490		0_2_00DE7490
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E69460		0_2_00E69460
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE5400		0_2_00DE5400
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E395E0		0_2_00E395E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5F5F0		0_2_00E5F5F0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5F550		0_2_00E5F550
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4B500		0_2_00E4B500
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7D7B0		0_2_00E7D7B0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E6B780		0_2_00E6B780
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E1B790		0_2_00E1B790
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00EA175F		0_2_00EA175F
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4B700		0_2_00E4B700
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4F710		0_2_00E4F710
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E558C0		0_2_00E558C0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4B8D0		0_2_00E4B8D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DEB8A0		0_2_00DEB8A0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E49840		0_2_00E49840
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E8583C		0_2_00E8583C
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5F800		0_2_00E5F800
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7F9E0		0_2_00E7F9E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5F9D0		0_2_00E5F9D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5B9B0		0_2_00E5B9B0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E77920		0_2_00E77920
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E35AD0		0_2_00E35AD0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E67AB0		0_2_00E67AB0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E4BA80		0_2_00E4BA80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E87A40		0_2_00E87A40
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E59B90		0_2_00E59B90
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E61B20		0_2_00E61B20
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E6DB30		0_2_00E6DB30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E6FCA0		0_2_00E6FCA0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E75C30		0_2_00E75C30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E71DE0		0_2_00E71DE0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE9D80		0_2_00DE9D80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5FD10		0_2_00E5FD10
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E49EC0		0_2_00E49EC0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE1E56		0_2_00DE1E56
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DEFE10		0_2_00DEFE10
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7DE30		0_2_00E7DE30
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E59F80		0_2_00E59F80
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E83F44		0_2_00E83F44
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E5FF00		0_2_00E5FF00

Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E056D0 appears 44 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E806F0 appears 49 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E8F403 appears 678 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E18D90 appears 380 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E19340 appears 57 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E29AA0 appears 85 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E291A0 appears 39 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E49C90 appears 62 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E28C60 appears 32 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E48510 appears 40 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E48520 appears 38 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E13F60 appears 111 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E1EF00 appears 81 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E4AB20 appears 43 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00DE6A00 appears 51 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E92D70 appears 69 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E14030 appears 78 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E28DB0 appears 87 times
Source: C:\Users\user\Desktop\putty1.exe	Code function: String function: 00E199E0 appears 37 times

Source: putty1.exe, 00000000.00000000.1398037989.0000000000EEA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePuTTYd" vs putty1.exe
Source: putty1.exe	Binary or memory string: OriginalFilenamePuTTYd" vs putty1.exe

Source: putty1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean10.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E1D3E0 FormatMessageA,_strlen,GetLastError,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E04450 CoCreateInstance,CoCreateInstance,CoCreateInstance,_strlen,CoCreateInstance,_strlen,CoCreateInstance,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00DEB280 GetProcAddress,FreeLibrary,FindResourceA,SizeofResource,LoadResource,LockResource,

Source: putty1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\putty1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: putty1.exe	String found in binary or memory: config-serial-stopbits
Source: putty1.exe	String found in binary or memory: source-address
Source: putty1.exe	String found in binary or memory: config-ssh-portfwd-address-family
Source: putty1.exe	String found in binary or memory: config-address-family
Source: putty1.exe	String found in binary or memory: config-address-family
Source: putty1.exe	String found in binary or memory: config-ssh-portfwd-address-family
Source: putty1.exe	String found in binary or memory: [200~}\|\|{zconfig-proxyUnable to parse auth header from HTTP proxyConnection/Proxysshttypermit-ptyconfig-ssh-ptyServer refused to allocate ptyAllocated ptyReset scrollback on display activityidentityconfig-ssh-xauthorityPublic key of certification authoritySelect public key file of certification authorityconfig-serial-parityConfiguring %s paritySerialParityFontQualityValidityAddDllDirectoryOut of memoryCryptProtectMemoryArgon2-MemoryUnable to load any WinSock libraryprimaryconfig-selection-autocopyMouseAutocopyconfig-rtfcopyWindow/Selection/Copy&CopyFlush log file frequentlyApplyReceived invalid elliptic curve point in ECDH replyReceived invalid elliptic curve point in GSSAPI ECDH replyconfig-altonlyKey file contains public key onlyUse font in OEM mode onlyAltOnlyForwarded port opened successfullyDisconnect if authentication succeeds triviallyconfig-address-familyconfig-ssh-portfwd-address-familyNetwork error: Address family not supported by protocol familyAddressFamilyForbid resizing completelyHandles SSH-2 key re-exchange badlyValid hosts this key is trusted to certifyModifyconfig-ssh-privkey-hostkeyconfig-telnetkeyconfig-ssh-kex-rekeyconfig-ssh-bug-rekeyGssapiRekeypublickeypubkeycert_ca_keyerrors-cant-load-keyputty-private-key-file-mac-keycross-certifying new host keyNoninteractive SSH proxy cannot confirm host keyNoninteractive SSH proxy cannot confirm weak cached host keyNo validity expression configured for this keyServer refused our keyuser authentication keyEncrypted session keyssh.com SSH-2 private keynot a PuTTY SSH-2 private keynot a public key or a PuTTY SSH-2 private keySSH-1 private keyAltGr acts as Compose keyunable to identify algorithm of base keyThe Backspace keyAdd keyFull text of host's public keyOffered public keySSH-1 public keyFingerprint of signing CA keyHostKeyTelnetKeyScrollOnKeyComposeKeyPublicKeySteadycleanup after downstream went awayDisable bidirectional text displayX authority file for local displayX11Displayconfig-nodelayTCPNoDelaypublic_affine_ypublic_yLinuxaux-demo-config-boxPuTTYConfigBoxunixdisplay name '%s' has no ':number' suffixgssapi-keyexLocal\putty-connshare-mutexNTRU Prime / Curve25519 hybrid kexServer's host key did not match any used in previous GSS kexConnection/SSH/Kexhhctrl.ocxprivate_xpublic_affine_xFlashWindowExToUnicodeExPageantRequest%08x%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x%s%02x\'%02x0x-x%xunknown reason code %#x-pwconfig-sharrowANSI Yellowconfig-serial-flowOptions controlling %s's windowConfigure the behaviour of %s's windowConfigure the appearance of %s's windowHide mouse pointer when typing in windowPrint proxy diagnostics in the terminal windowFont used in the terminal windowWarn before closing windowControl the scrollback in the windowSet the size of the windowMonitorFromWindowPuTTY key format too newWriting newCourier Newconfig-utf8linedrawUTF8linedrawconfig-linedrawRaw
Source: putty1.exe	String found in binary or memory: config-serial-stopbits
Source: putty1.exe	String found in binary or memory: source-address
Source: putty1.exe	String found in binary or memory: /config-address-family.html
Source: putty1.exe	String found in binary or memory: /config-serial-stopbits.html
Source: putty1.exe	String found in binary or memory: j'/config-ssh-portfwd-address-family.html
Source: putty1.exe	String found in binary or memory: /faq-startmax.html
Source: putty1.exe	String found in binary or memory: /faq-startsess.html
Source: putty1.exe	String found in binary or memory: /faq-startssh.html
Source: putty1.exe	String found in binary or memory: /feedback-address.html
Source: putty1.exe	String found in binary or memory: /pageant-mainwin-addkey.html
Source: putty1.exe	String found in binary or memory: /pageant-start.html
Source: putty1.exe	String found in binary or memory: /plink-starting.html
Source: putty1.exe	String found in binary or memory: /pscp-starting.html
Source: putty1.exe	String found in binary or memory: /psftp-cmd-help.html
Source: putty1.exe	String found in binary or memory: /psftp-starting.html

Source: C:\Users\user\Desktop\putty1.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\putty1.exe	Section loaded: textshaping.dll			Jump to behavior

Source: C:\Users\user\Desktop\putty1.exe

Window detected: Number of UI elements: 20

Source: putty1.exe

Static PE information: certificate valid

Source: putty1.exe

Static file information: File size 1490208 > 1048576

Source: putty1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: putty1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: putty1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: putty1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: putty1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: putty1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: putty1.exe	Static PE information: section name: .00cfg
Source: putty1.exe	Static PE information: section name: .voltbl

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E9B9A3 push ecx; ret

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE8280 IsIconic,SetWindowTextW,SetWindowTextA,		0_2_00DE8280
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE83E0 IsIconic,ShowWindow,		0_2_00DE83E0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00DE8330 IsIconic,SetWindowTextW,SetWindowTextA,		0_2_00DE8330

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00DE4740 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize,MessageBoxA,

Source: C:\Users\user\Desktop\putty1.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E2A160 GetProcAddress,FindFirstFileA,CloseHandle,		0_2_00E2A160
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E9AF52 FindFirstFileExW,		0_2_00E9AF52
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E9B003 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00E9B003
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E09240 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		0_2_00E09240
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E595D0 FindFirstFileA,FindClose,FindWindowA,		0_2_00E595D0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E35590 FindFirstFileA,FindClose,		0_2_00E35590

Source: putty1.exe, 00000000.00000002.2645566446.000000000167E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E9612D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E8C4A2 mov ecx, dword ptr fs:[00000030h]		0_2_00E8C4A2
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E97CE0 mov eax, dword ptr fs:[00000030h]		0_2_00E97CE0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E97CAF mov eax, dword ptr fs:[00000030h]		0_2_00E97CAF
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E97D24 mov eax, dword ptr fs:[00000030h]		0_2_00E97D24

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E94FE1 GetProcessHeap,

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E9612D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E9612D
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E8050E SetUnhandledExceptionFilter,		0_2_00E8050E
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E8051A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E8051A
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E7FEBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00E7FEBD

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E1CBD0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E1CD70 DeleteObject,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E80735 cpuid

Source: C:\Users\user\Desktop\putty1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		0_2_00E9A27B
Source: C:\Users\user\Desktop\putty1.exe	Code function: EnumSystemLocalesW,		0_2_00E9A4D1
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		0_2_00E9A56C
Source: C:\Users\user\Desktop\putty1.exe	Code function: EnumSystemLocalesW,		0_2_00E9A7BF
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetLocaleInfoW,		0_2_00E94777
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,PeekMessageW,IsWindow,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,		0_2_00DE48D7
Source: C:\Users\user\Desktop\putty1.exe	Code function: EnumSystemLocalesW,		0_2_00E9A8F3
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetLocaleInfoW,		0_2_00E9A81E
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		0_2_00E9A9E5
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetLocaleInfoW,		0_2_00E9A93E
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetLocaleInfoW,		0_2_00E9AAEB
Source: C:\Users\user\Desktop\putty1.exe	Code function: EnumSystemLocalesW,		0_2_00E94EC5
Source: C:\Users\user\Desktop\putty1.exe	Code function: GetLocaleInfoA,DefWindowProcW,		0_2_00DE1B3F

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E70910 ___from_strstr_to_strchr,CreateNamedPipeA,CreateEventA,GetLastError,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E803CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E48350 GetProcAddress,___from_strstr_to_strchr,GetUserNameA,GetUserNameA,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00EA5AE6 GetTimeZoneInformation,

Source: C:\Users\user\Desktop\putty1.exe

Code function: 0_2_00E1D2F0 GetVersionExA,GetProcAddress,

Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E164C0 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,		0_2_00E164C0
Source: C:\Users\user\Desktop\putty1.exe	Code function: 0_2_00E169B0 socket,SetHandleInformation,_strncpy,setsockopt,inet_addr,htonl,htonl,getaddrinfo,htons,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,		0_2_00E169B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
putty1.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	putty1.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	putty1.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	putty1.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	putty1.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	putty1.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	putty1.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	putty1.exe	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/	putty1.exe	false		unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	putty1.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	putty1.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525210
Start date and time:	2024-10-03 21:29:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	putty1.exe
Detection:	CLEAN
Classification:	clean10.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 16 Number of non-executed functions: 239
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: putty1.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.106839841652793
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	putty1.exe
File size:	1'490'208 bytes
MD5:	f43852a976edcab5a7c82d248ce242d2
SHA1:	446ac2bb76e472c185f56b2b1246910a4438246d
SHA256:	4a38db0744930e1f5bfc0a82f63c907f7dc94270b930a3950e6a0abbc903c47f
SHA512:	3b4ab06664cb4c228ef0e85cc38d4035d4d2c0b4febd7fa410da65bbcc7b4eafbec924e8d14f02432125fa3d9fb22e50a87707b1c1028ad5d3f0bfbcd4b4075e
SSDEEP:	24576:VWzNpYIUzAcFZPVUw1L9ub0VsfMzXGk1GUzwgBaPIJdTaKIe0MStS/o6ui2OXK0:gc3vpJSMwgkk8KIeVSc/zuiV
TLSH:	2F65BF52B6D244B1F48205B506ABE73FBE39B1416721CAC7D7E0D8181D522E2EA3F35E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......f.................r..........&.............@.......................................@........................................

File Icon


Icon Hash:	5c1d1e974b031d47

Static PE Info

General

Entrypoint:	0x4a0126
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66111AB3 [Sat Apr 6 09:49:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1bcee876dfae5e68c3451c29f9217c72

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	06/11/2021 01:00:00 06/11/2024 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	6F05B370ED850ADBDA93F7D41CDDA4C2
Thumbprint SHA-1:	6026ABF61401A3A86F1A4C6D37E7A4CC4D50B3AD
Thumbprint SHA-256:	8B5D2A54B182D234CC46D2FD4D9B139610CE6D3ABF3BEEF328E3884E9B14A850
Serial:	008E3FBFB91BE6DA041BA41F7A983AD61E

Entrypoint Preview

Instruction
call 00007F0974E2520Bh
jmp 00007F0974E24E2Fh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F0974E24FBFh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [005058D8h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007F0974E24FB9h
call 00007F0974E3304Ah
jmp 00007F0974E24FBDh
push 005058D8h
call 00007F0974E32FCDh
pop ecx
neg eax
pop ecx
sbb eax, eax
not eax
and eax, dword ptr [ebp+08h]
pop ebp
ret
push 00000008h
push 005016A8h
call 00007F0974E25527h
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007F0974E2500Fh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F0974E24FFEh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F0974E24FF0h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007F0974E25132h
pop ecx
pop ecx
test eax, eax
je 00007F0974E24FD9h
cmp dword ptr [eax+24h], 00000000h
jl 00007F0974E24FD3h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007F0974E24FD1h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xff3f0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10a000	0x5ab40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x166600	0x5720	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x165000	0xa118	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xdf178	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xdb300	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xff9f4	0x550	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc718a	0xc7200	ef2d6649c1d211e9e21ac85db7479828	False	0.5326894028562461	data	6.56577754807733	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc9000	0x38ea4	0x39000	bfba239cd998737d70a3ee35be906078	False	0.36755156935307015	PDP-11 UNIX/RT ldp	5.686399689822873	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x102000	0x40d8	0xc00	e6c7c4efb25863a7406b1343454e9e66	False	0.20052083333333334	data	2.3468533443553583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x107000	0x8	0x200	c6b95c9f4425789f7064a4d6031b1920	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x108000	0x9	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.voltbl	0x109000	0x92	0x200	03a5735da454908b67301bcd8a21faed	False	0.314453125	data	2.4564278945748805
.rsrc	0x10a000	0x5ab40	0x5ac00	9c764f4e8094f8b15d198664caad28ee	False	0.9162577479338843	data	7.8273203562602065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x165000	0xa118	0xa200	5ba611bd8ec9464eeca1f9de434b7024	False	0.6260127314814815	data	6.6946253592370395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x10a520	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5202702702702703
RT_ICON	0x10a648	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.3602150537634409
RT_ICON	0x10a930	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.2097560975609756
RT_ICON	0x10af98	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 64	English	United States	0.5681818181818182
RT_ICON	0x10b048	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 128	English	United States	0.5263157894736842
RT_ICON	0x10b178	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 384	English	United States	0.2928921568627451
RT_ICON	0x10b508	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6081081081081081
RT_ICON	0x10b630	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4771505376344086
RT_ICON	0x10b918	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3195121951219512
RT_ICON	0x10bf80	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 64	English	United States	0.6590909090909091
RT_ICON	0x10c030	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 128	English	United States	0.7368421052631579
RT_ICON	0x10c160	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 384	English	United States	0.45465686274509803
RT_DIALOG	0x163da8	0x76	data	English	United States	0.711864406779661
RT_DIALOG	0x163e20	0xba	data	English	United States	0.7741935483870968
RT_DIALOG	0x163ca8	0xfa	data	English	United States	0.692
RT_DIALOG	0x163ee0	0x8a	data	English	United States	0.8260869565217391
RT_DIALOG	0x163f70	0x1ae	data	English	United States	0.5720930232558139
RT_DIALOG	0x164120	0xde	data	English	United States	0.7207207207207207
RT_DIALOG	0x164200	0xa8	data	English	United States	0.7023809523809523
RT_GROUP_ICON	0x10b4a8	0x5a	data	English	United States	0.7444444444444445
RT_GROUP_ICON	0x10c490	0x5a	data	English	United States	0.7666666666666667
RT_VERSION	0x1642a8	0x338	data	English	United States	0.4817961165048544
RT_MANIFEST	0x1645e0	0x559	XML 1.0 document, ASCII text	English	United States	0.4579985390796202
None	0x10c4f0	0x577b7	MS Windows HtmlHelp Data	English	United States	0.938371934015578

Imports

DLL	Import
GDI32.dll	BitBlt, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateFontA, CreateFontIndirectA, CreatePalette, CreatePen, CreateSolidBrush, DeleteDC, DeleteObject, ExcludeClipRect, ExtTextOutA, ExtTextOutW, GetBkMode, GetCharABCWidthsFloatA, GetCharWidth32A, GetCharWidth32W, GetCharWidthA, GetCharWidthW, GetCharacterPlacementW, GetCurrentObject, GetDIBits, GetDeviceCaps, GetObjectA, GetOutlineTextMetricsA, GetPixel, GetStockObject, GetTextExtentExPointA, GetTextExtentPoint32A, GetTextMetricsA, IntersectClipRect, LineTo, MoveToEx, Polyline, RealizePalette, Rectangle, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapMode, SetPaletteEntries, SetPixel, SetTextAlign, SetTextColor, TextOutA, TranslateCharsetInfo, UnrealizeObject, UpdateColors
IMM32.dll	ImmGetCompositionStringW, ImmGetContext, ImmReleaseContext, ImmSetCompositionFontA, ImmSetCompositionWindow
ole32.dll	CoCreateInstance, CoInitialize, CoUninitialize
USER32.dll	AppendMenuA, BeginPaint, CheckDlgButton, CheckMenuItem, CheckRadioButton, CloseClipboard, CreateCaret, CreateDialogParamA, CreateMenu, CreatePopupMenu, CreateWindowExA, CreateWindowExW, DefDlgProcA, DefWindowProcA, DefWindowProcW, DeleteMenu, DestroyCaret, DestroyIcon, DestroyWindow, DialogBoxParamA, DispatchMessageA, DispatchMessageW, DrawEdge, DrawIconEx, EmptyClipboard, EnableMenuItem, EnableWindow, EndDialog, EndPaint, FindWindowA, FlashWindow, GetCapture, GetCaretBlinkTime, GetClientRect, GetClipboardData, GetClipboardOwner, GetCursorPos, GetDC, GetDesktopWindow, GetDlgItem, GetDlgItemTextA, GetDoubleClickTime, GetForegroundWindow, GetKeyboardLayout, GetKeyboardState, GetMessageA, GetMessageTime, GetParent, GetQueueStatus, GetScrollInfo, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetWindowLongA, GetWindowPlacement, GetWindowRect, GetWindowTextA, GetWindowTextLengthA, HideCaret, InsertMenuA, InvalidateRect, IsDialogMessageA, IsDlgButtonChecked, IsIconic, IsWindow, IsZoomed, KillTimer, LoadCursorA, LoadIconA, LoadImageA, MapDialogRect, MessageBeep, MessageBoxA, MessageBoxIndirectA, MoveWindow, MsgWaitForMultipleObjects, OffsetRect, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageA, PostQuitMessage, RegisterClassA, RegisterClassW, RegisterClipboardFormatA, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, ScreenToClient, SendDlgItemMessageA, SendMessageA, SetActiveWindow, SetCapture, SetCaretPos, SetClassLongA, SetClipboardData, SetCursor, SetDlgItemTextA, SetFocus, SetForegroundWindow, SetKeyboardState, SetScrollInfo, SetTimer, SetWindowLongA, SetWindowPlacement, SetWindowPos, SetWindowTextA, SetWindowTextW, ShowCaret, ShowCursor, ShowWindow, SystemParametersInfoA, ToAsciiEx, TrackPopupMenu, TranslateMessage, UpdateWindow
KERNEL32.dll	Beep, ClearCommBreak, CloseHandle, CompareStringW, ConnectNamedPipe, CreateEventA, CreateFileA, CreateFileMappingA, CreateFileW, CreateMutexA, CreateNamedPipeA, CreatePipe, CreateProcessA, CreateThread, DecodePointer, DeleteCriticalSection, DeleteFileA, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileA, FindFirstFileExW, FindNextFileA, FindNextFileW, FindResourceA, FlushFileBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommState, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetEnvironmentStringsW, GetEnvironmentVariableA, GetFileSizeEx, GetFileType, GetLastError, GetLocalTime, GetLocaleInfoA, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessTimes, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryA, GetSystemTimeAsFileTime, GetTempPathA, GetThreadTimes, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetWindowsDirectoryA, GlobalAlloc, GlobalFree, GlobalLock, GlobalMemoryStatus, GlobalUnlock, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadResource, LocalAlloc, LocalFileTimeToFileTime, LocalFree, LockResource, MapViewOfFile, MulDiv, MultiByteToWideChar, OpenProcess, OutputDebugStringW, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseMutex, RtlUnwind, SetCommBreak, SetCommState, SetCommTimeouts, SetCurrentDirectoryA, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFilePointerEx, SetHandleInformation, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SizeofResource, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, WaitForSingleObject, WaitNamedPipeA, WideCharToMultiByte, WriteConsoleW, WriteFile
SHELL32.dll	ShellExecuteA
COMDLG32.dll	ChooseColorA, ChooseFontA, GetOpenFileNameA, GetSaveFileNameA
ADVAPI32.dll	AllocateAndInitializeSid, CopySid, EqualSid, GetLengthSid, GetUserNameA, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegEnumKeyA, RegOpenKeyA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, SetSecurityDescriptorDacl, SetSecurityDescriptorOwner

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: putty1.exePID: 7828, Parent PID: 4084

General

Target ID:	0
Start time:	15:29:57
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\putty1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\putty1.exe"
Imagebase:	0xde0000
File size:	1'490'208 bytes
MD5 hash:	F43852A976EDCAB5A7C82D248CE242D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: putty1.exePID: 7828, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	270
Total number of Limit Nodes:	23

Executed Functions

Function 00DE4740 Relevance: 45.6, APIs: 11, Strings: 15, Instructions: 104
libraryloaderwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1BFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00E2A190,kernel32.dll), ref: 00E1BFCF

GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 00DE479A
GetProcAddress.KERNEL32(00000000,ToUnicodeEx), ref: 00DE47A7
GetProcAddress.KERNEL32(00000000,PlaySoundA), ref: 00DE47C6
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00DE47E5
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00DE47F2
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00DE47FF
GetProcAddress.KERNEL32(00000000,GetDpiForMonitor), ref: 00DE4828
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 00DE4847
GetProcAddress.KERNEL32(00000000,AdjustWindowRectExForDpi), ref: 00DE4854
CoInitialize.OLE32(00000000), ref: 00DE4875
MessageBoxA.USER32(00000000,Failed to initialize COM subsystem,00000000,00000030), ref: 00DE489F

Strings

ToUnicodeEx, xrefs: 00DE47A1
GetMonitorInfoA, xrefs: 00DE47DF
%s Fatal Error, xrefs: 00DE4886
PlaySoundA, xrefs: 00DE47C0
shcore.dll, xrefs: 00DE477B
AdjustWindowRectExForDpi, xrefs: 00DE484E
#k, xrefs: 00DE4758
user32.dll, xrefs: 00DE475D
GetDpiForMonitor, xrefs: 00DE4822
GetSystemMetricsForDpi, xrefs: 00DE4841
Failed to initialize COM subsystem, xrefs: 00DE4898
MonitorFromWindow, xrefs: 00DE47F9
MonitorFromPoint, xrefs: 00DE47EC
FlashWindowEx, xrefs: 00DE4794
winmm.dll, xrefs: 00DE476C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc$InitializeLibraryLoadMessage
String ID: %s Fatal Error$AdjustWindowRectExForDpi$Failed to initialize COM subsystem$FlashWindowEx$GetDpiForMonitor$GetMonitorInfoA$GetSystemMetricsForDpi$MonitorFromPoint$MonitorFromWindow$PlaySoundA$ToUnicodeEx$shcore.dll$user32.dll$winmm.dll$#k
API String ID: 2501503455-2996361279
Opcode ID: 8ce96e02ee64794f72c49ecd8409799eb739178e586877188a2921f29eecf8a6
Instruction ID: fd4139ddd5e0c8071304176ac71ac614978b525c841b47f6a22961d0ef75210e
Opcode Fuzzy Hash: 8ce96e02ee64794f72c49ecd8409799eb739178e586877188a2921f29eecf8a6
Instruction Fuzzy Hash: C8314C72E417C8AED2017B727D86F6A77A0EF51700B04103AF902BB251EB61D94687E6

Function 00E48350 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 00E4839E
___from_strstr_to_strchr.LIBCMT ref: 00E483EE
GetUserNameA.ADVAPI32(00000000), ref: 00E48414
GetUserNameA.ADVAPI32(00000000), ref: 00E48440

Strings

GetUserNameExA, xrefs: 00E48398
secur32.dll, xrefs: 00E48378
sspicli.dll, xrefs: 00E48387
Logical name of remote host (e.g. for SSH key lookup):, xrefs: 00E48350

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: NameUser$AddressProc___from_strstr_to_strchr
String ID: GetUserNameExA$Logical name of remote host (e.g. for SSH key lookup):$secur32.dll$sspicli.dll
API String ID: 1511097851-421106942
Opcode ID: eead83aa0465c131ad791758946a2d099b5b441459fb7895df4c105aa4d4a962
Instruction ID: 136b4ff7f3adb89cad5ff7533f3c667f3d954a2de58362b5f6af4018f0c1966d
Opcode Fuzzy Hash: eead83aa0465c131ad791758946a2d099b5b441459fb7895df4c105aa4d4a962
Instruction Fuzzy Hash: FA2126716043006BE7146F22BE0AFAF36D89F41B44F05102CF956BF2C1EEA09884C3A6

Function 00E152B0 Relevance: 138.6, APIs: 40, Strings: 39, Instructions: 372
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1BFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00E2A190,kernel32.dll), ref: 00E1BFCF

GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00E152EB
GetProcAddress.KERNEL32(75340000,getaddrinfo), ref: 00E15308
GetProcAddress.KERNEL32(75340000,freeaddrinfo), ref: 00E15323
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00E1534D
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00E15367
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 00E15382
GetProcAddress.KERNEL32(75340000,WSAAddressToStringA), ref: 00E153B4
GetProcAddress.KERNEL32(75340000,WSAAsyncSelect), ref: 00E153D6
GetProcAddress.KERNEL32(75340000,WSAEventSelect), ref: 00E153F5
GetProcAddress.KERNEL32(75340000,select), ref: 00E15414
GetProcAddress.KERNEL32(75340000,WSAGetLastError), ref: 00E15433
GetProcAddress.KERNEL32(75340000,WSAEnumNetworkEvents), ref: 00E15452
GetProcAddress.KERNEL32(75340000,WSAStartup), ref: 00E15471
GetProcAddress.KERNEL32(75340000,WSACleanup), ref: 00E15490
GetProcAddress.KERNEL32(75340000,closesocket), ref: 00E154AF
GetProcAddress.KERNEL32(75340000,ntohl), ref: 00E154CE
GetProcAddress.KERNEL32(75340000,htonl), ref: 00E154ED
GetProcAddress.KERNEL32(75340000,htons), ref: 00E1550C
GetProcAddress.KERNEL32(75340000,ntohs), ref: 00E1552B
GetProcAddress.KERNEL32(75340000,gethostname), ref: 00E1554A
GetProcAddress.KERNEL32(75340000,gethostbyname), ref: 00E15569
GetProcAddress.KERNEL32(75340000,getservbyname), ref: 00E15588
GetProcAddress.KERNEL32(75340000,inet_addr), ref: 00E155A7
GetProcAddress.KERNEL32(75340000,inet_ntoa), ref: 00E155C6
GetProcAddress.KERNEL32(75340000,inet_ntop), ref: 00E155E5
GetProcAddress.KERNEL32(75340000,connect), ref: 00E15604
GetProcAddress.KERNEL32(75340000,bind), ref: 00E15623
GetProcAddress.KERNEL32(75340000,setsockopt), ref: 00E15642
GetProcAddress.KERNEL32(75340000,socket), ref: 00E15661
GetProcAddress.KERNEL32(75340000,listen), ref: 00E15680
GetProcAddress.KERNEL32(75340000,send), ref: 00E1569F
GetProcAddress.KERNEL32(75340000,shutdown), ref: 00E156BE
GetProcAddress.KERNEL32(75340000,ioctlsocket), ref: 00E156DD
GetProcAddress.KERNEL32(75340000,accept), ref: 00E156FC
GetProcAddress.KERNEL32(75340000,getpeername), ref: 00E1571B
GetProcAddress.KERNEL32(75340000,recv), ref: 00E1573A
GetProcAddress.KERNEL32(75340000,WSAIoctl), ref: 00E15759
WSAStartup.WS2_32(00000202,00EE4C54), ref: 00E15897
WSAStartup.WS2_32(00000002,00EE4C54), ref: 00E158B5
WSAStartup.WS2_32(00000101,00EE4C54), ref: 00E158D6

Strings

WSAAsyncSelect, xrefs: 00E153D0
htonl, xrefs: 00E154E7
WSAStartup, xrefs: 00E1546B
Unable to initialise WinSock, xrefs: 00E1590A
gethostname, xrefs: 00E15544
listen, xrefs: 00E1567A
WSACleanup, xrefs: 00E1548A
ntohl, xrefs: 00E154C8
select, xrefs: 00E1540E
accept, xrefs: 00E156F6
getnameinfo, xrefs: 00E1537C
bind, xrefs: 00E1561D
wsock32.dll, xrefs: 00E152CB
WSAIoctl, xrefs: 00E15753
recv, xrefs: 00E15734
htons, xrefs: 00E15506
freeaddrinfo, xrefs: 00E1531D, 00E15361
inet_addr, xrefs: 00E155A1
WSAAddressToStringA, xrefs: 00E153AE
connect, xrefs: 00E155FE
setsockopt, xrefs: 00E1563C
ioctlsocket, xrefs: 00E156D7
wship6.dll, xrefs: 00E15331
shutdown, xrefs: 00E156B8
WSAGetLastError, xrefs: 00E1542D
inet_ntop, xrefs: 00E155DF
Unable to load any WinSock library, xrefs: 00E15900
inet_ntoa, xrefs: 00E155C0
WSAEnumNetworkEvents, xrefs: 00E1544C
ntohs, xrefs: 00E15525
getaddrinfo, xrefs: 00E152E5, 00E15302, 00E15347
closesocket, xrefs: 00E154A9
socket, xrefs: 00E1565B
send, xrefs: 00E15699
getpeername, xrefs: 00E15715
WSAEventSelect, xrefs: 00E153EF
ws2_32.dll, xrefs: 00E152B0
gethostbyname, xrefs: 00E15563
getservbyname, xrefs: 00E15582

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc$Startup$LibraryLoad
String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyname$gethostname$getnameinfo$getpeername$getservbyname$htonl$htons$inet_addr$inet_ntoa$inet_ntop$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll$wsock32.dll
API String ID: 1450042416-3487058210
Opcode ID: db2a002fce593fe45d3242df967f528b0c99d5a59a0dade329ecfc42566b6d0c
Instruction ID: 8f1f717536da8c7437bb3f1cfe30f766e16ab11069d0cf653f2fe67cf75de268
Opcode Fuzzy Hash: db2a002fce593fe45d3242df967f528b0c99d5a59a0dade329ecfc42566b6d0c
Instruction Fuzzy Hash: 85E13BF5602789DFD718CF67FDA5B5677A5AB84305B10912EF802BA2E0DBB5C4888B04

Function 00DFDE60 Relevance: 65.4, APIs: 28, Strings: 9, Instructions: 605
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(000000C9), ref: 00DFDF58
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00DFDF74
MapDialogRect.USER32(?,00000003), ref: 00DFDFAB
CreateWindowExA.USER32(00000000,STATIC,Cate&gory:,50000000,00000003,00000003,00000062,?,?,000003EF,00000000), ref: 00DFDFEE
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00DFE003
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 00DFE00B
MapDialogRect.USER32(?,00000003), ref: 00DFE035
CreateWindowExA.USER32(00000200,SysTreeView32,00ED3707,50010037,00000003,0000000D,00000062,?,?,000003F0,00000000), ref: 00DFE082
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00DFE091
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 00DFE099
_strrchr.LIBCMT ref: 00DFE19E
_strlen.LIBCMT ref: 00DFE1D6
SendMessageA.USER32(?,00001100,00000000,?), ref: 00DFE202
SendMessageA.USER32(?,00001102,-00000001,?), ref: 00DFE226
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00DFE279
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00DFE286
SendMessageA.USER32(?,0000110C,00000000,00000005), ref: 00DFE2B2
GetDlgItem.USER32(?,?), ref: 00DFE365
DestroyWindow.USER32(00000000), ref: 00DFE36C
KillTimer.USER32(?,000004CE), ref: 00DFE38E
MessageBoxA.USER32(?,00000000,Demo screenshot failure,00000010), ref: 00DFE3B2
SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 00DFE406
SetTimer.USER32(?,000004CE,000003E8,00000000), ref: 00DFE4ED

Part of subcall function 00DFF800: SetWindowTextA.USER32(?,?), ref: 00DFF80F
Part of subcall function 00DFF800: GetWindowLongA.USER32(?,000000EC), ref: 00DFF821
Part of subcall function 00DFF800: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00DFF830

Part of subcall function 00DFFD60: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00DFFD8B
Part of subcall function 00DFFD60: GetClientRect.USER32(?,?), ref: 00DFFD9D
Part of subcall function 00DFFD60: MapDialogRect.USER32(?), ref: 00DFFDC6

SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00DFE60E
InvalidateRect.USER32(?,00000000,00000001), ref: 00DFE619
SetFocus.USER32(?), ref: 00DFE628

Strings

firstpath, xrefs: 00DFE437
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/dialog.c, xrefs: 00DFE187, 00DFE432
b, xrefs: 00DFE015
j == ctrl_path_elements(s->pathname) - 1, xrefs: 00DFE18C
STATIC, xrefs: 00DFDFE7
Demo screenshot failure, xrefs: 00DFE3AB
@, xrefs: 00DFE294
SysTreeView32, xrefs: 00DFE078
Cate&gory:, xrefs: 00DFDFE2

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message$Send$Window$Rect$Dialog$CreateLongTimer$ClientDestroyFocusIconInvalidateItemKillLoadText_strlen_strrchr
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/dialog.c$@$Cate&gory:$Demo screenshot failure$STATIC$SysTreeView32$b$firstpath$j == ctrl_path_elements(s->pathname) - 1
API String ID: 3050031257-2401460667
Opcode ID: e2c567d263793a139045215cac9ca9c8edff87444782b28dde12c8e3c78a3276
Instruction ID: d8cb69ac53245ab512b76e68cafd032f966213ffbaf534ae3d98a59e2e737fa4
Opcode Fuzzy Hash: e2c567d263793a139045215cac9ca9c8edff87444782b28dde12c8e3c78a3276
Instruction Fuzzy Hash: 2712E4B1604348AFE7209F65DC85F6AB7E5EF84304F054429FA49AB3E1D7B1E904CB62

Function 00E28740 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00E28799
RegisterClassA.USER32(00002808), ref: 00E287BC
CreateDialogParamA.USER32(?,?,?,00E28890,00000000), ref: 00E287FB
SetWindowLongA.USER32(00000000,0000001E,00000000), ref: 00E28807
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00E2883E
IsDialogMessageA.USER32(00000000,?,?,00000000,00000000,00000000), ref: 00E2884D
DispatchMessageA.USER32 ref: 00E28854
PostQuitMessage.USER32(?), ref: 00E28862
DestroyWindow.USER32(00000000,?,00000000,00000000,00000000), ref: 00E28869

Strings

", xrefs: 00E2877E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message$DialogWindow$CallbackClassCreateCursorDestroyDispatchDispatcherLoadLongParamPostQuitRegisterUser
String ID: "
API String ID: 1405747859-123907689
Opcode ID: 71666a2d61c1cd4c567d336b5fd720a1635a16fc8f2c79f241c264fa0e673400
Instruction ID: 4682299b97f64a59a40a60b6054f770fe21d06aac89c4a2baa5b4c99257af50c
Opcode Fuzzy Hash: 71666a2d61c1cd4c567d336b5fd720a1635a16fc8f2c79f241c264fa0e673400
Instruction Fuzzy Hash: 75315B7454A3549FD724CF15ED48B1ABBF4FB89744F40482EFA85A7290CB759808CF46

Function 00DFFE00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapDialogRect.USER32(?), ref: 00DFFE3D
CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00DFFE77
SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00DFFE87
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000116,?,?,BUTTON,50000007,00000000,00ED3707,?), ref: 00DFFEB3

Strings

LISTBOX, xrefs: 00DFFE8D

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Window$CreateDialogMessageRectSend
String ID: LISTBOX
API String ID: 4261271132-1812161947
Opcode ID: f2fa8fe5f7722a4337023c0bef02c3847e5696d8dbfdfc77ac9c5b96647709e5
Instruction ID: 4eaf19c5906d8b9501a6adcd1a169514a21ceb33cfda437ef110d4e85c5728f1
Opcode Fuzzy Hash: f2fa8fe5f7722a4337023c0bef02c3847e5696d8dbfdfc77ac9c5b96647709e5
Instruction Fuzzy Hash: 69212872608301AFDB119F94DC41F2BBBE5FF88740F04881DFA95A62A0C7719824DB92

Function 00DFF800 Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextA.USER32(?,?), ref: 00DFF80F
GetWindowLongA.USER32(?,000000EC), ref: 00DFF821
SetWindowLongA.USER32(?,000000EC,00000000), ref: 00DFF830
GetDlgItem.USER32(?,000003ED), ref: 00DFF83E
DestroyWindow.USER32(00000000), ref: 00DFF849

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Window$Long$DestroyItemText
String ID:
API String ID: 4119185043-0
Opcode ID: 3f55402f2e868a915399e8a1bb490b879381e264dccc1749541bdf8802b3ace4
Instruction ID: e482dd9b24d4bb23445c79550a4cd979c99bd1a9db619081ede21825a75e6353
Opcode Fuzzy Hash: 3f55402f2e868a915399e8a1bb490b879381e264dccc1749541bdf8802b3ace4
Instruction Fuzzy Hash: 2EE0E5B0102424AFDB00AB2AFC08EEB3B5CEF49362709C233F506F60E1CB2089038574

Function 00E03820 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00E038C5
SendDlgItemMessageA.USER32(?,?,00000151,00000000,?), ref: 00E038D6

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00E03870
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E0386B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: 8eeaeebceec8c0c8fe75b8699623546ee4ce04569aa6d4f571b8356a309e8f78
Instruction ID: b1817293c6d62e60003548621a9d04c94b847d5f74745dddf20e7bea7f0c2e39
Opcode Fuzzy Hash: 8eeaeebceec8c0c8fe75b8699623546ee4ce04569aa6d4f571b8356a309e8f78
Instruction Fuzzy Hash: 3C21E171604309AFE7188B24DC81F76B3AAFF89308F149169F509676E0D761AE94CBA1

Function 00E04940 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentProcessExplicitAppUserModelID.SHELL32(00000000,00DE472A), ref: 00E04958
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 00E04980

Strings

SetCurrentProcessExplicitAppUserModelID, xrefs: 00E0497A
Shell32.dll, xrefs: 00E04964

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressCurrentExplicitModelProcProcessUser
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32.dll
API String ID: 3773935857-666802935
Opcode ID: e54baac0e0d078778da4617ce2d1eab621cbcf72095b105b27b62bae18d73a25
Instruction ID: c5874027e40ad750df02f0751d75cbff815ca36a4af76dd6bba29805b753ca90
Opcode Fuzzy Hash: e54baac0e0d078778da4617ce2d1eab621cbcf72095b105b27b62bae18d73a25
Instruction Fuzzy Hash: B0E065F1A003478EDB109B776E85B1772A86B597457C92079F621F51F0EB30D485CF20

Function 00E1C110 Relevance: 6.1, APIs: 4, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00E1C182
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019), ref: 00E1C196
RegCloseKey.ADVAPI32(?), ref: 00E1C1A6
RegCloseKey.ADVAPI32(?), ref: 00E1C1BA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Close$CreateOpen
String ID:
API String ID: 1299239824-0
Opcode ID: 13b50b0cc12c097927609daba38db83cc2bcc793fb6d5e0a196384965cb8e461
Instruction ID: b05cea6b1d03693062386b055d3b4f11a0a29a3c49b176955123fa51672f5965
Opcode Fuzzy Hash: 13b50b0cc12c097927609daba38db83cc2bcc793fb6d5e0a196384965cb8e461
Instruction Fuzzy Hash: 4521923078A3107FE3108B11DD45BAB7BF8EB86758F24542DF94AB72C1C660AC84D696

Function 00DFDC20 Relevance: 6.0, APIs: 4, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDialogParamA.USER32(0000006F,00000000,00DFDC60,00000000,?), ref: 00DFDC32
ShowWindow.USER32(00000000,00000000), ref: 00DFDC3D
SetActiveWindow.USER32(00000000), ref: 00DFDC44
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00DFDC4B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Window$ActiveCallbackCreateDialogDispatcherParamShowUser
String ID:
API String ID: 916146323-0
Opcode ID: dfa43ada7a3bad12c66d2927be4ab3971797943f084fc8de1ec6dff1a3d5babf
Instruction ID: b2e38c9545c14e1c057bd09f26def2e689e4af08a5c6ce8df6a206b17c426bf4
Opcode Fuzzy Hash: dfa43ada7a3bad12c66d2927be4ab3971797943f084fc8de1ec6dff1a3d5babf
Instruction Fuzzy Hash: 28D0A731282218BFD6316B62FD0DF993F19EF05701F010022F703B90F08BA01919C65C

Function 00E03C70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 00E03CFC

Strings

false && "bad control type in label_change", xrefs: 00E03D38
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E03CB5, 00E03D33

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$false && "bad control type in label_change"
API String ID: 3367045223-102374585
Opcode ID: f135c8ed2e3e76befeee41a2b6a4037b6e26d6a33e065612ee7b81262a83c799
Instruction ID: 165f7e7e9b35edff6a93367d3fd33975fe3477b7c4cf64f1e30b2748d295988e
Opcode Fuzzy Hash: f135c8ed2e3e76befeee41a2b6a4037b6e26d6a33e065612ee7b81262a83c799
Instruction Fuzzy Hash: CE215772604204ABD320DB35DD86B1B77E9DBC5715F19112AF51DB72C2D730ED898721

Function 00E03770 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00E037F7

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00E037BC
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E037B7

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: 68e598abfcc8e05ec99a043edc7606bd481039a78528a56809b6c8c530f8c4aa
Instruction ID: 6bb4e8017c06cdb335e8923aa149b47fcd7a839981f60b76ef4581c03b3a53eb
Opcode Fuzzy Hash: 68e598abfcc8e05ec99a043edc7606bd481039a78528a56809b6c8c530f8c4aa
Instruction Fuzzy Hash: F21125F1600205AFE7208B24CC85F33B3A9EB89708F09512BE109676D0C771ADC4C791

Function 00E03510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 00E0358A

Strings

c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00E03573
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E0356E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3367045223-587671386
Opcode ID: 48d8e59d86c11ad200a0d0265224d717c97577b563074c0db6ff86aa10cd4981
Instruction ID: 113d8b5aeaac219f005f5454eec4fa6b5866f08c5e54beb70630ed35cdc05987
Opcode Fuzzy Hash: 48d8e59d86c11ad200a0d0265224d717c97577b563074c0db6ff86aa10cd4981
Instruction Fuzzy Hash: 9A018F32604305AFD310CA28ED81E56B3E8FB89708F011126F944B72A1D371AD688BA1

Function 00E96961 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00E95C5B,19E850E8,?,00E95C5B,00000220,?,00E8FB84,19E850E8), ref: 00E96993

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6cc9fd46e5950ec2a5ee6b46a49054c121f6c0b8b0c39a234de02bd835310d24
Instruction ID: 0e5f2687dd1566e50e191c195d99279f54612174c409fa9c6e9640071b3a38e4
Opcode Fuzzy Hash: 6cc9fd46e5950ec2a5ee6b46a49054c121f6c0b8b0c39a234de02bd835310d24
Instruction Fuzzy Hash: A8E065312016159ADE216B669C04B9AB7989FC27A8F257173EC1DBA191DA30DC0046E5

Function 00E1BFB0 Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E48810: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00E48822
Part of subcall function 00E48810: GetSystemDirectoryA.KERNEL32(00000000), ref: 00E48866

Part of subcall function 00E18B80: _strlen.LIBCMT ref: 00E18B97
Part of subcall function 00E18B80: _strlen.LIBCMT ref: 00E18BC1
Part of subcall function 00E18B80: _strcat.LIBCMT ref: 00E18BEC
Part of subcall function 00E18B80: _strlen.LIBCMT ref: 00E18BF5
Part of subcall function 00E18B80: _strcat.LIBCMT ref: 00E18C12
Part of subcall function 00E18B80: _strlen.LIBCMT ref: 00E18C1B

LoadLibraryA.KERNELBASE(00000000,00000000,?,00E2A190,kernel32.dll), ref: 00E1BFCF

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen$DirectorySystem_strcat$LibraryLoad
String ID:
API String ID: 3346121862-0
Opcode ID: 4656fac4e82124cfa5720368a09e47f58051c2294b266e64e702a02a59761482
Instruction ID: 78c1ed1a67feb478fea3becf647e7b9c2bc9bcb1e648a7acbdaa9b331491ed2e
Opcode Fuzzy Hash: 4656fac4e82124cfa5720368a09e47f58051c2294b266e64e702a02a59761482
Instruction Fuzzy Hash: 6AD05EB6A012202BD610322A7C0EEDB279CDB827B5F491475F905F7203ED71AD4282E5

Non-executed Functions

Function 00E395E0 Relevance: 201.5, APIs: 7, Strings: 106, Instructions: 3738COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E3B93C
_strlen.LIBCMT ref: 00E3BA8A
_strlen.LIBCMT ref: 00E3C980

Strings

Sent public key signature, xrefs: 00E3BBCC
password prompt, xrefs: 00E3B599
Wrong passphrase, xrefs: 00E3BC49
expected PLUGIN_PROTOCOL_ACCEPT or PLUGIN_PROTOCOL_REJECT, xrefs: 00E3B716
Started authentication plugin: %s, xrefs: 00E39E46
Authentication was trivial! Abandoning session as specified in configuration., xrefs: 00E3B701
password-change prompt, xrefs: 00E3C9B6
Authentication plugin failed to initialise:, xrefs: 00E39FC2
<, xrefs: 00E3BFEB
%s@%s's password: , xrefs: 00E3A9D3
Reading key file "%s", xrefs: 00E397F4
GSSAPI authentication - bad server response, xrefs: 00E3BF9E
username prompt, xrefs: 00E3A388
Sent new password, xrefs: 00E3C87C
Enter new password: , xrefs: 00E3C673
Access denied, xrefs: 00E3B5D3
Authenticating with public key "%s", xrefs: 00E3B3C3
Failed to get reply from Pageant, xrefs: 00E39B99
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/userauth2-client.c, xrefs: 00E39EE5, 00E3AF96, 00E3B5A8, 00E3C31D, 00E3C38D
No supported authentication methods available, xrefs: 00E3B6B0
Server refused public-key signature despite accepting key!, xrefs: 00E3A680
publickey, xrefs: 00E3A574, 00E3A839, 00E3B2A5, 00E3B4B0, 00E3B8EF
Unable to authenticate, xrefs: 00E3B58D, 00E3BCAF, 00E3C194, 00E3C9AA
GSSAPI import name failed, xrefs: 00E3B869, 00E3B86E
Authentication plugin agreed to help with keyboard-interactive, xrefs: 00E3B0AA
Unable to load key (%s), xrefs: 00E39B42
Passwords do not match, xrefs: 00E3C792
End of keyboard-interactive prompts from server, xrefs: 00E3C233
Current password (blank for previously entered password): , xrefs: 00E3C655
Authentication plugin declined to help with keyboard-interactive, xrefs: 00E3B0D8
Access granted, xrefs: 00E3B6CE
Trying Pageant key #%zu, xrefs: 00E3A7DE
Received unexpected packet after SSH_MSG_USERAUTH_GSSAPI_ERRTOK (expected SSH_MSG_USERAUTH_FAILURE): type %d (%s), xrefs: 00E3BFE1
Pageant failed to respond to signing request, xrefs: 00E39BBC
Unable to use this certificate file (%s), xrefs: 00E39D2D
password, xrefs: 00E3A58D, 00E3AABA, 00E3C7F0
Pageant has %zu SSH-2 keys, xrefs: 00E399FA
Unable to use certificate file "%s" (%s), xrefs: 00E39D56
Server refused public-key signature despite accepting key!, xrefs: 00E3A697
Received malformed PLUGIN_PROTOCOL_REJECT from auth helper plugin, xrefs: 00E3B7E7
s->type == AUTH_TYPE_PASSWORD, xrefs: 00E3B5AD
gssapi-keyex, xrefs: 00E3A5F5, 00E3ABF4
Received unexpected packet in response to authentication request, type %d (%s), xrefs: 00E3A467
Server requested password change, xrefs: 00E3AB85, 00E3C5BE, 00E3C5D8
unrecognised certificate type '%s', xrefs: 00E3A08F
s->authplugin, xrefs: 00E39EEA, 00E3AF9B, 00E3C322, 00E3C392
Received malformed PLUGIN_INIT_RESPONSE from auth helper plugin, xrefs: 00E39F74
Sent password, xrefs: 00E3AB0A
Unable to use key file "%s" (%s), xrefs: 00E39C28
GSSAPI authentication initialised, xrefs: 00E3BD12
Trying gssapi-with-mic..., xrefs: 00E3AC78
expected PLUGIN_KI_SERVER_RESPONSE or PLUGIN_PROTOCOL_USER_REQUEST, xrefs: 00E3C5AB
New SSH password, xrefs: 00E3C622
GSSAPI authentication loop finished OK, xrefs: 00E3BF2C
GSSAPI authentication request refused, xrefs: 00E3AE5B
Authenticating with public key "%.*s" from agent, xrefs: 00E3B44E
Pageant failed to respond to signing request, xrefs: 00E39BA3
Offer of public key accepted, xrefs: 00E3B38E
SSH login name, xrefs: 00E3A1F8
Reading certificate file "%s", xrefs: 00E39C82
Configured key file not in Pageant, xrefs: 00E39A6C
Unable to load private key (%s), xrefs: 00E3BC5F
keyboard-interactive authentication prompt, xrefs: 00E3C1A0
key type '%s' is not a certificate, xrefs: 00E3A100
Using username "%s"., xrefs: 00E3A1BA
Pageant refused signing request, xrefs: 00E39B1B
login as: , xrefs: 00E3A20E
Password authentication failed, xrefs: 00E3B5BA
Confirm new password: , xrefs: 00E3C691
Authentication plugin failed to set up keyboard-interactive authentication:, xrefs: 00E3B037
Pageant's response was truncated, xrefs: 00E39DF9
GSSAPI authentication failed to get credentials, xrefs: 00E3B68B
No supported authentication methods available (server sent: %s), xrefs: 00E3B6C4
Attempting keyboard-interactive authentication, xrefs: 00E3AF29
Pageant failed to provide a signature, xrefs: 00E39B34
Auth helper plugin announced unsupported version number %u, xrefs: 00E39FB6
Further authentication required, xrefs: 00E3A4AD
Unable to load key file "%s" (%s), xrefs: 00E39B6F
passphrase prompt, xrefs: 00E3BCBB
SSH key passphrase, xrefs: 00E3B9B3
Cannot use this private key (%s), xrefs: 00E3BAD3
Passphrase for key "%s": , xrefs: 00E3B9CF
Unable to use this key file (%s), xrefs: 00E39BF4
<, xrefs: 00E3C1C3
%s, xrefs: 00E3C5D9
GSSAPI authentication - wrong response from server, xrefs: 00E3AE36
Key file contains public key only, xrefs: 00E39875
Pageant is running. Requesting keys., xrefs: 00E39DAA
Received malformed PLUGIN_INIT_FAILURE from auth helper plugin, xrefs: 00E39F96
GSSAPI authentication failed, xrefs: 00E3BE86
none, xrefs: 00E3A329
Authentication plugin declined to help with keyboard-interactive: %.*s, xrefs: 00E3B097
GSSAPI import name failed - Bad service name, xrefs: 00E3B82C
gssapi-with-mic, xrefs: 00E3A5D1, 00E3ACD3, 00E3BF47
Offered public key, xrefs: 00E3B310
Sending Pageant's response, xrefs: 00E3A098
%.*s, xrefs: 00E39FF2, 00E3B067
GSSAPI authentication initialisation failed, xrefs: 00E3BEAE
Attempting GSSAPI authentication, xrefs: 00E3ACE1
Trying gssapi-keyex..., xrefs: 00E3ABD9
Authentication plugin set username '%s', xrefs: 00E3A058
expected PLUGIN_INIT_RESPONSE or PLUGIN_INIT_FAILURE, xrefs: 00E39FA0
Further authentication required, xrefs: 00E3A496
End of keyboard-interactive prompts from plugin, xrefs: 00E3C238, 00E3C24E
Pageant key #%zu matches configured key file, xrefs: 00E3A113
Server rejected new password, xrefs: 00E3C8F5

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: %.*s$%s$%s@%s's password: $/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/userauth2-client.c$<$<$Access denied$Access granted$Attempting GSSAPI authentication$Attempting keyboard-interactive authentication$Auth helper plugin announced unsupported version number %u$Authenticating with public key "%.*s" from agent$Authenticating with public key "%s"$Authentication plugin agreed to help with keyboard-interactive$Authentication plugin declined to help with keyboard-interactive$Authentication plugin declined to help with keyboard-interactive: %.*s$Authentication plugin failed to initialise:$Authentication plugin failed to set up keyboard-interactive authentication:$Authentication plugin set username '%s'$Authentication was trivial! Abandoning session as specified in configuration.$Cannot use this private key (%s)$Configured key file not in Pageant$Confirm new password: $Current password (blank for previously entered password): $End of keyboard-interactive prompts from plugin$End of keyboard-interactive prompts from server$Enter new password: $Failed to get reply from Pageant$Further authentication required$Further authentication required$GSSAPI authentication - bad server response$GSSAPI authentication - wrong response from server$GSSAPI authentication failed$GSSAPI authentication failed to get credentials$GSSAPI authentication initialisation failed$GSSAPI authentication initialised$GSSAPI authentication loop finished OK$GSSAPI authentication request refused$GSSAPI import name failed$GSSAPI import name failed - Bad service name$Key file contains public key only$New SSH password$No supported authentication methods available$No supported authentication methods available (server sent: %s)$Offer of public key accepted$Offered public key$Pageant failed to provide a signature$Pageant failed to respond to signing request$Pageant failed to respond to signing request$Pageant has %zu SSH-2 keys$Pageant is running. Requesting keys.$Pageant key #%zu matches configured key file$Pageant refused signing request$Pageant's response was truncated$Passphrase for key "%s": $Password authentication failed$Passwords do not match$Reading certificate file "%s"$Reading key file "%s"$Received malformed PLUGIN_INIT_FAILURE from auth helper plugin$Received malformed PLUGIN_INIT_RESPONSE from auth helper plugin$Received malformed PLUGIN_PROTOCOL_REJECT from auth helper plugin$Received unexpected packet after SSH_MSG_USERAUTH_GSSAPI_ERRTOK (expected SSH_MSG_USERAUTH_FAILURE): type %d (%s)$Received unexpected packet in response to authentication request, type %d (%s)$SSH key passphrase$SSH login name$Sending Pageant's response$Sent new password$Sent password$Sent public key signature$Server refused public-key signature despite accepting key!$Server refused public-key signature despite accepting key!$Server rejected new password$Server requested password change$Started authentication plugin: %s$Trying Pageant key #%zu$Trying gssapi-keyex...$Trying gssapi-with-mic...$Unable to authenticate$Unable to load key (%s)$Unable to load key file "%s" (%s)$Unable to load private key (%s)$Unable to use certificate file "%s" (%s)$Unable to use key file "%s" (%s)$Unable to use this certificate file (%s)$Unable to use this key file (%s)$Using username "%s".$Wrong passphrase$expected PLUGIN_INIT_RESPONSE or PLUGIN_INIT_FAILURE$expected PLUGIN_KI_SERVER_RESPONSE or PLUGIN_PROTOCOL_USER_REQUEST$expected PLUGIN_PROTOCOL_ACCEPT or PLUGIN_PROTOCOL_REJECT$gssapi-keyex$gssapi-with-mic$key type '%s' is not a certificate$keyboard-interactive authentication prompt$login as: $none$passphrase prompt$password$password prompt$password-change prompt$publickey$s->authplugin$s->type == AUTH_TYPE_PASSWORD$unrecognised certificate type '%s'$username prompt
API String ID: 4218353326-3723652342
Opcode ID: 9b2f3f27e30ead8c5acfbd3dee93867e093319baa270cd1c6452caca9bf90bcf
Instruction ID: c1cee9a3efd122b8ad54a626ec58ffa66fb8623beb70b0125d1641e3446fa6f1
Opcode Fuzzy Hash: 9b2f3f27e30ead8c5acfbd3dee93867e093319baa270cd1c6452caca9bf90bcf
Instruction Fuzzy Hash: 6153C6B59003009FD7209F64EC4AFAA7BE5AF55308F085428F94AB7353E772E994CB52

Function 00DE48D7 Relevance: 124.9, APIs: 52, Strings: 19, Instructions: 698windowtimeCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DE49D1
GetClientRect.USER32(00000000,?), ref: 00DE49DD
CreateWindowExW.USER32(?,00000000,00EC9E26,00EC9E26,80000000,80000000,?,?,00000000,00000000,?,00000000), ref: 00DE4B01
GetLastError.KERNEL32 ref: 00DE4B10
GetDC.USER32 ref: 00DE4BC3
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DE4BD4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DE4BDE
ReleaseDC.USER32(00000000), ref: 00DE4BEC
GetWindowRect.USER32(?), ref: 00DE4D65
GetClientRect.USER32(?), ref: 00DE4D76
SetWindowPos.USER32(00000000,00000000,00000000,?,?,0000000E), ref: 00DE4E00
CreateBitmap.GDI32(00000001,00000001,00000000), ref: 00DE4E4F
CreateCaret.USER32 ref: 00DE4E7B
SetScrollInfo.USER32(00000001,?,00000000), ref: 00DE4EC2
GetDoubleClickTime.USER32 ref: 00DE4EDC
GetSystemMenu.USER32(00000000), ref: 00DE4EEF
CreatePopupMenu.USER32 ref: 00DE4EFA
AppendMenuA.USER32(00000000,00000000,00000190,&Copy), ref: 00DE4F18
AppendMenuA.USER32(00000000,000001A0,&Paste), ref: 00DE4F2C
CreateMenu.USER32 ref: 00DE4F2E
DeleteMenu.USER32(00000000,00000400), ref: 00DE4F5D
AppendMenuA.USER32(00000000,00001000,?), ref: 00DE4F91
AppendMenuA.USER32(00000001,00001000,(No sessions)), ref: 00DE4FC6
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00DE502D
AppendMenuA.USER32(?,00000000,00000010,&Event Log), ref: 00DE5039
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00DE5045
AppendMenuA.USER32(?,00000000,00000020,Ne&w Session...), ref: 00DE5051
AppendMenuA.USER32(?,00000000,00000030,&Duplicate Session), ref: 00DE505D
AppendMenuA.USER32(?,00000010,Sa&ved Sessions), ref: 00DE506D
AppendMenuA.USER32(?,00000000,00000050,Chan&ge Settings...), ref: 00DE5079
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00DE5085
AppendMenuA.USER32(?,00000000,00000170,C&opy All to Clipboard), ref: 00DE5094
AppendMenuA.USER32(?,00000000,00000060,C&lear Scrollback), ref: 00DE50A0
AppendMenuA.USER32(?,00000000,00000070,Rese&t Terminal), ref: 00DE50AC
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00DE50B8

Strings

&About %s, xrefs: 00DE4FE6
&Event Log, xrefs: 00DE502F
Sa&ved Sessions, xrefs: 00DE505F
&Duplicate Session, xrefs: 00DE5053
(, xrefs: 00DE499B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DE4C82
Running with restricted process ACL, xrefs: 00DE511B
Ne&w Session..., xrefs: 00DE5047
Chan&ge Settings..., xrefs: 00DE506F
term->mouse_select_clipboards[0] == CLIP_LOCAL, xrefs: 00DE4C87
(No sessions), xrefs: 00DE4FB4
C&lear Scrollback, xrefs: 00DE5096
&Full Screen, xrefs: 00DE50D2
&Copy, xrefs: 00DE4F0B
&Help, xrefs: 00DE50F9
&Paste, xrefs: 00DE4F1A
Unable to create terminal window: %s, xrefs: 00DE4B20
C&opy All to Clipboard, xrefs: 00DE5087
Rese&t Terminal, xrefs: 00DE50A2

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Menu$Append$Create$Window$Rect$CapsClientDevice$BitmapCaretClickDeleteDesktopDoubleErrorInfoLastPopupReleaseScrollSystemTime
String ID: &About %s$&Copy$&Duplicate Session$&Event Log$&Full Screen$&Help$&Paste$($(No sessions)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$C&lear Scrollback$C&opy All to Clipboard$Chan&ge Settings...$Ne&w Session...$Rese&t Terminal$Running with restricted process ACL$Sa&ved Sessions$Unable to create terminal window: %s$term->mouse_select_clipboards[0] == CLIP_LOCAL
API String ID: 662650409-3101482697
Opcode ID: 457202f941ec4c80df698f5931d5d861eb7aa81330664baa6840532dc244305c
Instruction ID: 9f7e03ecc9419ca33ec4cff8d6094e1dc5128a342fa936a1e9b5c5d0d65eb95c
Opcode Fuzzy Hash: 457202f941ec4c80df698f5931d5d861eb7aa81330664baa6840532dc244305c
Instruction Fuzzy Hash: 4132C6B1640344BFE710AF32EC8AF6A3BA5EB44B44F040429F6457F2E1D7B1A958CB65

Function 00E529E0 Relevance: 90.5, APIs: 4, Strings: 47, Instructions: 1281COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E52A93
_strlen.LIBCMT ref: 00E52AD0
_strlen.LIBCMT ref: 00E52BF3
_strlen.LIBCMT ref: 00E52C2D

Strings

Proxy username: , xrefs: 00E53AF8
%s:%d, xrefs: 00E52C8F
opaque, xrefs: 00E533CD
Basic, xrefs: 00E531EF
CONNECT, xrefs: 00E52F6A
Proxy-Authenticate, xrefs: 00E5305D
stale, xrefs: 00E533E6
quality-of-protection type '%s' not supported, xrefs: 00E53881
HTTP response %s, xrefs: 00E53A51
CONNECT %s HTTP/1.1Host: %s, xrefs: 00E52CA7
parse error in Digest qop field, xrefs: 00E538F5
HTTP response was absent or malformed, xrefs: 00E52BBD
algorithm, xrefs: 00E53418
Digest, xrefs: 00E53208
Proxy-Connection, xrefs: 00E53079
true, xrefs: 00E53703, 00E53783
auth, xrefs: 00E52F59, 00E53863
userhash, xrefs: 00E533FF
Digest authentication not supported, xrefs: 00E5388B
qop, xrefs: 00E53432
authentication type '%s' not supported, xrefs: 00E53223
nonce, xrefs: 00E533B4
realm, xrefs: 00E5339B
no Proxy-Authorization header seen in HTTP 407 Proxy Authentication Required response, xrefs: 00E52ECB
chunked, xrefs: 00E53113
Transfer-Encoding, xrefs: 00E53041
close, xrefs: 00E53246
parse error in Digest algorithm field, xrefs: 00E538EB
parse error in Digest stale field, xrefs: 00E538CE
HTTP proxy requested authentication which we do not have, xrefs: 00E53AE5
Proxy-Authorization: Digest , xrefs: 00E52D9F
HTTP/%d.%d %n%d, xrefs: 00E52BA5
HTTP proxy authentication, xrefs: 00E53AB5
Proxy-Authorization: Basic , xrefs: 00E52CCE
Content-Length, xrefs: 00E53025
parse error in Digest header, xrefs: 00E53895, 00E538C0
parse error in Digest nonce field, xrefs: 00E538B9
keep-alive, xrefs: 00E5325B
Missing CRLF after chunk during HTTP chunked transfer encoding, xrefs: 00E53A11
Proxy password: , xrefs: 00E53B1C
Received bad character 0x%02X in chunk length during HTTP chunked transfer encoding, xrefs: 00E53ADB
parse error, xrefs: 00E5327E
Digest hash algorithm '%s' not supported, xrefs: 00E53904
parse error in Digest realm field, xrefs: 00E538B2
Digest hash algorithm '%s' not recognised, xrefs: 00E53913
parse error in Digest userhash field, xrefs: 00E538D5
parse error in Digest opaque field, xrefs: 00E538C7

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: %s:%d$Basic$CONNECT$CONNECT %s HTTP/1.1Host: %s$Content-Length$Digest$Digest authentication not supported$Digest hash algorithm '%s' not recognised$Digest hash algorithm '%s' not supported$HTTP proxy authentication$HTTP proxy requested authentication which we do not have$HTTP response %s$HTTP response was absent or malformed$HTTP/%d.%d %n%d$Missing CRLF after chunk during HTTP chunked transfer encoding$Proxy password: $Proxy username: $Proxy-Authenticate$Proxy-Authorization: Basic $Proxy-Authorization: Digest $Proxy-Connection$Received bad character 0x%02X in chunk length during HTTP chunked transfer encoding$Transfer-Encoding$algorithm$auth$authentication type '%s' not supported$chunked$close$keep-alive$no Proxy-Authorization header seen in HTTP 407 Proxy Authentication Required response$nonce$opaque$parse error$parse error in Digest algorithm field$parse error in Digest header$parse error in Digest nonce field$parse error in Digest opaque field$parse error in Digest qop field$parse error in Digest realm field$parse error in Digest stale field$parse error in Digest userhash field$qop$quality-of-protection type '%s' not supported$realm$stale$true$userhash
API String ID: 4218353326-1494668594
Opcode ID: 5436f56314f2bef1e5fb61709c9cde2f88135644bea8859c5419991956e0a41c
Instruction ID: 3e6a85f059edf3871b6d79f739ee3500b68b7b62ba20a79e6bcf36dd72cb6b27
Opcode Fuzzy Hash: 5436f56314f2bef1e5fb61709c9cde2f88135644bea8859c5419991956e0a41c
Instruction Fuzzy Hash: 82A20575A00300AFDB14DF24D842B6977E1AF45349F146868FD49BB392E732EE59CB82

Function 00DE7490 Relevance: 77.9, APIs: 28, Strings: 16, Instructions: 851clipboardmemorywindowCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00DE74D4
GlobalAlloc.KERNEL32(00002002,?), ref: 00DE74EA
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00DE74F8
GlobalLock.KERNEL32(00000000), ref: 00DE750D
GlobalLock.KERNEL32(00000000), ref: 00DE751E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00DE7565
GlobalFree.KERNEL32(00000000), ref: 00DE7626
GlobalFree.KERNEL32(00000000), ref: 00DE7635
GlobalUnlock.KERNEL32(00000000), ref: 00DE76C5
GlobalFree.KERNEL32(00000000), ref: 00DE76D2
GlobalFree.KERNEL32(00000000), ref: 00DE76D5
GlobalUnlock.KERNEL32(00000000), ref: 00DE7F32
GlobalUnlock.KERNEL32(?), ref: 00DE7F39
SendMessageA.USER32(00008002,00000001,00000000), ref: 00DE7F4E
OpenClipboard.USER32 ref: 00DE7F5A
EmptyClipboard.USER32 ref: 00DE7F64
SetClipboardData.USER32(0000000D,00000000), ref: 00DE7F73
SetClipboardData.USER32(00000001,?), ref: 00DE7F78
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 00DE7F86
SetClipboardData.USER32(00000000,?), ref: 00DE7F8E
CloseClipboard.USER32 ref: 00DE7F94
SendMessageA.USER32(00008002,00000000,00000000), ref: 00DE7FC2

Strings

\red%d\green%d\blue%d;, xrefs: 00DE7899, 00DE78E2
}, xrefs: 00DE7D79
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DE7D9C
\b , xrefs: 00DE7C72, 00DE7C83
\par, xrefs: 00DE7DE2
{\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d, xrefs: 00DE75CD
\ulnone , xrefs: 00DE7CAD
\b0 , xrefs: 00DE7C77
\'%02x, xrefs: 00DE7E46
\cf%d , xrefs: 00DE7B8B, 00DE7BBD
{\colortbl ;, xrefs: 00DE7858
tindex + multilen <= len2, xrefs: 00DE7DA1
Rich Text Format, xrefs: 00DE7F81
\ul , xrefs: 00DE7CA8, 00DE7CB6
{\uc%d\u%d, xrefs: 00DE7D62
\highlight%d , xrefs: 00DE7C14, 00DE7C42

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Global$Clipboard$Free$DataUnlock$AllocByteCharLockMessageMultiSendWide$CloseEmptyFormatOpenRegister
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$Rich Text Format$\'%02x$\b $\b0 $\cf%d $\highlight%d $\par$\red%d\green%d\blue%d;$\ul $\ulnone $tindex + multilen <= len2${\colortbl ;${\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d${\uc%d\u%d$}
API String ID: 2045886889-120354098
Opcode ID: cc89337f186e73706b1db635f1e0137a97197d4a3a6983029526511ea1a41e0b
Instruction ID: 57295b20f7eec9f11daaedffdbf425300e570f8c51d117269e4ee9a4e122981a
Opcode Fuzzy Hash: cc89337f186e73706b1db635f1e0137a97197d4a3a6983029526511ea1a41e0b
Instruction Fuzzy Hash: 2A524471A0C380AFD760AF26DC41B6BB7E6EF84310F18492DF999672D1E7719844CB62

Function 00DE5400 Relevance: 60.5, APIs: 40, Instructions: 451windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00DE54A5
MulDiv.KERNEL32(?,00000048), ref: 00DE54CF
CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,?), ref: 00DE5545
SelectObject.GDI32(00000000,00000000), ref: 00DE5552
GetTextMetricsA.GDI32(00000000,?), ref: 00DE5561
GetOutlineTextMetricsA.GDI32(00000000,000000D4,?), ref: 00DE5572
GetObjectA.GDI32(0000003C,00EE3D88), ref: 00DE55B2
TranslateCharsetInfo.GDI32(?,FFFFFFFF,00000001), ref: 00DE568B
GetOEMCP.KERNEL32 ref: 00DE56A2
GetCPInfo.KERNEL32(00000000,?), ref: 00DE56C1
CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000000,00000000,00000001,00000000), ref: 00DE571D
CreateCompatibleDC.GDI32(00000000), ref: 00DE5729
CreateCompatibleBitmap.GDI32(00000000), ref: 00DE5742
SelectObject.GDI32(00000000,00000000), ref: 00DE5752
SelectObject.GDI32(00000000), ref: 00DE575D
SetTextAlign.GDI32(00000000,00000000), ref: 00DE5762
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00DE576E
SetBkColor.GDI32(00000000,00000000), ref: 00DE5777
SetBkMode.GDI32(00000000,00000002), ref: 00DE5780
ExtTextOutA.GDI32(00000000,00000000,00000000,00000002,00000000,00ED2D55,00000001,00000000), ref: 00DE5798
GetPixel.GDI32(00000000,?,00000000), ref: 00DE57D1
SelectObject.GDI32(00000000,?), ref: 00DE57EF
DeleteObject.GDI32(?), ref: 00DE57F9
DeleteDC.GDI32(00000000), ref: 00DE5800
SelectObject.GDI32(00000000,00000000), ref: 00DE5812
DeleteObject.GDI32(00000000), ref: 00DE5819
DeleteDC.GDI32(00000000), ref: 00DE5820
DeleteObject.GDI32 ref: 00DE5836
CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000000), ref: 00DE589E
SelectObject.GDI32(00000000,?), ref: 00DE58D7
GetTextMetricsA.GDI32(00000000,?), ref: 00DE58EA
SelectObject.GDI32(00000000,?), ref: 00DE591E
GetTextMetricsA.GDI32(00000000,?), ref: 00DE5931
SelectObject.GDI32(00000000,?), ref: 00DE5965
GetTextMetricsA.GDI32(00000000,?), ref: 00DE5978
ReleaseDC.USER32(00000000), ref: 00DE59A3
DestroyIcon.USER32(FFFFFFFF), ref: 00DE59B4
LoadImageA.USER32(000000C8,00000001,?,00000000), ref: 00DE59D7
DeleteObject.GDI32 ref: 00DE59F3
DeleteObject.GDI32 ref: 00DE5A20

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Object$SelectText$Delete$CreateMetrics$Font$ColorCompatibleInfo$AlignBitmapCharsetDestroyIconImageLoadModeOutlinePixelReleaseTranslate
String ID:
API String ID: 2568116128-0
Opcode ID: 0e4fc8309e8aa415f3af3fdee8a8708f87f5fd28e37e4866428659d8d20d0322
Instruction ID: 1ec5441a288648af78786052e9fb7dbcf667d704a82e7be09a23f20811b554c0
Opcode Fuzzy Hash: 0e4fc8309e8aa415f3af3fdee8a8708f87f5fd28e37e4866428659d8d20d0322
Instruction Fuzzy Hash: 9102F9B0204784EFE7209F36EC89B6A7BA5FB44710F04452EF54AAB2E1D7709948CF21

Function 00E44000 Relevance: 56.7, APIs: 2, Strings: 30, Instructions: 746COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E4417C
_strlen.LIBCMT ref: 00E4484E

Strings

hh, xrefs: 00E44280
Public-Lines, xrefs: 00E44341
Key-Derivation, xrefs: 00E44484
MAC failed, xrefs: 00E44A1E
Argon2i, xrefs: 00E444CE
createkey failed, xrefs: 00E44A85
ent, xrefs: 00E442AB
Argon2-Salt, xrefs: 00E44673
PuTTY-User-Key-File-2, xrefs: 00E440BE
Private-Hash, xrefs: 00E447E7
none, xrefs: 00E44264
PuTTY key format too new, xrefs: 00E440F6
PuTTY-User-Key-File-3, xrefs: 00E440A8
Encryption, xrefs: 00E4421B
PuTTY-User-Key-File-1, xrefs: 00E440D2
PuTTY-User-Key-File-, xrefs: 00E440E6
no header line found in key file, xrefs: 00E4403A
Argon2-Passes, xrefs: 00E445A1
Argon2-Memory, xrefs: 00E44538
Private-MAC, xrefs: 00E447CF
not a PuTTY SSH-2 private key, xrefs: 00E440FB
aes256-cbc, xrefs: 00E4424E
Argon2id, xrefs: 00E444E0
Argon2d, xrefs: 00E444B0
Private-Lines, xrefs: 00E44748
%02x, xrefs: 00E449E6
file format error, xrefs: 00E44168, 00E44336
Argon2-Parallelism, xrefs: 00E4460A
wrong passphrase, xrefs: 00E44A23
Comm, xrefs: 00E4429F

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: %02x$Argon2-Memory$Argon2-Parallelism$Argon2-Passes$Argon2-Salt$Argon2d$Argon2i$Argon2id$Comm$Encryption$Key-Derivation$MAC failed$Private-Hash$Private-Lines$Private-MAC$PuTTY key format too new$PuTTY-User-Key-File-$PuTTY-User-Key-File-1$PuTTY-User-Key-File-2$PuTTY-User-Key-File-3$Public-Lines$aes256-cbc$createkey failed$ent$file format error$hh$no header line found in key file$none$not a PuTTY SSH-2 private key$wrong passphrase
API String ID: 4218353326-2099716704
Opcode ID: 08deee83402ffbbfd9863d623ce6b5d948baf29b932fd8fa38a3b17aefb725aa
Instruction ID: ed5524708c8fed9c3a3fe4b7ba4bce423c269c64ed9980b02228dcc457e45c9f
Opcode Fuzzy Hash: 08deee83402ffbbfd9863d623ce6b5d948baf29b932fd8fa38a3b17aefb725aa
Instruction Fuzzy Hash: 0B42D7F16043409BD721AF60E842BAB77D5AF85308F05682CF9897B2D2EB71D945C753

Function 00E3E480 Relevance: 54.4, APIs: 1, Strings: 29, Instructions: 1926COMMON

Download Yara Rule

Strings

ChaCha20-Poly1305, xrefs: 00E3F216, 00E3F21D
s->session_id_len <= sizeof(s->session_id), xrefs: 00E3F583
Enabling strict key exchange semantics, xrefs: 00E3EBDB
Initiating key re-exchange (%s), xrefs: 00E3E6E6
too much data received, xrefs: 00E3E6B1
client-to-server cipher, xrefs: 00E3F067, 00E3F2D1
Remote bug prevents key re-exchange (%s), xrefs: 00E3E77F
server-to-client cipher, xrefs: 00E3F138, 00E3F3A7
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/transport2.c, xrefs: 00E3F57E
server-sig-algs, xrefs: 00E3F750
cipher warning, xrefs: 00E3FB52
Received unexpected transport-layer packet outside a key exchange, type %d (%s), xrefs: 00E3E7F9
a CBC-mode cipher in OpenSSH ETM mode, xrefs: 00E3F230, 00E3F267
host key type, xrefs: 00E3EF97
populating transient host key cache, xrefs: 00E3E697
too much data sent, xrefs: 00E3E6BC
Continuing despite 'Terrapin' vulnerability, at user request, xrefs: 00E3F412
host key warning, xrefs: 00E3FED6
Server refused request to start '%s' protocol, xrefs: 00E3E56A
key-exchange algorithm, xrefs: 00E3ECEA
vulnerability warning, xrefs: 00E3FB5C
Remote side initiated key re-exchange, xrefs: 00E3E660
Received unexpected packet when expecting KEXINIT, type %d (%s), xrefs: 00E3FF27
Received a packet before KEXINIT in strict-kex mode, xrefs: 00E400CC
kex warning, xrefs: 00E3FECF
Client requested service '%.*s' when we only support '%s', xrefs: 00E400FA
SSH connection is vulnerable to 'Terrapin' attack (CVE-2023-48795), xrefs: 00E3FA2A
Received unexpected packet when expecting SERVICE_REQUEST, type %d (%s), xrefs: 00E400B4
Received unexpected packet when expecting SSH_MSG_NEWKEYS, type %d (%s), xrefs: 00E3FF4C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/transport2.c$ChaCha20-Poly1305$Client requested service '%.*s' when we only support '%s'$Continuing despite 'Terrapin' vulnerability, at user request$Enabling strict key exchange semantics$Initiating key re-exchange (%s)$Received a packet before KEXINIT in strict-kex mode$Received unexpected packet when expecting KEXINIT, type %d (%s)$Received unexpected packet when expecting SERVICE_REQUEST, type %d (%s)$Received unexpected packet when expecting SSH_MSG_NEWKEYS, type %d (%s)$Received unexpected transport-layer packet outside a key exchange, type %d (%s)$Remote bug prevents key re-exchange (%s)$Remote side initiated key re-exchange$SSH connection is vulnerable to 'Terrapin' attack (CVE-2023-48795)$Server refused request to start '%s' protocol$a CBC-mode cipher in OpenSSH ETM mode$cipher warning$client-to-server cipher$host key type$host key warning$kex warning$key-exchange algorithm$populating transient host key cache$s->session_id_len <= sizeof(s->session_id)$server-sig-algs$server-to-client cipher$too much data received$too much data sent$vulnerability warning
API String ID: 0-1677680775
Opcode ID: 58b9d517b09f259e2a7fd53262552b06351563f8b301bbef01e1e53510985a7d
Instruction ID: d1d9ddf35190a84eadcb916b4aa62b9ba82e4e926badf42c1908d9cfb960d734
Opcode Fuzzy Hash: 58b9d517b09f259e2a7fd53262552b06351563f8b301bbef01e1e53510985a7d
Instruction Fuzzy Hash: 1CF2D371904240AFDB219F24DC89BAA7BE5AF48308F085478FD4DAF393E7729954CB61

Function 00E00CE0 Relevance: 54.1, APIs: 12, Strings: 18, Instructions: 1584COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E013B7

Strings

ret == c, xrefs: 00E00D90, 00E00E63, 00E00E91, 00E01DDA, 00E01E08
BUTTON, xrefs: 00E015DF, 00E0165D, 00E0234F
LISTBOX, xrefs: 00E01B05
STATIC, xrefs: 00E00EBD, 00E014AB, 00E01957, 00E019D4, 00E01AB5, 00E01C44, 00E01CBF, 00E020EF
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E00D8B, 00E00E5E, 00E00E8C, 00E00F84, 00E00FBF, 00E0113B, 00E0123C, 00E012ED, 00E01596, 00E01DD5, 00E01E03, 00E01E5C, 00E01EC2, 00E01EEC, 00E01FC1, 00E01FEB, 00E02384
false && "bad control type in winctrl_layout", xrefs: 00E02389
!ctrl->delay_taborder, xrefs: 00E01140
EDIT, xrefs: 00E01A2D, 00E01D28
nshortcuts < MAX_SHORTCUTS_PER_CTRL, xrefs: 00E0159B
ntabdelays < lenof(tabdelays), xrefs: 00E01241
ncols <= lenof(columns), xrefs: 00E00FC4
COMBOBOX, xrefs: 00E0197E, 00E01D02, 00E0211A, 00E02165
win, xrefs: 00E01EF1, 00E01FF0
thisc, xrefs: 00E01EC7, 00E01FC6
i < ntabdelays, xrefs: 00E012F2
ud, xrefs: 00E016EA
!dp->shortcuts[s], xrefs: 00E01E61
(ctrl->columns.ncols == 1) ^ (ncols == 1), xrefs: 00E00F89

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: !ctrl->delay_taborder$!dp->shortcuts[s]$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$BUTTON$COMBOBOX$EDIT$LISTBOX$STATIC$false && "bad control type in winctrl_layout"$i < ntabdelays$ncols <= lenof(columns)$nshortcuts < MAX_SHORTCUTS_PER_CTRL$ntabdelays < lenof(tabdelays)$ret == c$thisc$ud$win
API String ID: 4218353326-3897474323
Opcode ID: 13851c246ac36bde5b148f59cb76bef020a535da10dec709d7c9f5109ede39cb
Instruction ID: 35d74881c233af887c86b44239b21d9c76b2ea85f63e1cbc0cbcd8c69481461b
Opcode Fuzzy Hash: 13851c246ac36bde5b148f59cb76bef020a535da10dec709d7c9f5109ede39cb
Instruction Fuzzy Hash: B3C2DD71A08705AFD720DF14CC81B6AB7E5FF84704F04592DFA89AB392D771A985CB82

Function 00E02470 Relevance: 48.1, APIs: 21, Strings: 6, Instructions: 828windowregistryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commctrl_DragListMsg), ref: 00E024A3
SetMapMode.GDI32(?,00000001), ref: 00E02547
_strlen.LIBCMT ref: 00E02551
GetTextExtentPoint32A.GDI32(?,?,00000000,?), ref: 00E02564
DrawEdge.USER32(?,00000006,00000006,0000200F), ref: 00E02577
_strlen.LIBCMT ref: 00E02581
TextOutA.GDI32(?,?,?,?,00000000), ref: 00E025C9
GetDC.USER32(00000000), ref: 00E02948
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E02953
MulDiv.KERNEL32(?,00000000,00000048), ref: 00E0295F
ReleaseDC.USER32(00000000,00000000), ref: 00E02971
_strncpy.LIBCMT ref: 00E029E6
ChooseFontA.COMDLG32 ref: 00E02A25
IsDlgButtonChecked.USER32(?,?), ref: 00E02B24
SendDlgItemMessageA.USER32(?,?,00000147,00000000,00000000), ref: 00E02D65
SendDlgItemMessageA.USER32(?,?,00000148,00000000,00000000), ref: 00E02DAE
SetDlgItemTextA.USER32(?,?,00000000), ref: 00E02DC5
SetCapture.USER32(?), ref: 00E02EF2
ChooseColorA.COMDLG32(00EE4294), ref: 00E02F96
GetDlgItemTextA.USER32(00000000,?,?,00000104), ref: 00E02FEA
SetDlgItemTextA.USER32(?,?), ref: 00E03093

Strings

All Files (*.*), xrefs: 00E02C29
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E03051
!c->data, xrefs: 00E03056
gfff, xrefs: 00E02A2F
+, xrefs: 00E02511
commctrl_DragListMsg, xrefs: 00E0249E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemText$ChooseMessageSend_strlen$ButtonCapsCaptureCheckedClipboardColorDeviceDrawEdgeExtentFontFormatModePoint32RegisterRelease_strncpy
String ID: !c->data$+$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$All Files (*.*)$commctrl_DragListMsg$gfff
API String ID: 1971161187-3869208345
Opcode ID: b2d0ed4b456dfb785777b5216bf14edc5d61981a93743d8a29187e8ccc64ec1b
Instruction ID: 5078b310c30c42c6822500cb815ed99ed27809412174b51a817830a8f559c762
Opcode Fuzzy Hash: b2d0ed4b456dfb785777b5216bf14edc5d61981a93743d8a29187e8ccc64ec1b
Instruction Fuzzy Hash: 2462C2706083459FDB358F25CC88BEAB7E6EB94304F54652DEA8AA73D1D77098C4CB42

Function 00E44FF0 Relevance: 47.9, APIs: 6, Strings: 21, Instructions: 668COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E450DA
___from_strstr_to_strchr.LIBCMT ref: 00E450F9
_strlen.LIBCMT ref: 00E45124
_strlen.LIBCMT ref: 00E4536B
_strlen.LIBCMT ref: 00E454A7

Strings

PuTTY-User-Key-File-, xrefs: 00E45435
---- END SSH2 PUBLIC KEY ----, xrefs: 00E45604
Public-Lines, xrefs: 00E457CD
Subject, xrefs: 00E45241
---- BEGIN SSH2 PUBLIC KEY ----, xrefs: 00E45054
invalid length for base64 data in OpenSSH public key file, xrefs: 00E45164
not a public key or a PuTTY SSH-2 private key, xrefs: 00E45177, 00E4544A
pubbloblen + 3 <= pubblobsize, xrefs: 00E45349
%.*s, xrefs: 00E45760
ent, xrefs: 00E456F5
key algorithms do not match in OpenSSH public key file, xrefs: 00E453A0
PuTTY-User-Key-File-2, xrefs: 00E45409
PuTTY key format too new, xrefs: 00E45445
PuTTY-User-Key-File-3, xrefs: 00E453F1
Encryption, xrefs: 00E456A3
no key blob in OpenSSH public key file, xrefs: 00E45183
PuTTY-User-Key-File-1, xrefs: 00E4541D
file format error, xrefs: 00E45497
Comment, xrefs: 00E4522F
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c, xrefs: 00E45344
Comm, xrefs: 00E456EC

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen$___from_strstr_to_strchr
String ID: %.*s$---- BEGIN SSH2 PUBLIC KEY ----$---- END SSH2 PUBLIC KEY ----$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c$Comm$Comment$Encryption$PuTTY key format too new$PuTTY-User-Key-File-$PuTTY-User-Key-File-1$PuTTY-User-Key-File-2$PuTTY-User-Key-File-3$Public-Lines$Subject$ent$file format error$invalid length for base64 data in OpenSSH public key file$key algorithms do not match in OpenSSH public key file$no key blob in OpenSSH public key file$not a public key or a PuTTY SSH-2 private key$pubbloblen + 3 <= pubblobsize
API String ID: 3974054854-1720949848
Opcode ID: 23d7e69a4e4416fe0335202fde151c5d3c33a1e3584cb306e91022462a2dcd5e
Instruction ID: b29abf340432240358b584ee0bb5ed92d3ceb0dda0c4f09596691a093d78c8ba
Opcode Fuzzy Hash: 23d7e69a4e4416fe0335202fde151c5d3c33a1e3584cb306e91022462a2dcd5e
Instruction Fuzzy Hash: C422F6B6A047049BD710AF60BC42B6B77E99B51308F082838FD5ABB343F665ED45C792

Function 00DE8920 Relevance: 43.1, APIs: 23, Strings: 1, Instructions: 1097COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00DE8D81
SetTextColor.GDI32(?), ref: 00DE8D92
SetBkColor.GDI32(?), ref: 00DE8D9F
SetBkMode.GDI32(-00000002), ref: 00DE8DB5

Strings

$, xrefs: 00DE96E8

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Color$ModeObjectSelectText
String ID: $
API String ID: 3594386986-3993045852
Opcode ID: 039a3d4213e99eb27f235c6221a9a6fcfc756f5a6c265cfcb79efefeb9bd1ee4
Instruction ID: 631bf92b04e711921c7116cadcb59e2a2eb7ea60ed9d7fe402788ff625199d18
Opcode Fuzzy Hash: 039a3d4213e99eb27f235c6221a9a6fcfc756f5a6c265cfcb79efefeb9bd1ee4
Instruction Fuzzy Hash: 479225B16083859FD724DF26CC95B7AB7E1FB84300F18442EF989AB2A1D7319944DB62

Function 00E164C0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 331networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00E164F0
socket.WS2_32(00000001,00000001,00000000), ref: 00E16584
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00E1659D
setsockopt.WS2_32(00000000,0000FFFF,00000100,?,00000004), ref: 00E165BF
setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 00E165DB
htons.WS2_32(00000000), ref: 00E166C9
bind.WS2_32(?,?,00000010), ref: 00E166DB
WSAGetLastError.WS2_32 ref: 00E166E6
htons.WS2_32(?), ref: 00E16761
htonl.WS2_32(?), ref: 00E16803
htons.WS2_32(?), ref: 00E16835
setsockopt.WS2_32(00000000,0000FFFF,00000008,?,00000004), ref: 00E165FA

Part of subcall function 00E05D00: WSAAsyncSelect.WS2_32(?,00000000,00008005,0000003F), ref: 00E05D44

connect.WS2_32(?,?,00000010), ref: 00E168CB
WSAGetLastError.WS2_32 ref: 00E1692D

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00E167DB
sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses, xrefs: 00E167E0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: htonssetsockopt$ErrorLast$AsyncHandleInformationSelectbindclosesocketconnecthtonlsocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses
API String ID: 115623123-386099739
Opcode ID: 5ab28cb7d3c44d999d012f17e3321cc61ad743c846c19a30bcb5e763ee73c0a0
Instruction ID: a54f61d247ffd627790946b6172d676ccf9177994e608c97c1659d43555445cf
Opcode Fuzzy Hash: 5ab28cb7d3c44d999d012f17e3321cc61ad743c846c19a30bcb5e763ee73c0a0
Instruction Fuzzy Hash: 8FD1D2B0504341AFD720DF25DD89BAAB7E4FF84318F10582CF949AB2A1D775E894CB92

Function 00E169B0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 267networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00E16A56
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00E16A6F
_strncpy.LIBCMT ref: 00E16A90
setsockopt.WS2_32(00000000,0000FFFF,000000FB,00000001,00000004), ref: 00E16ABD
getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 00E16C33
htons.WS2_32(?), ref: 00E16C88
bind.WS2_32(00000000,00000001,00000010), ref: 00E16CC5
listen.WS2_32(00000000,7FFFFFFF), ref: 00E16CD6
closesocket.WS2_32(00000000), ref: 00E16CF3
WSAGetLastError.WS2_32 ref: 00E16D1A

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00E16DAF
false && "bad address family in sk_newlistener_internal", xrefs: 00E16DB4

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorHandleInformationLast_strncpybindclosesocketgetaddrinfohtonslistensetsockoptsocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$false && "bad address family in sk_newlistener_internal"
API String ID: 1644184481-2428366578
Opcode ID: 70352ad16fa7019ddf9d247efced2ba637cb0a757c0c9e3a5ca6d27359c43f3f
Instruction ID: 06a2de15548a5bf3b7dcfde19a32c6c4e94b819d91f08188e8d99d0745966e1a
Opcode Fuzzy Hash: 70352ad16fa7019ddf9d247efced2ba637cb0a757c0c9e3a5ca6d27359c43f3f
Instruction Fuzzy Hash: 61B182B05083449FE3209F25D859B9BBBE4FF84318F14991CF489AB3D1D7B59888CB92

Function 00E05720 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 287COMMON

Download Yara Rule

APIs

Part of subcall function 00E29BE0: GetLocalTime.KERNEL32(?,?,?,?,00E050A4,?), ref: 00E29BF6

_strftime.LIBCMT ref: 00E05779

Part of subcall function 00E05AF0: _strlen.LIBCMT ref: 00E05B1D

Strings

%08zx%*s, xrefs: 00E05977
type %d / 0x%02x (%s), xrefs: 00E05807
%s raw data at %s, xrefs: 00E05792
XX, xrefs: 00E059B9
on behalf of downstream #%u, xrefs: 00E05828
(%s), xrefs: 00E0583B
(%zu byte%s omitted), xrefs: 00E0594B, 00E05AAB
%s packet , xrefs: 00E057E2
%Y-%m-%d %H:%M:%S, xrefs: 00E05771
%02x, xrefs: 00E059E3
Incoming, xrefs: 00E05783, 00E057D4
#0x%lx, , xrefs: 00E057F6
Outgoing, xrefs: 00E05788, 00E05791, 00E057D9, 00E057E1

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: LocalTime_strftime_strlen
String ID: %08zx%*s$ (%zu byte%s omitted)$ (%s)$ on behalf of downstream #%u$#0x%lx, $%02x$%Y-%m-%d %H:%M:%S$%s packet $%s raw data at %s$Incoming$Outgoing$XX$type %d / 0x%02x (%s)
API String ID: 4241967358-2889948183
Opcode ID: d3e7bbdc85f8bd9d0a47d672b293b2d6ca74f0aac18841df4cdd75f9634f433d
Instruction ID: a53a60230891ded125eb5789a616e390f5d3703bd96edb83de45a144d6b22c9a
Opcode Fuzzy Hash: d3e7bbdc85f8bd9d0a47d672b293b2d6ca74f0aac18841df4cdd75f9634f433d
Instruction Fuzzy Hash: 2CA10A727087409FDB249A14DC85BBF73E5EBC4304F48A92DE849B7382E6719D858F92

Function 00DFE7C0 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00DFE807
SendDlgItemMessageA.USER32(?,000003E9,00000192,00000002,00EE2020), ref: 00DFE828
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 00DFE854
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 00DFE8AB
GetParent.USER32(?), ref: 00DFE8D2
SetActiveWindow.USER32(00000000), ref: 00DFE8D9
DestroyWindow.USER32(?), ref: 00DFE8E0
SendDlgItemMessageA.USER32(?,000003E9,00000190,00000000,00000000), ref: 00DFE91F
SendDlgItemMessageA.USER32(?,000003E9,00000191,00000000,00000000), ref: 00DFE94F
_strlen.LIBCMT ref: 00DFE996
MessageBeep.USER32(00000000), ref: 00DFE9C5
_strlen.LIBCMT ref: 00DFEA2E
SendDlgItemMessageA.USER32(?,000003E9,00000185,00000000,00000000), ref: 00DFEB01

Strings

%s Event Log, xrefs: 00DFE7F6

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message$ItemSend$Window$_strlen$ActiveBeepDestroyParentText
String ID: %s Event Log
API String ID: 2560716093-583241876
Opcode ID: 7d597971bcd97f2b600562ff9c159600edc29f175cde7ec4d39d84a0f620e9ad
Instruction ID: 181ac0d4abb36acf3760f3a50244d75b67518a24a6085004d6fcc8c89bfff5b8
Opcode Fuzzy Hash: 7d597971bcd97f2b600562ff9c159600edc29f175cde7ec4d39d84a0f620e9ad
Instruction Fuzzy Hash: FC913871A00308AFE715EF65ECC5B7A73E4EB44700F054429FA46EB2E1D770E9089BA6

Function 00E1CBD0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1CD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52EC), ref: 00E1CDED
Part of subcall function 00E1CD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52F0), ref: 00E1CE1C
Part of subcall function 00E1CD70: GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52F0), ref: 00E1CE26

LocalAlloc.KERNEL32(00000040,00000014,?,00000000,?), ref: 00E1CC9D
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?), ref: 00E1CCAD
SetSecurityDescriptorOwner.ADVAPI32(?,00000000,?,00000000,?), ref: 00E1CCC2
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?), ref: 00E1CCD5
GetLastError.KERNEL32(?,00000000,?), ref: 00E1CD0D
LocalFree.KERNEL32(00000000), ref: 00E1CD30
LocalFree.KERNEL32(00000000), ref: 00E1CD44

Strings

unable to initialise security descriptor: %s, xrefs: 00E1CCFA
unable to construct ACL: %s, xrefs: 00E1CC8B
unable to allocate security descriptor: %s, xrefs: 00E1CCF3, 00E1CD1D
unable to set owner in security descriptor: %s, xrefs: 00E1CD01
unable to set DACL in security descriptor: %s, xrefs: 00E1CD08

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: DescriptorInitializeLocalSecurity$AllocateErrorFreeLast$AllocDaclOwner
String ID: unable to allocate security descriptor: %s$unable to construct ACL: %s$unable to initialise security descriptor: %s$unable to set DACL in security descriptor: %s$unable to set owner in security descriptor: %s
API String ID: 436594416-3066058096
Opcode ID: c034b128efec3aef5441b450e12cba08f087b1418af488e5bfb02945d70df55d
Instruction ID: 5f60a95ae9f14f9c5eb8c2d4fdb60f68232a1e489c1ffdc0265f6e666847bab6
Opcode Fuzzy Hash: c034b128efec3aef5441b450e12cba08f087b1418af488e5bfb02945d70df55d
Instruction Fuzzy Hash: EB417EB06443409FEB108F25EC45B9ABBE4FF88704F24942DFA49EB2A0D776D845CB52

Function 00DEB280 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00DEB2AC

Strings

hhctrl.ocx, xrefs: 00DEB293
Software\SimonTatham\PuTTY64\CHMPath, xrefs: 00DEB359
Software\SimonTatham\PuTTY\CHMPath, xrefs: 00DEB371
HtmlHelpA, xrefs: 00DEB2A6

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc
String ID: HtmlHelpA$Software\SimonTatham\PuTTY64\CHMPath$Software\SimonTatham\PuTTY\CHMPath$hhctrl.ocx
API String ID: 190572456-509675872
Opcode ID: 95e604ba82f073819d2482b7b28db5c8dd462b6a6e334de906721b96dfb7e799
Instruction ID: a1fc097a128d7d9ac6984cc8958ecccf9ab59502167b8f6059a55b4150509c10
Opcode Fuzzy Hash: 95e604ba82f073819d2482b7b28db5c8dd462b6a6e334de906721b96dfb7e799
Instruction Fuzzy Hash: C721D6306043C55FE721A737BC8E75A7B959B15721F180026F906FB1B1E7E0E9888BA5

Function 00E04450 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 356comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00EB0784,00000000,00000001,00EB0774), ref: 00E04495
CoCreateInstance.OLE32(00EB0784,00000000,00000001,00EB0774,00000000), ref: 00E0452F
CoCreateInstance.OLE32(00EB07B4,00000000,00000001,00EB07A4,00000000), ref: 00E0458E

Strings

Pageant.exe, xrefs: 00E0472A, 00E04740
Recent Sessions, xrefs: 00E04700

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CreateInstance
String ID: Pageant.exe$Recent Sessions
API String ID: 542301482-148644000
Opcode ID: ca4b2df2d1f071833aa88dbc2bae0a0cf62a27fbb39aa8627a2f75fa3fc7c098
Instruction ID: e214b5597a7236fbf60063a4338f07f8f508b3b88dafb804f2301b54a68ea873
Opcode Fuzzy Hash: ca4b2df2d1f071833aa88dbc2bae0a0cf62a27fbb39aa8627a2f75fa3fc7c098
Instruction Fuzzy Hash: 6BC17EB0604301AFD704DF60D989B5BB7E9AF84708F145828FA85EB2D1DB75E845CBA2

Function 00E70910 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 121pipeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1EF00: _strlen.LIBCMT ref: 00E1EF0B
Part of subcall function 00E1EF00: _strcat.LIBCMT ref: 00E1EF27

___from_strstr_to_strchr.LIBCMT ref: 00E709A6
CreateNamedPipeA.KERNEL32(?,40080003,00000008,000000FF,00001000,00001000,00000000), ref: 00E70A19
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00E70A52
GetLastError.KERNEL32 ref: 00E70A78

Part of subcall function 00E1D3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D46B
Part of subcall function 00E1D3E0: _strlen.LIBCMT ref: 00E1D476

Strings

\\.\pipe\, xrefs: 00E7096D
unable to create named pipe '%s': %s, xrefs: 00E70A8C
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00E70989
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-server.c, xrefs: 00E70984, 00E709B7
strchr(pipename + 9, '\\') == NULL, xrefs: 00E709BC

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Create_strlen$ErrorEventFormatLastMessageNamedPipe___from_strstr_to_strchr_strcat
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-server.c$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0$unable to create named pipe '%s': %s
API String ID: 3167155451-387693737
Opcode ID: b81bf15ab3d1b96112847c5721e2f9f85c2a2cedbab7d4c5090053341313ecc6
Instruction ID: 4be54a5a7fd98553fb331ef95172c4bebbe69f12a4bd6967bb71924f717926b3
Opcode Fuzzy Hash: b81bf15ab3d1b96112847c5721e2f9f85c2a2cedbab7d4c5090053341313ecc6
Instruction Fuzzy Hash: F441A2B0A40700AFE320AF25DC06F577BE4EF84758F049929F94DBB2C2E7B1A5048B95

Function 00DE6150 Relevance: 15.1, APIs: 10, Instructions: 61clipboardwindowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00002002,?), ref: 00DE616C
GlobalLock.KERNEL32(00000000), ref: 00DE617D
GlobalUnlock.KERNEL32(00000000), ref: 00DE61A0
SendMessageA.USER32(00008002,00000001,00000000), ref: 00DE61B9
OpenClipboard.USER32 ref: 00DE61C5
EmptyClipboard.USER32 ref: 00DE61CF
SetClipboardData.USER32(00000001,00000000), ref: 00DE61D8
CloseClipboard.USER32 ref: 00DE61DE
SendMessageA.USER32(00008002,00000000,00000000), ref: 00DE61F7
GlobalFree.KERNEL32(00000000), ref: 00DE6203

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1228832834-0
Opcode ID: dc554e7194ec51a7cf3a4c8a1755dc674219d7acab68d805dd2991f293d82a13
Instruction ID: e2b76ae7a68bd79655acd8c1d45fc552204dd254d3956d1a3032a6cf85dbd940
Opcode Fuzzy Hash: dc554e7194ec51a7cf3a4c8a1755dc674219d7acab68d805dd2991f293d82a13
Instruction Fuzzy Hash: F9118231242385AFE7226F73FC09F6A7B5DEF51785F084036F686A90A1DB21C908C725

Function 00E408D0 Relevance: 14.7, Strings: 11, Instructions: 904COMMON

Download Yara Rule

Strings

null, xrefs: 00E40DF9
none, xrefs: 00E40FFC, 00E41084, 00E410F9
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/transport2.c, xrefs: 00E40DBB
bo, xrefs: 00E40B07, 00E4108E, 00E4110B
@e, xrefs: 00E40F1A
kex-strict-c-v00@openssh.com, xrefs: 00E41127
ext-info-s, xrefs: 00E4111B
hk_prev, xrefs: 00E40DC0
kex-strict-s-v00@openssh.com, xrefs: 00E4112C
ext-info-c, xrefs: 00E41116
4e, xrefs: 00E40F1F

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/transport2.c$4e$@e$bo$ext-info-c$ext-info-s$hk_prev$kex-strict-c-v00@openssh.com$kex-strict-s-v00@openssh.com$none$null
API String ID: 0-1825030693
Opcode ID: 0a07f45ee22c7c7fe4db4a65d1280c44433cf7e8dacf01623c4cd5f2688fdaf3
Instruction ID: 9d0e8121d1c1949cf7bd496b2b410f973d0ab5059115589cf75f7bcb29b3713c
Opcode Fuzzy Hash: 0a07f45ee22c7c7fe4db4a65d1280c44433cf7e8dacf01623c4cd5f2688fdaf3
Instruction Fuzzy Hash: F662D270A083408FDB14DF14E845BABB7E1AFC4308F19A86DEA896B352D775DC45CB92

Function 00E1CD70 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52EC), ref: 00E1CDED
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52F0), ref: 00E1CE1C
GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52F0), ref: 00E1CE26

Part of subcall function 00E1CA80: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CAB7
Part of subcall function 00E1CA80: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CAC5
Part of subcall function 00E1CA80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB04
Part of subcall function 00E1CA80: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB21
Part of subcall function 00E1CA80: GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB4B
Part of subcall function 00E1CA80: CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00E1CB6A
Part of subcall function 00E1CA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB8B
Part of subcall function 00E1CA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB9A
Part of subcall function 00E1CA80: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CBA5

GetLastError.KERNEL32 ref: 00E1CE3D
GetLastError.KERNEL32 ref: 00E1CE54

Part of subcall function 00E1D3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D46B
Part of subcall function 00E1D3E0: _strlen.LIBCMT ref: 00E1D476

Strings

unable to construct SID for current user: %s, xrefs: 00E1CE4D
unable to construct SID for local same-user access only: %s, xrefs: 00E1CE36
unable to construct SID for world: %s, xrefs: 00E1CE64

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$AllocateCloseHandleInitializeLocalProcess$AllocCopyCurrentFormatFreeLengthMessageOpen_strlen
String ID: unable to construct SID for current user: %s$unable to construct SID for local same-user access only: %s$unable to construct SID for world: %s
API String ID: 3303103131-2222155745
Opcode ID: 49668c45a9166870cf79bce17999519cfb30590147f121c250cc6948ff74da48
Instruction ID: f096ae5abc5596d00e6ce3ca9b0840d5054f17e9b8ddf6f4e1a3e02f4dd278e2
Opcode Fuzzy Hash: 49668c45a9166870cf79bce17999519cfb30590147f121c250cc6948ff74da48
Instruction Fuzzy Hash: C921CB716403409FD710DF75AC86BAA77E8EF18704F14142DF646FA1A0DB74D488C756

Function 00E09240 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000107), ref: 00E09269
_strlen.LIBCMT ref: 00E09270
FindFirstFileA.KERNEL32(?,?), ref: 00E0928D
FindNextFileA.KERNEL32(00000000,?), ref: 00E092AD
FindClose.KERNEL32(00000000), ref: 00E092B4
GetCurrentProcessId.KERNEL32 ref: 00E092BA

Strings

p, xrefs: 00E09243
\*, xrefs: 00E09278

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNextProcessWindows_strlen
String ID: \*$p
API String ID: 4151488164-3278805917
Opcode ID: 651980348dd5c3d76b8f7529f9346416bbbaf81423bdc34a2b3f07473b4fb4b9
Instruction ID: 702b921f277a90474fecdba1d64e7279de126e0cd4fe15cad367625b296926f7
Opcode Fuzzy Hash: 651980348dd5c3d76b8f7529f9346416bbbaf81423bdc34a2b3f07473b4fb4b9
Instruction Fuzzy Hash: B81129715453046BD611BB24BC4AF9F37D8DF4A349F050034F589B62D2E735AA0987E7

Function 00E00580 Relevance: 13.9, APIs: 9, Instructions: 379windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000180,00000000,00ED3707), ref: 00E005D5
SetWindowLongA.USER32(?,00000000,00000001), ref: 00E005FB
SendDlgItemMessageA.USER32(?,?,00000188,00000000,00000000), ref: 00E00645
SendDlgItemMessageA.USER32(?,?,0000018B,00000000,00000000), ref: 00E00660
SendDlgItemMessageA.USER32(00000001,FFFFFFFF,00000182,?,00000000), ref: 00E008DD
SendDlgItemMessageA.USER32(?,?,00000199,00000000,00000000), ref: 00E009ED

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend$LongWindow
String ID:
API String ID: 1736968133-0
Opcode ID: fb0428456421d770c5eb51801aa75adb12f8bf00f2eaf19d5852b73fddb43746
Instruction ID: 7df20dacce4ef6e2090ce5b65445c9e6c20078085e9555613b46563f39ac0f3c
Opcode Fuzzy Hash: fb0428456421d770c5eb51801aa75adb12f8bf00f2eaf19d5852b73fddb43746
Instruction Fuzzy Hash: 7ED1A472604300AFD7148F19CC84B2BB7E6EBC8720F154A29F9A5AB3D1D771EC958B91

Function 00E16E00 Relevance: 13.8, APIs: 9, Instructions: 325networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00005000,00000001), ref: 00E16FA8
accept.WS2_32(?,?,00000080), ref: 00E16FF8
WSAGetLastError.WS2_32 ref: 00E17005
closesocket.WS2_32(00000000), ref: 00E17058
recv.WS2_32(?,?,00005000,00000000), ref: 00E170EB
ioctlsocket.WS2_32(?,40047307,00000001), ref: 00E1715E
WSAGetLastError.WS2_32 ref: 00E17170
recv.WS2_32(?,?,00005000,00000000), ref: 00E17190
WSAGetLastError.WS2_32 ref: 00E171C1

Part of subcall function 00E09430: GetTickCount.KERNEL32 ref: 00E09458
Part of subcall function 00E09430: QueryPerformanceCounter.KERNEL32 ref: 00E09476

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLastrecv$CountCounterPerformanceQueryTickacceptclosesocketioctlsocket
String ID:
API String ID: 2595003436-0
Opcode ID: 7307c3abc26df49b52c42a4a95d6862bd3878110fcd5b2c55847584f01d7ffc7
Instruction ID: a207f7ba766365bacc50cf20e7f97d5dd9db98028fcff81124c69676add39e54
Opcode Fuzzy Hash: 7307c3abc26df49b52c42a4a95d6862bd3878110fcd5b2c55847584f01d7ffc7
Instruction Fuzzy Hash: 6AB1A0B1604300AFE720CF25CC85BA7B7F9AF84B08F54591CF99AAB291D771E984CB51

Function 00DE1130 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d420af329604d6b010023bff1130f9b71c033dd78af51d915ee36eedba55eab
Instruction ID: e4781bbe736be0666e18da122646cdab663a31d26760afb3b523a98cef5b3342
Opcode Fuzzy Hash: 7d420af329604d6b010023bff1130f9b71c033dd78af51d915ee36eedba55eab
Instruction Fuzzy Hash: 03B1F2B46043849FD724AF26DC9977E77E5FB84300F48842EF8859B291DB349A48CB62

Function 00EA175F Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1406COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EA18FE

Strings

1#IND, xrefs: 00EA181F
1#INF, xrefs: 00EA1850
1#QNAN, xrefs: 00EA182D
wG, xrefs: 00EA18F4
1#SNAN, xrefs: 00EA1826

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$wG
API String ID: 4168288129-3199026709
Opcode ID: c6c2320e76395eaff7679583c22c6824b2d2a64fcc47ab29ede6d230cf57c132
Instruction ID: ffd1fac75a17a8987fe148e1524dcbdd40af7e5a69a0454ea5aab79d453a9654
Opcode Fuzzy Hash: c6c2320e76395eaff7679583c22c6824b2d2a64fcc47ab29ede6d230cf57c132
Instruction Fuzzy Hash: F2D23A71E082298FDB65CE28CD407EAB7B5EB4A305F1451EAD54DFB240E738AE858F41

Function 00DF2070 Relevance: 11.4, APIs: 3, Strings: 3, Instructions: 853COMMON

Download Yara Rule

Strings

nchars_used < nchars_got, xrefs: 00DF21B0
chars != NULL, xrefs: 00DF2195
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c, xrefs: 00DF2190, 00DF21AB

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$chars != NULL$nchars_used < nchars_got
API String ID: 0-2160977139
Opcode ID: a5c64e0455730c20a157a19fbf29428191778fb2dc34e1828d2f6759e887b203
Instruction ID: fed0a786c773e08abf260f89eaa7ad8f76437c87e96e8bb9d843eb619f7a94aa
Opcode Fuzzy Hash: a5c64e0455730c20a157a19fbf29428191778fb2dc34e1828d2f6759e887b203
Instruction Fuzzy Hash: EC6225705047488FD720DF34D884BBBB7E1AF85314F1AC92DE69A8B281D775E984CB62

Function 00E9A27B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00E9A387
IsValidCodePage.KERNEL32(00000000), ref: 00E9A3D0
IsValidLocale.KERNEL32(?,00000001), ref: 00E9A3DF
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00E9A427
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00E9A446

Strings

T, xrefs: 00E9A2E0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: T
API String ID: 415426439-2757253332
Opcode ID: a945df86f8a141a8b3b64affe931f6c83f576d564f1f16afa4369dea85abdf7d
Instruction ID: 1562854501b5806f97bec7a5f8e4944b39807fc063394504830af4019f57bcbb
Opcode Fuzzy Hash: a945df86f8a141a8b3b64affe931f6c83f576d564f1f16afa4369dea85abdf7d
Instruction Fuzzy Hash: 9F518F71A00205AFDF21DFA5DC45ABE73B8FF48704F185439E915FB191E77099448BA2

Function 00DFAF90 Relevance: 9.3, Strings: 6, Instructions: 1763COMMON

Download Yara Rule

Strings

false && "how did this get past the outer switch?", xrefs: 00DFC682
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/bidi.c, xrefs: 00DFB3B7, 00DFB43F, 00DFB564, 00DFB5F9, 00DFB6F7, 00DFB800, 00DFC67D
ctx->ds_sp < lenof(ctx->dsstack), xrefs: 00DFB5FE, 00DFB6FC
ctx->levels[j] == irslevel, xrefs: 00DFB805
ctx->ds_sp > 0, xrefs: 00DFB3BC, 00DFB444
i == ctx->textlen - 1, xrefs: 00DFB569

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/bidi.c$ctx->ds_sp < lenof(ctx->dsstack)$ctx->ds_sp > 0$ctx->levels[j] == irslevel$false && "how did this get past the outer switch?"$i == ctx->textlen - 1
API String ID: 0-756103520
Opcode ID: ed95010bf35d1777e896bdafdf35b0e46fb058ba2f654b5d7f1eec03328933e6
Instruction ID: 0050a57fe0da9d5f7c5e1fe4c0ca46831635615be7544eb80d5e73c9f4b31645
Opcode Fuzzy Hash: ed95010bf35d1777e896bdafdf35b0e46fb058ba2f654b5d7f1eec03328933e6
Instruction Fuzzy Hash: 63E2BD756083098FC724CF18C49067AB7E2AF99324F1AC92EEA968B351D731FC51CB65

Function 00E18B80 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E18B97
_strlen.LIBCMT ref: 00E18BC1
_strcat.LIBCMT ref: 00E18BEC
_strlen.LIBCMT ref: 00E18BF5
_strcat.LIBCMT ref: 00E18C12
_strlen.LIBCMT ref: 00E18C1B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: 2d563d9d92884fffca5dd1ee114f36bda0cb55148a3534988c02284aa5752a4d
Instruction ID: 468707744f529b68f9b90e5ab3ce49376dcf06150e9d772c153c3152226364b3
Opcode Fuzzy Hash: 2d563d9d92884fffca5dd1ee114f36bda0cb55148a3534988c02284aa5752a4d
Instruction Fuzzy Hash: 811187B59052046BDF14EF25AC81A6FB3E8AF9574DF05543CFC89A7301FA31EA0586A3

Function 00E1E140 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,?), ref: 00E1E282
GetCPInfo.KERNEL32(?,?), ref: 00E1E36F
GetACP.KERNEL32 ref: 00E1E3E6
GetOEMCP.KERNEL32 ref: 00E1E3F3

Strings

UTF-8, xrefs: 00E1E179

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Info
String ID: UTF-8
API String ID: 1807457897-243350608
Opcode ID: 3f7ca791949c70b57b2598845c8b32637e711dc100554fadca0249b811defadf
Instruction ID: 3773acc862242dc06ce7bf9f096c979b1533706bc861b587fb28683265ec40db
Opcode Fuzzy Hash: 3f7ca791949c70b57b2598845c8b32637e711dc100554fadca0249b811defadf
Instruction Fuzzy Hash: A2715672A083515BDB209A3448942FF77D46F85368F186639FCA6E7392E235DDC4C382

Function 00E105F0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E10676

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/settings.c, xrefs: 00E10755
%s%s, xrefs: 00E1070A
Cipher, xrefs: 00E1076B
p - buf == maxlen, xrefs: 00E1075A

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: %s%s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/settings.c$Cipher$p - buf == maxlen
API String ID: 4218353326-3676115531
Opcode ID: 925ed0be87a059268a3afa0f63afd3a53d693428a40280b7f3e1ca61494b947f
Instruction ID: 52b0dffde7fbeb18188a621952fa4678927b614aa034e259aabd684da744ab79
Opcode Fuzzy Hash: 925ed0be87a059268a3afa0f63afd3a53d693428a40280b7f3e1ca61494b947f
Instruction Fuzzy Hash: 4C41F771A08304ABD7106E249C416AEB6E99BD4758F18242DF549B7392E5F2ECD086D2

Function 00E9A9E5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00E9A3C4,00000002,00000000,?,?,?,00E9A3C4,?,00000000), ref: 00E9AA7E
GetLocaleInfoW.KERNEL32(?,20001004,00E9A3C4,00000002,00000000,?,?,?,00E9A3C4,?,00000000), ref: 00E9AAA7
GetACP.KERNEL32(?,?,00E9A3C4,?,00000000), ref: 00E9AABC

Strings

ACP, xrefs: 00E9AA03
OCP, xrefs: 00E9AA39

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 1528504495bc41926feb39800c138c5a56e716ef814553859c34233e8bf09c74
Instruction ID: 9d33132cdece123ba619eb26ec18fd8a3d1eb17cc3816f03b068660f528e4108
Opcode Fuzzy Hash: 1528504495bc41926feb39800c138c5a56e716ef814553859c34233e8bf09c74
Instruction Fuzzy Hash: 0A21B232600101ABDF309B15DB00A9773A6EF54B58B5E9435E90AFB200E772DE40C3D2

Function 00E1D3E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D46B
_strlen.LIBCMT ref: 00E1D476
GetLastError.KERNEL32(?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D490

Strings

Error %d: %s, xrefs: 00E1D4AD
(unable to format: FormatMessage returned %u), xrefs: 00E1D497

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorFormatLastMessage_strlen
String ID: (unable to format: FormatMessage returned %u)$Error %d: %s
API String ID: 2706427827-1777221902
Opcode ID: 7254ec93dc753957bbb2fac0dea407e413ed3c9027f129e245b654f39f3ef7a2
Instruction ID: a6abb48c99ab5385dfbeeb982afa72bd127a0000dce2f8e49e856fc6faed2c55
Opcode Fuzzy Hash: 7254ec93dc753957bbb2fac0dea407e413ed3c9027f129e245b654f39f3ef7a2
Instruction Fuzzy Hash: 1421FF71A443416BD731EB25AC07FE737D4AF98758F04543CF559B6292EAB0A4848353

Function 00E2A160 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57libraryfileloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetFileAttributesExA), ref: 00E2A1A2
FindFirstFileA.KERNEL32(?), ref: 00E2A1D8
CloseHandle.KERNEL32(00000000), ref: 00E2A1E4

Strings

kernel32.dll, xrefs: 00E2A186
GetFileAttributesExA, xrefs: 00E2A19C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressCloseFileFindFirstHandleProc
String ID: GetFileAttributesExA$kernel32.dll
API String ID: 3854970465-595542130
Opcode ID: 51d8b1394c7df38722e6b10ca39a8dd874efa744e0d8819d103e519eaa0a70f7
Instruction ID: 1b85716460ecfa8b64b8590f31cc375bcfe34b1996cfed2a43e310f6b5b7673f
Opcode Fuzzy Hash: 51d8b1394c7df38722e6b10ca39a8dd874efa744e0d8819d103e519eaa0a70f7
Instruction Fuzzy Hash: 5011E0B13062449FD7188B36FC85B6A37E4AB48368F18043DF44ABB2E0DB719818D743

Function 00DFA2E0 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

term->selstart.x >= term->curs.x, xrefs: 00DFA41F
term->selstart.x < term->cols, xrefs: 00DFA446
term->selend.x <= term->cols, xrefs: 00DFA490
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c, xrefs: 00DFA41A, 00DFA441, 00DFA466, 00DFA48B, 00DFA613, 00DFA780
term->selend.x > term->curs.x, xrefs: 00DFA46B
col >= 0 && col < line->cols, xrefs: 00DFA618, 00DFA785

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$col >= 0 && col < line->cols$term->selend.x <= term->cols$term->selend.x > term->curs.x$term->selstart.x < term->cols$term->selstart.x >= term->curs.x
API String ID: 0-3830558916
Opcode ID: 82d5b98fa3f1d3400e3895709da07f8e4181ebb878960a5a1f27767c4cd4ff8a
Instruction ID: 080488fb6b9b21ae1c3d1e2879da680185ea45aa781d6bec7a6cdfc417fb1c0f
Opcode Fuzzy Hash: 82d5b98fa3f1d3400e3895709da07f8e4181ebb878960a5a1f27767c4cd4ff8a
Instruction Fuzzy Hash: BFF15BB56047099FC718DF28C480A6AB7E2BF84304F0AC92DE99D57391E770F955CB92

Function 00E402A0 Relevance: 7.8, Strings: 6, Instructions: 293COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/transport2.c, xrefs: 00E402B8
ppl->vt == &ssh2_transport_vtable, xrefs: 00E402BD
data limit lowered, xrefs: 00E4039C
timeout shortened, xrefs: 00E402F2
compression setting changed, xrefs: 00E403C7
cipher settings changed, xrefs: 00E40533, 00E40563

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/transport2.c$cipher settings changed$compression setting changed$data limit lowered$ppl->vt == &ssh2_transport_vtable$timeout shortened
API String ID: 0-725028720
Opcode ID: 3057ce101f48a0d198b54aee9af1448f19ab2a2688f3eb6b842d2580c7f31ff8
Instruction ID: 0c661cbcb51b2839c47ceadeb7cdbba146866160dc906feee65afd0eb27050a1
Opcode Fuzzy Hash: 3057ce101f48a0d198b54aee9af1448f19ab2a2688f3eb6b842d2580c7f31ff8
Instruction Fuzzy Hash: 0DB1B871A48301AFE7219F70EC46B5ABBE1AF94708F04543CF685AB292F7B19D54CB81

Function 00E595D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000), ref: 00E595F2
FindClose.KERNEL32(00000000), ref: 00E59609
FindWindowA.USER32(Pageant,Pageant), ref: 00E5961D

Strings

Pageant, xrefs: 00E59613, 00E59618

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Find$CloseFileFirstWindow
String ID: Pageant
API String ID: 2475344593-3220706369
Opcode ID: 1755d3777f7c01a1212b53524a6ef7cf82c7ba131acd1337bdd427e941438513
Instruction ID: 476364977110537638ea45d24da02d73d586a27066598022752b3fac0a467d38
Opcode Fuzzy Hash: 1755d3777f7c01a1212b53524a6ef7cf82c7ba131acd1337bdd427e941438513
Instruction Fuzzy Hash: 90F0B4716421009BD620673AFC4ABFB37A8DB86361F04113AF91AF62E1D634480AD1A6

Function 00E4D070 Relevance: 6.9, Strings: 5, Instructions: 664COMMON

Download Yara Rule

Strings

len <= pool->nw, xrefs: 00E4D189, 00E4D230, 00E4D31C, 00E4D37A, 00E4D448, 00E4D6C3
x->nw > 0, xrefs: 00E4D09E
p > 0, xrefs: 00E4D0E6
x->w[0] & 1, xrefs: 00E4D0C4
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E4D099, 00E4D0BF, 00E4D0E1, 00E4D184, 00E4D22B, 00E4D317, 00E4D375, 00E4D443, 00E4D6BE

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$len <= pool->nw$p > 0$x->nw > 0$x->w[0] & 1
API String ID: 0-820863981
Opcode ID: f5bf65f382fcf74694cceef57990d6b5ef85d9ef22c36810c30667fe9df36543
Instruction ID: d379215065a5dea63a770360a612d33022777bee2e7c865de433e7edf50e14fe
Opcode Fuzzy Hash: f5bf65f382fcf74694cceef57990d6b5ef85d9ef22c36810c30667fe9df36543
Instruction Fuzzy Hash: 9142C171A083159FC724DF28D880A6AB7E1FFC8314F14592DE99AA7391E771ED05CB82

Function 00E9B003 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9B0F3

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 604d1b09b26fa4c524b4302197091bea28824b9f39246420c08108b77174f2d0
Instruction ID: 6665d938aa8309e81902c3a9048ad75eb39a6f7a2b37388e962c8d89e3beae3e
Opcode Fuzzy Hash: 604d1b09b26fa4c524b4302197091bea28824b9f39246420c08108b77174f2d0
Instruction Fuzzy Hash: 2C71F171905118AFDF30AF28ED89ABEB7B9EF09304F1451EAE048B7251EB355E849F50

Function 00E8051A Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E80526
IsDebuggerPresent.KERNEL32 ref: 00E805F2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E80612
UnhandledExceptionFilter.KERNEL32(?), ref: 00E8061C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 96626a987063e439dc8a768aa4bbf69f9b28f2923509eddbe13974a7c7a84552
Instruction ID: 03f9afebf84ea5a67d157f1257c565227b657d2a41d8cf19cd53c542ec3b25e3
Opcode Fuzzy Hash: 96626a987063e439dc8a768aa4bbf69f9b28f2923509eddbe13974a7c7a84552
Instruction Fuzzy Hash: 22313875D412189FDB20EFA5D9897CDBBF8AF08304F1041EAE40DAB250EB709A89CF45

Function 00E68A60 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 348COMMON

Download Yara Rule

APIs

Part of subcall function 00E67170: __aulldiv.LIBCMT ref: 00E67190

__aulldiv.LIBCMT ref: 00E68AA5

Strings

UUUU, xrefs: 00E68B4B
UUUU, xrefs: 00E68AC3

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __aulldiv
String ID: UUUU$UUUU
API String ID: 3732870572-2425103364
Opcode ID: e9510fd896409720bf1263ec9bf304ed7aa7ea7046a6dd4fd9b3d80b68faca2e
Instruction ID: b4b5c36b4b9b0995c233a327130fb20c475e2f482c5aecc01b5fa6e0d03ec8ca
Opcode Fuzzy Hash: e9510fd896409720bf1263ec9bf304ed7aa7ea7046a6dd4fd9b3d80b68faca2e
Instruction Fuzzy Hash: 98A14236A4421547C718CF6CED9163EB2E6EFE5314F1A963DE886A33D1EB34D81083A1

Function 00E0A1F0 Relevance: 5.6, Strings: 4, Instructions: 594COMMON

Download Yara Rule

Strings

;, xrefs: 00E0A4B2
Looking up host "%s"%s, xrefs: 00E0A2FA
(IPv6), xrefs: 00E0A2E0
(IPv4), xrefs: 00E0A2F0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: (IPv4)$ (IPv6)$;$Looking up host "%s"%s
API String ID: 0-1440922583
Opcode ID: 4284660564126d143d956f193d47c090e74cc05a704aee078a1cd83a663d2707
Instruction ID: 6dab46ebfb068449e776fad3db550e3d9493fe62a1d93c35b7ce2d3de1e867b1
Opcode Fuzzy Hash: 4284660564126d143d956f193d47c090e74cc05a704aee078a1cd83a663d2707
Instruction Fuzzy Hash: 87229070604340AFD7209F68CC8AF57BBE5EF99708F08486CF5899B382D672E955CB52

Function 00E03620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,000000B1,?,?), ref: 00E036AA

Strings

c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00E0368B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E03686

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3015471070-587671386
Opcode ID: d2728ae62a228af2964333e44d4f6114e4ca7e69bdccfa4f84d07eda12dd8c4a
Instruction ID: 2ee8ce076d62a599baa49a7d310b25e67e6ca7f8c4b61f63432898ee1f083b8f
Opcode Fuzzy Hash: d2728ae62a228af2964333e44d4f6114e4ca7e69bdccfa4f84d07eda12dd8c4a
Instruction Fuzzy Hash: EC11A176644309FFD210DF14EC81A66F3E8FB5A708F011526F948B3381D372AE648BA1

Function 00E1D2F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetVersionExA), ref: 00E1D346

Strings

kernel32.dll, xrefs: 00E1D32A
GetVersionExA, xrefs: 00E1D340

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc
String ID: GetVersionExA$kernel32.dll
API String ID: 190572456-3521452493
Opcode ID: 01289fc1253f782445c115e200271aa139ac23a83d460dbbbb18dfb5ed198c92
Instruction ID: 332b94ee57d5b9a9496aac9145711e5f00a6dc43215b02afe4966fa8087229d6
Opcode Fuzzy Hash: 01289fc1253f782445c115e200271aa139ac23a83d460dbbbb18dfb5ed198c92
Instruction Fuzzy Hash: 6B11E1B29087848FD3209F39FC85B4977E4AB08358F00551CF569BF2EAD3709889CB52

Function 00E4EA70 Relevance: 4.8, Strings: 3, Instructions: 1089COMMON

Download Yara Rule

Strings

x0->nw == x1->nw, xrefs: 00E4ED6E, 00E4F34A, 00E4F3AD
word < x->nw, xrefs: 00E4EEAE, 00E4EEF5
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E4EB82, 00E4EBC1, 00E4EC3E, 00E4ED69, 00E4EEA9, 00E4EEF0, 00E4F345, 00E4F3A8

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$word < x->nw$x0->nw == x1->nw
API String ID: 0-4037912331
Opcode ID: 592c71eda163f0ec86ed68608bc9835ae41ae993bbdb5fb5a0c5d52991f54ca1
Instruction ID: 90cc1b72226e45b66fb463b2d459efd892709e4698bfabacdbaed9f6a181b631
Opcode Fuzzy Hash: 592c71eda163f0ec86ed68608bc9835ae41ae993bbdb5fb5a0c5d52991f54ca1
Instruction Fuzzy Hash: 8B82AF76A043019FD714DF28D881A2AB7E2FF89704F19996CE899AB341D731FD11CB91

Function 00E1D000 Relevance: 4.8, APIs: 3, Instructions: 259COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E1D05B
_strlen.LIBCMT ref: 00E1D076
_strlen.LIBCMT ref: 00E1D090

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e98c16062a08d61931784a9d5afa60b32aaa408e4bd18aeda663167cc244f94c
Instruction ID: 7a97b61d93e010d40d119fd5e7bbe8536dcb2644270e094fcbd583a96571a15d
Opcode Fuzzy Hash: e98c16062a08d61931784a9d5afa60b32aaa408e4bd18aeda663167cc244f94c
Instruction Fuzzy Hash: 29713DB2A0D3046BDB205E288C417EA77D2AF96318F092528FC99773D2E275DDC6C641

Function 00E9A56C Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9A5C0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9A60A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9A6D0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 72f54ae254bcc3e4c1bada33f1771ac5f4adad931c7e10a3cd784dfee286ccac
Instruction ID: d938b3399d189413c665119ab262e25a7c59451c832b79c021e96abb00923215
Opcode Fuzzy Hash: 72f54ae254bcc3e4c1bada33f1771ac5f4adad931c7e10a3cd784dfee286ccac
Instruction Fuzzy Hash: 3F61A071510217AFDF299F64CC82BBA73F8EF44304F18507AE905EA282E774D985CB91

Function 00E9612D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00E96225
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E9622F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00E9623C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: db779b59b3e347e0b8b3ae8f3bc55170f3776e8d80d91a4a3133c4d15a5b2dac
Instruction ID: 0d219574f32c013311f0938c2070ab01ba82d971ff740c190d2412a4a4534c74
Opcode Fuzzy Hash: db779b59b3e347e0b8b3ae8f3bc55170f3776e8d80d91a4a3133c4d15a5b2dac
Instruction Fuzzy Hash: 4A31D4759412189BCB21DF25D98878CBBF8BF08310F5051EAE91CA72A1E7709F858F45

Function 00DE8280 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E18E70: _strlen.LIBCMT ref: 00E18E80

IsIconic.USER32 ref: 00DE82D7
SetWindowTextW.USER32(00000000,?), ref: 00DE82F7
SetWindowTextA.USER32(00000000,00000000), ref: 00DE8315

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: 58d244ea2c1cac46ecf0e9f3d26d0403de42488218e224dd73e26c76ffb87c3e
Instruction ID: 729c6033ea1606953346c523b76e1d7a0b035e8560aec71462e6ede23c152580
Opcode Fuzzy Hash: 58d244ea2c1cac46ecf0e9f3d26d0403de42488218e224dd73e26c76ffb87c3e
Instruction Fuzzy Hash: FA01FEF2904184BFEA106B23BD85F3737A9D700701F080465F9057A162EF214D58D6A5

Function 00DE8330 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E18E70: _strlen.LIBCMT ref: 00E18E80

IsIconic.USER32 ref: 00DE8387
SetWindowTextW.USER32(00000000,?), ref: 00DE83A7
SetWindowTextA.USER32(00000000,00000000), ref: 00DE83C5

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: 9773860a83237f74af240cbcb09bbfeff90801f2e486c550246c37ccb470fa29
Instruction ID: 56c8fc78a7eccd19aaeed80a39f7912e9c106be0c37d9f22a74be0ff31d5f0f3
Opcode Fuzzy Hash: 9773860a83237f74af240cbcb09bbfeff90801f2e486c550246c37ccb470fa29
Instruction Fuzzy Hash: B001FEF29041847FEA107B23BD46F273779D700701F080025F905BA1A2DF214D58D7B2

Function 00DF0C00 Relevance: 4.4, Strings: 3, Instructions: 655COMMON

Download Yara Rule

Strings

a == MA_MOVE, xrefs: 00DF0E91
braw == MBT_NOTHING && bcooked == MBT_NOTHING, xrefs: 00DF1103
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c, xrefs: 00DF0E8C, 00DF10FE

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$a == MA_MOVE$braw == MBT_NOTHING && bcooked == MBT_NOTHING
API String ID: 0-524279124
Opcode ID: 686ab9fa590f1752cf1bace9494cb4207c161fd6c0099c322dfcdd0469bf1c42
Instruction ID: bc453cf41c1e2369420d3dfe9730eeefdee4207e82c2b56f39488199c4e2f9fe
Opcode Fuzzy Hash: 686ab9fa590f1752cf1bace9494cb4207c161fd6c0099c322dfcdd0469bf1c42
Instruction Fuzzy Hash: 7B428275604284CFCB14CF18C4847A97BE2AB85314F1E857DEA4DAF392D7B2AC46CB61

Function 00E4C530 Relevance: 4.3, Strings: 3, Instructions: 512COMMON

Download Yara Rule

Strings

len <= pool->nw, xrefs: 00E4C719, 00E4C8AF, 00E4C8EB, 00E4C9FB
scratch.nw >= mp_mul_scratchspace_unary(inlen), xrefs: 00E4C581
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E4C57C, 00E4C714, 00E4C8AA, 00E4C8E6, 00E4C9F6

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$len <= pool->nw$scratch.nw >= mp_mul_scratchspace_unary(inlen)
API String ID: 0-1079915730
Opcode ID: 5cfedcfaaacb8abbf5179d086b8ba16015a0407411e8f1fcf5a4d56ad65a3590
Instruction ID: d46e7f9646897ece74e3b21125716df605c5edba96f4e7559d8b5cd62b959d3a
Opcode Fuzzy Hash: 5cfedcfaaacb8abbf5179d086b8ba16015a0407411e8f1fcf5a4d56ad65a3590
Instruction Fuzzy Hash: AE128D71B093019FC764DF68D490A6AB7E1FFC8704F25983EE59AA7340E775A805CB82

Function 00E4ADE0 Relevance: 4.2, Strings: 3, Instructions: 471COMMON

Download Yara Rule

Strings

low_digit < 10, xrefs: 00E4B065
x->nw < (~(size_t)1) / (146 * BIGNUM_INT_BITS), xrefs: 00E4AF0B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E4AE0C, 00E4AE62, 00E4AEA9, 00E4AF06, 00E4B060

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$low_digit < 10$x->nw < (~(size_t)1) / (146 * BIGNUM_INT_BITS)
API String ID: 0-3715311915
Opcode ID: 0161892955af1f53c47558005d2bd99f9d67309e22e10ef347f378bdf5dd6408
Instruction ID: a4ad576646b0eeb915f7e0b8a9efe1d5cd90842cdef7aa860527e88a4acb1839
Opcode Fuzzy Hash: 0161892955af1f53c47558005d2bd99f9d67309e22e10ef347f378bdf5dd6408
Instruction Fuzzy Hash: 71F18A71A443059FC714DF28DC91A6AB7E1EF91304F09913DE899AB392EB32EC15CB91

Function 00E6B0C0 Relevance: 4.2, Strings: 3, Instructions: 443COMMON

Download Yara Rule

Strings

part.ptr, xrefs: 00E6B32A, 00E6B55A
i < bt->nparts, xrefs: 00E6B2FF, 00E6B53D
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/openssh-certs.c, xrefs: 00E6B2FA, 00E6B325, 00E6B538, 00E6B555

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/openssh-certs.c$i < bt->nparts$part.ptr
API String ID: 0-3871387655
Opcode ID: 36ea6c03377f92a864fcc279d1c561ba8d1cd1a64665f8b8f45192ba2fc0146e
Instruction ID: a6be720125e735a3572f7a381cfed035b8bd22228fc3c8a32abae34b98e737e3
Opcode Fuzzy Hash: 36ea6c03377f92a864fcc279d1c561ba8d1cd1a64665f8b8f45192ba2fc0146e
Instruction Fuzzy Hash: A7F1B471A443009FC710DF18E89166EB7E2FF84348F15982DE999A7352E732ED95CB42

Function 00E6B780 Relevance: 4.0, Strings: 3, Instructions: 213COMMON

Download Yara Rule

Strings

part.ptr, xrefs: 00E6B96A
i < bt->nparts, xrefs: 00E6B94D
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/openssh-certs.c, xrefs: 00E6B948, 00E6B965

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/openssh-certs.c$i < bt->nparts$part.ptr
API String ID: 0-3871387655
Opcode ID: 09a57640a5914a15da3c2799731b0014780e6abcd8a2de1b03633728ee3df0dc
Instruction ID: 1f46fe3c01cee17e3570a993aac49bcb627eaf48f1aaf4899bbe9c0022849ab7
Opcode Fuzzy Hash: 09a57640a5914a15da3c2799731b0014780e6abcd8a2de1b03633728ee3df0dc
Instruction Fuzzy Hash: 53711271A443049FC714EF18E881A6BB7E5EFC4344F15882DE989A7312E732EC91CB82

Function 00DF76B0 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

tmpsize <= INT_MAX, xrefs: 00DF7817
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c, xrefs: 00DF76D4, 00DF7769, 00DF7812
col >= 0 && col < line->cols, xrefs: 00DF76D9, 00DF776E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$col >= 0 && col < line->cols$tmpsize <= INT_MAX
API String ID: 0-1128092879
Opcode ID: be7e059097deb9b0943784dcbc0198a1c3ec9d6f6bb9342492cd615ea14e2671
Instruction ID: 195f3a3a7a94b88dec6d283a52c6930b6891e5bfdea6e97f3a59b5ba35e589ba
Opcode Fuzzy Hash: be7e059097deb9b0943784dcbc0198a1c3ec9d6f6bb9342492cd615ea14e2671
Instruction Fuzzy Hash: C9519B75A047098FD724DF18E880BA6B7F2BFC0704F0A892DD65A57761EB70F909CA61

Function 00E35590 Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000), ref: 00E595F2
FindClose.KERNEL32(00000000), ref: 00E59609
FindWindowA.USER32(Pageant,Pageant), ref: 00E5961D

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Find$CloseFileFirstWindow
String ID:
API String ID: 2475344593-0
Opcode ID: e755f7cf29e0859cd98d3c2032b3b61f608a85770c0cb206f6b9c38c6e7be484
Instruction ID: 781561d33ca4800d206fdabca55404ccfc36b611c4da19a4e14c6994a9ded047
Opcode Fuzzy Hash: e755f7cf29e0859cd98d3c2032b3b61f608a85770c0cb206f6b9c38c6e7be484
Instruction Fuzzy Hash: BFF0C871A011409BC621A739FC46AEA37A5DB86322F141439FD5AAB291E7244809D2A2

Function 00E5AB50 Relevance: 3.0, Strings: 2, Instructions: 520COMMON

Download Yara Rule

Strings

!dctx->outblk, xrefs: 00E5AB71
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/zlib.c, xrefs: 00E5AB6C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: !dctx->outblk$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/zlib.c
API String ID: 0-91873693
Opcode ID: 0705d8de5a45883be5f3ba6b7a98d5cc0a778ce969d036e5dd300b2cc242306b
Instruction ID: 2bf4ce21304bea9111c9bcc2813d18a52147e63a4f0facc770aaa6117a93551d
Opcode Fuzzy Hash: 0705d8de5a45883be5f3ba6b7a98d5cc0a778ce969d036e5dd300b2cc242306b
Instruction Fuzzy Hash: 8612AD719046108BCB24CF18C4983A5B7A6FF84315F14DABDDCD9AB389DB349C4A9FA1

Function 00DE83E0 Relevance: 3.0, APIs: 2, Instructions: 18windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00DE83EB
ShowWindow.USER32(00000006), ref: 00DE8405

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: IconicShowWindow
String ID:
API String ID: 3061500023-0
Opcode ID: f3e86e5f7c9be08428698ac7cd07f63b475ac5168747adca1b2c748c969215f7
Instruction ID: 0a14a45dee6d5df8c206b43e5af41041f0d48798548add05ea1632b22f3cefac
Opcode Fuzzy Hash: f3e86e5f7c9be08428698ac7cd07f63b475ac5168747adca1b2c748c969215f7
Instruction Fuzzy Hash: 31D012602451C15FFB116B33FD64B663B9AEB11310F0C4425F9C99A1F0DF118C18F625

Function 00E51020 Relevance: 3.0, Strings: 2, Instructions: 487COMMON

Download Yara Rule

Strings

len <= pool->nw, xrefs: 00E510D3, 00E5117D, 00E511BF
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E51074, 00E510CE, 00E51178, 00E511BA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$len <= pool->nw
API String ID: 0-1244525610
Opcode ID: 8b925e6296416f4155b8d3e4e2195f220cf56e2598fd745887e515c81bfc40b7
Instruction ID: aa868aecc83dfb89359af1125dcf3a35b4d64ee94bebbe97d9e78e54e4f95f3e
Opcode Fuzzy Hash: 8b925e6296416f4155b8d3e4e2195f220cf56e2598fd745887e515c81bfc40b7
Instruction Fuzzy Hash: A702CF72A043009FC714DF28D881A6AB7E1FF88304F15996DEDAAA7351E731ED45CB82

Function 00E5E480 Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/rsa.c, xrefs: 00E5E51B
h->hlen <= MAX_HASH_LEN, xrefs: 00E5E520

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/rsa.c$h->hlen <= MAX_HASH_LEN
API String ID: 0-3344380525
Opcode ID: 087ff34c7c73c0da8331df05d858227d063c14deffad6f63365a0cdae60131cf
Instruction ID: 8e9bf92e12f1ca6509876dabd98246889b4ca990bae12e353f8a9ac860db11b8
Opcode Fuzzy Hash: 087ff34c7c73c0da8331df05d858227d063c14deffad6f63365a0cdae60131cf
Instruction Fuzzy Hash: 1B4108705083449BCB19EF24D845A6BBBE0AF85319F48886DF8D95B343E631EA18CB57

Function 00E65280 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/ecc-ssh.c, xrefs: 00E65298
ek->curve->type == EC_EDWARDS, xrefs: 00E6529D

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/ecc-ssh.c$ek->curve->type == EC_EDWARDS
API String ID: 0-1731990543
Opcode ID: d2fe46a6ac8f5eff95155f6c139092a6f8f7db4d72e8450b10321836f616d4c7
Instruction ID: 224dfa73445014b439714f5f1a0c8006d229fee542be426b93404b20082aa357
Opcode Fuzzy Hash: d2fe46a6ac8f5eff95155f6c139092a6f8f7db4d72e8450b10321836f616d4c7
Instruction Fuzzy Hash: 8531AFB6900200AFDB10AF54EC42C6ABBE5EF54318F095468F94867323E732AD60CB92

Function 00E649A0 Relevance: 2.6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/ecc-ssh.c, xrefs: 00E649B5
hash.len >= curve->fieldBytes, xrefs: 00E649BA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/ecc-ssh.c$hash.len >= curve->fieldBytes
API String ID: 0-3091655099
Opcode ID: 5237f41cddcab32a3839f5ab3d7fca14ff84cbe22289870883a3fbde3ce1c48f
Instruction ID: 0f68596a08433b4464bb844bd6448df72f418db56e3b2a3443c4e1f25b42ab2b
Opcode Fuzzy Hash: 5237f41cddcab32a3839f5ab3d7fca14ff84cbe22289870883a3fbde3ce1c48f
Instruction Fuzzy Hash: A1F0A9F2A8161177D210AA54BC82F6AB399FF51369F092235F514B33C1E3519D1582EA

Function 00E4A560 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

x0->nw == x1->nw, xrefs: 00E4A580
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E4A57B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$x0->nw == x1->nw
API String ID: 0-3722340996
Opcode ID: 3750ad4a9790d2cfebdedc9bb779f7f301a51d452738e6935592e43a8f996ed9
Instruction ID: 3256e9660c04d1558aa2dbc0719b5f43be607de59275a0960a93eb7970c6de66
Opcode Fuzzy Hash: 3750ad4a9790d2cfebdedc9bb779f7f301a51d452738e6935592e43a8f996ed9
Instruction Fuzzy Hash: 7C0162B5A40601AFD324CF18D581E27F7F1FF9A310F185529D455A7341C331E851CA92

Function 00E67310 Relevance: 2.2, APIs: 1, Instructions: 654COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E67330

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: c221e1240efcfe6fe149ebb607b7486d9b7e9b8bda94da2e5253d84f57741dd0
Instruction ID: 7a0a04b73f8f333c087d99b57c9ec169e2bcdafe449bf57c369b02e68582390f
Opcode Fuzzy Hash: c221e1240efcfe6fe149ebb607b7486d9b7e9b8bda94da2e5253d84f57741dd0
Instruction Fuzzy Hash: D522B0329083119BD714CF29C84166BB7E1FFD4748F169A2EE9C8A73A1E774D854CB82

Function 00E7CCF0 Relevance: 2.0, Strings: 1, Instructions: 713COMMON

Download Yara Rule

Strings

gj, xrefs: 00E7CEFF

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 59444d6e0fb3e18773f7e81362f588e491ce47b89901edf7a169d0a5bd47b2b9
Instruction ID: 10c1312e3a7ec94ac69735767cbd576d3430eaed15852ca5584ede2a52b47a40
Opcode Fuzzy Hash: 59444d6e0fb3e18773f7e81362f588e491ce47b89901edf7a169d0a5bd47b2b9
Instruction Fuzzy Hash: 4072ADB1A093408FC758CF29C490A5AFBE2BFC8314F59892EE5D9D7351DB71A8548F82

Function 00DECFE0 Relevance: 1.9, APIs: 1, Instructions: 437timeCOMMON

Download Yara Rule

APIs

GetCaretBlinkTime.USER32 ref: 00DED553

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: BlinkCaretTime
String ID:
API String ID: 1096504186-0
Opcode ID: 3d7febec27684c3a2c80b9ac9289bebc45e44bcc847ad95095b46e1bb6acd958
Instruction ID: f9165038558efdec907362d85cff4b302e0e453594fd3a62524bc0aa548a6256
Opcode Fuzzy Hash: 3d7febec27684c3a2c80b9ac9289bebc45e44bcc847ad95095b46e1bb6acd958
Instruction Fuzzy Hash: 74F1B571D0C3C46AEB316F24AC02BDE7FA25F51708F085069FDCD5E293E6B25A948762

Function 00DF6630 Relevance: 1.9, APIs: 1, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2c67cfb6af96f1b9f51b35b2399753d38b37bfdf34bb631e07d1cadfdce137
Instruction ID: 0c7b6653392cb568936fec0b362e1cee4d177ba0b8918cb004009a6b5fdf702e
Opcode Fuzzy Hash: 3b2c67cfb6af96f1b9f51b35b2399753d38b37bfdf34bb631e07d1cadfdce137
Instruction Fuzzy Hash: 92E1C071A083459FCB24DF24C4407AABBE1AF95304F1AC82DE6DA57781D770EC95CBA2

Function 00E68530 Relevance: 1.9, APIs: 1, Instructions: 361COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E686CA

Part of subcall function 00E67170: __aulldiv.LIBCMT ref: 00E67190

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 0dfb7d546fa8ebffab90e7544544a0985cf5ae635acd2309cb01c88852e09a1f
Instruction ID: 473ed6bb420bbade68183e444d39f0c74a7b797ccf03ea9c47baf015570d7cbc
Opcode Fuzzy Hash: 0dfb7d546fa8ebffab90e7544544a0985cf5ae635acd2309cb01c88852e09a1f
Instruction Fuzzy Hash: B8B129B2A443006BD310AF64AC42B2BB7D8AF94754F55643DFD48A7383FA71ED1483A2

Function 00E69460 Relevance: 1.8, APIs: 1, Instructions: 262COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E695F9

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 0c0a339ecaf5f6ea1408e78e5c8d3d179d48d216df42d812d4549f7b80bb0f68
Instruction ID: 9d35f898669665211830416695e9adc7263165595d60fe510c159fc40b7edbcf
Opcode Fuzzy Hash: 0c0a339ecaf5f6ea1408e78e5c8d3d179d48d216df42d812d4549f7b80bb0f68
Instruction Fuzzy Hash: AC7132326443119BC314CF29DC8162AB3E5FF94754F09A53CE88AEB392E735E816C792

Function 00E691D0 Relevance: 1.7, APIs: 1, Instructions: 243COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E691EC

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 0e8b128f51106cfb461fa419b2342d1575e2a1ddf9a9317553ff1bf96385394e
Instruction ID: b8dd71045442582d7b1e489f3665a24805ccf8307730355d2ef4b9cda225f20d
Opcode Fuzzy Hash: 0e8b128f51106cfb461fa419b2342d1575e2a1ddf9a9317553ff1bf96385394e
Instruction Fuzzy Hash: 9F611832A443056BC314DE2DDD8275AB7E8EF94310F45A529F888EF3A2E634EC10C786

Function 00E68FA0 Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E69126

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: dcdba2266a357405097232b7f2ff15aa1328be8400da998dbbcdbf752fe7a473
Instruction ID: 684d2a2dda85f0713bbc8e9d163e28d9fd2d22cc3d4f531480f9b102e511bf45
Opcode Fuzzy Hash: dcdba2266a357405097232b7f2ff15aa1328be8400da998dbbcdbf752fe7a473
Instruction Fuzzy Hash: 7F510172658301ABC304DE29DC81A2BB3E6FFD4354F58E52CE445E7296EB35E821C742

Function 00DF2D51 Relevance: 1.7, APIs: 1, Instructions: 210timeCOMMON

Download Yara Rule

APIs

GetCaretBlinkTime.USER32 ref: 00DF299A

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: BlinkCaretTime
String ID:
API String ID: 1096504186-0
Opcode ID: 6ebeb9f26d09709bfbaf8425468844f3ec62524d0702d5591b7d9f8f4f7caa55
Instruction ID: 25a3cfbbcf4823842b2fd2f90a9f9d5c36947a411b788d1b7907e289d76479b7
Opcode Fuzzy Hash: 6ebeb9f26d09709bfbaf8425468844f3ec62524d0702d5591b7d9f8f4f7caa55
Instruction Fuzzy Hash: B391B6705087488FD720CF34C4847BBBBE1AB86314F1A8D2DE6EA572D1D7B5A984CB61

Function 00E9AF52 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97BC4: HeapAlloc.KERNEL32(00000008,?,?,?,00E951E0,00000001,00000364,?,00000006,000000FF,?,00E8F413,00000003,?,?,00E1B569), ref: 00E97C05

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9B0F3
FindNextFileW.KERNEL32(00000000,?), ref: 00E9B1E7
FindClose.KERNEL32(00000000), ref: 00E9B226
FindClose.KERNEL32(00000000), ref: 00E9B259

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 0e7c7f3ab4b94688bef70e58796e7508497f87de76b83b0a04d7aa302c3f3c45
Instruction ID: a704d3b842b31640b2c6219a8cc0f646f900ac383df5af5b74a770d04fe8b0b1
Opcode Fuzzy Hash: 0e7c7f3ab4b94688bef70e58796e7508497f87de76b83b0a04d7aa302c3f3c45
Instruction Fuzzy Hash: 815157B1A00108AFDF209F28ADC5AFFB7B9DF45318F1861A9F419B7201EB309D459B60

Function 00E4E410 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E4E455, 00E4E513, 00E4E548, 00E4E5C6

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c
API String ID: 0-3035396574
Opcode ID: e5bb88d5b675aa58e8f40dfbe40ac1624833745324f68fb3f7fc97bbcfc0b258
Instruction ID: 1c25fcc4f29e912f239fbac77c3275185c750cd220ef283f62c699fd9c6b7efc
Opcode Fuzzy Hash: e5bb88d5b675aa58e8f40dfbe40ac1624833745324f68fb3f7fc97bbcfc0b258
Instruction Fuzzy Hash: 60E1B072A04210ABD711DF54EC42B6AB7E5FF95304F0A9429F9486B342E731ED05CBE2

Function 00DF9500 Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00DF975E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 3f5d2bdb8c8232ff470ee00a977f480a696e89261a25d131e94d3e29b8ac426a
Instruction ID: d96411797e0f5219a030a9629a93df4ae20996c963960632984a8db95f49c2b9
Opcode Fuzzy Hash: 3f5d2bdb8c8232ff470ee00a977f480a696e89261a25d131e94d3e29b8ac426a
Instruction Fuzzy Hash: C75168B4D00B884AC3368B3498987F3FAD19F52318F1D8A6DE5EF533A6D6706584CB61

Function 00E80735 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E8074B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c5246e8be167aa8ceea500c339ce4e225c39bf861986f515eccd527144b9a0ac
Instruction ID: a5a36b4425ed4533df829482c9670d61d1037986696d10f0a65e671ff5e39e52
Opcode Fuzzy Hash: c5246e8be167aa8ceea500c339ce4e225c39bf861986f515eccd527144b9a0ac
Instruction Fuzzy Hash: FA518F72A01609CFEB18CF56D8C56AAB7F4FB84318F14842AD519FB251D375AA48CF50

Function 00E84D17 Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 00E84EA5

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2adcba9fc49256537c904031bde1ee6752f52f2d181636fc0c7599363eef38af
Instruction ID: 9f1c76136b3011a94b9dfd8e6d0e78c7c4067f7fe56fa42b97d8f0aa1253b3da
Opcode Fuzzy Hash: 2adcba9fc49256537c904031bde1ee6752f52f2d181636fc0c7599363eef38af
Instruction Fuzzy Hash: 0CC1BDB0600A478FCB24EF68C4906BABBF1FB45318F146A1DD59EBB2D1C731A945CB91

Function 00E9A81E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9A872

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 59fa6dfcc42d72ec15e3b466435ad517a3842c43b2dc4beb9393aa899d894ca7
Instruction ID: 2bf621dcd5f41bec41f99e2b3ddbbdb4ac7836d29141ec5564e63f31a19e8705
Opcode Fuzzy Hash: 59fa6dfcc42d72ec15e3b466435ad517a3842c43b2dc4beb9393aa899d894ca7
Instruction Fuzzy Hash: 5521D372600206ABDF2CAF25DC45ABA73E8EF44304B14607AFD06E6140EB74ED02DB91

Function 00E9A4D1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

EnumSystemLocalesW.KERNEL32(00E9A56C,00000001,00000000,?,-00000050,?,00E9A35B,00000000,-00000002,00000000,?,00000055,?), ref: 00E9A543

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ebd406390fad9019f37c6cae6fa785c6496b6a2eaf75418b8c05b695ee8837de
Instruction ID: 7cf7d919ba3c6624981d3889457caf96a9942f203fdda02952fe8419e4d54d3b
Opcode Fuzzy Hash: ebd406390fad9019f37c6cae6fa785c6496b6a2eaf75418b8c05b695ee8837de
Instruction Fuzzy Hash: F711253B2007019FDF189F39C8916BAB7A2FF80318B19443DE98797A40E371A902CB80

Function 00E9A93E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9A992

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 317b171dcf67c8b9cc2b0f074e94b92929bbf2a918ddb063a442c2e42f042c1d
Instruction ID: 1d6b4d77c0a023e5be201518f12f8ec74b79ce88e5940f36903e1ab7624f3a13
Opcode Fuzzy Hash: 317b171dcf67c8b9cc2b0f074e94b92929bbf2a918ddb063a442c2e42f042c1d
Instruction Fuzzy Hash: 6E11A372611506ABDF14AF24DC42ABA77ECEF45314B14607AF905EB241EB78ED04C791

Function 00E9AAEB Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E9A788,00000000,00000000,?), ref: 00E9AB17

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0476c623ce34f9681d1b4dd73688dc26b6633055b54fe761b8341af8160a7a2f
Instruction ID: 5d2a305031ff6f808a7129620c9260dcd8354c91d6fcad63a6dcda682411ac32
Opcode Fuzzy Hash: 0476c623ce34f9681d1b4dd73688dc26b6633055b54fe761b8341af8160a7a2f
Instruction Fuzzy Hash: 68F08132640116ABDF28AA258C05BFA77AAEF80758F195439EC06B3280FA74FD41C6D1

Function 00E9A7BF Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

EnumSystemLocalesW.KERNEL32(00E9A81E,00000001,?,?,-00000050,?,00E9A31F,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00E9A809

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 78f617d52723748cfcfdef00707b449c3577015bef8223c4c80b3d89fba7aebf
Instruction ID: 651c87cb16db80fef0940fa0fc1852ac00cd3fc8a5513f1e86995ff5214b5696
Opcode Fuzzy Hash: 78f617d52723748cfcfdef00707b449c3577015bef8223c4c80b3d89fba7aebf
Instruction Fuzzy Hash: 8BF0F6363003045FDF245F759885A7A7BE1EF8036CF09843EF946ABA80D6B19C42C790

Function 00E94EC5 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00E94FB3: EnterCriticalSection.KERNEL32(?,?,00E963A5,00000000,00EE1B50,0000000C,00E9635D,?,?,00E97BF7,?,?,00E951E0,00000001,00000364,?), ref: 00E94FC2

EnumSystemLocalesW.KERNEL32(00E94EB8,00000001,00EE1A50,0000000C,00E9461C,-00000050), ref: 00E94EFD

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 19450c7600f559c17ba5346243745e21e545393d61e5d912c9384f7519bf5a60
Instruction ID: cb3ae2a18d6dc366d4698a8cacbaa985c9da1b91f3195b41a644ab2ce05044cb
Opcode Fuzzy Hash: 19450c7600f559c17ba5346243745e21e545393d61e5d912c9384f7519bf5a60
Instruction Fuzzy Hash: C2F04976A45208DFDB00EF99E842B9C77F0FB44760F10A12AF915EB2E0CB7549058F40

Function 00E9A8F3 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E95042: GetLastError.KERNEL32(?,?,00E879D8,?,?,?,?,00E8FBB7,00E8FB84,?,?,?,?,?,00E8FB84,?), ref: 00E95046
Part of subcall function 00E95042: SetLastError.KERNEL32(00000000,00E8FB84,?,?,?,?,?,00E8FB84,?,00000000,?,00000003,00E8348B), ref: 00E950E8

EnumSystemLocalesW.KERNEL32(00E9A93E,00000001,?,?,?,00E9A37D,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00E9A92A

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0bc937ef12ef8d36442ba8e9941fc91c663f5d89475bdb9863bf8a1154683de2
Instruction ID: 832da7b21f5d3c639ddb8ff2edef8a685ddc536544d3784d9f45a286d47351ba
Opcode Fuzzy Hash: 0bc937ef12ef8d36442ba8e9941fc91c663f5d89475bdb9863bf8a1154683de2
Instruction Fuzzy Hash: 26F0553A30020557CF049F39E80566ABFA0FFC1718B0B4069EE099B280D6729C43C790

Function 00DEA960 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00DEA978

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: KeyboardState
String ID:
API String ID: 1724228437-0
Opcode ID: dd8768b75ecc4926a1ac64899c306d501ac3edf7f375cd95c6c2cec982d41436
Instruction ID: c12e30d92cfa24f1bbce37f69fa501298f747e882478b510ebe7257f8669f824
Opcode Fuzzy Hash: dd8768b75ecc4926a1ac64899c306d501ac3edf7f375cd95c6c2cec982d41436
Instruction Fuzzy Hash: FBE02BB03442C15FD7219B3EDC857973BE05719300F481429E5CD8A141C228A088D753

Function 00E94777 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00E8DBE5,?,20001004,00000000,00000002,?,?,00E8CAF8), ref: 00E947AB

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fd706a648631322aecaf4f64eacc2a0ebaad610882352e4ebe60dd9fdbf728df
Instruction ID: 8093eeb7e500fe2e9b133bb1d6092ae6dc68430edad46da7f8e7fccea40fb3e0
Opcode Fuzzy Hash: fd706a648631322aecaf4f64eacc2a0ebaad610882352e4ebe60dd9fdbf728df
Instruction Fuzzy Hash: 52E04F7150121CBBCF126F61EC04F9E7F66EF447A0F144422FD09B61A1CB318D22AA94

Function 00E8050E Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000A0635,00E7FF9D), ref: 00E80513

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 63056e1e78408a231ad0463935b4ce7eeeec8c0db2d25a6b04219d02fcb2f163
Instruction ID: cc72ff920de209a081f0634b76e2772f2a6da6053237ae1ded2453f0fe60fb27
Opcode Fuzzy Hash: 63056e1e78408a231ad0463935b4ce7eeeec8c0db2d25a6b04219d02fcb2f163
Instruction Fuzzy Hash:

Function 00E2A2E0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

Yf, xrefs: 00E2A2E1

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: Yf
API String ID: 0-2573146275
Opcode ID: ac559af331e5c0234fc12279f4417870171d1caab3c372bfe0a43dd5921a4ce7
Instruction ID: 686204b2b591aad62ce3cdb547b08f5690c32f93ee45d21649311fb1be0f2daa
Opcode Fuzzy Hash: ac559af331e5c0234fc12279f4417870171d1caab3c372bfe0a43dd5921a4ce7
Instruction Fuzzy Hash: 4431C6F1900200A7DA217A31BC06B9A76F85F4530AF1C3438F62BBA152FA71F951965B

Function 00E7D7B0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

}, xrefs: 00E7D7BB

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4269614235
Opcode ID: e629387ad27f40750ed1eccc4289162585d5b74bf1f39658a89ea17cafb77f17
Instruction ID: cffb3679fcddfe0282e24d22181b18eeab6724e5f97b10162a7a256409d7ca3c
Opcode Fuzzy Hash: e629387ad27f40750ed1eccc4289162585d5b74bf1f39658a89ea17cafb77f17
Instruction Fuzzy Hash: 7C4127A6ACB1D24AC7170B3888302A1BF61AC6B20E36E69DCCEC91E717D0177594F761

Function 00E50D20 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E50D54

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c
API String ID: 0-3035396574
Opcode ID: af81bd0a1935ed05a007ebf39092c3d827c79c5e39cd9c4bbb5b40b40f2d3b45
Instruction ID: 9534a99e503f4a63df25cb14b4d228465aa1af4753b825420dd182eb9f49a7ee
Opcode Fuzzy Hash: af81bd0a1935ed05a007ebf39092c3d827c79c5e39cd9c4bbb5b40b40f2d3b45
Instruction Fuzzy Hash: E931D276A083088FD714DE90C84166AB3A1FBD5305F19982DED897B341EA32FD058B91

Function 00E50C00 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00E50C35

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c
API String ID: 0-3035396574
Opcode ID: d9460c358da6bf19a7b88e6fd8a0b68b36d22c6d45c6c3fbc5d739251faae92f
Instruction ID: 9ad11994db65856a50cbc972d6ace84c3b09b059fbc0f19194b836085047d6d0
Opcode Fuzzy Hash: d9460c358da6bf19a7b88e6fd8a0b68b36d22c6d45c6c3fbc5d739251faae92f
Instruction Fuzzy Hash: CE31D476A043098FD320DE50D88076AB3E1FBCA315F199929ED997B341E771FC098B91

Function 00E44A90 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

file format error, xrefs: 00E44A92

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: file format error
API String ID: 0-2250856019
Opcode ID: 9bb332b9a8fba8480f6ead0e90ddd2b0e9326020f2db24afd206d5456fd8f8ab
Instruction ID: e2a78631d25b976e4fb4454749b1ec51c3f0d97af2b546839fc751cd3bb302d4
Opcode Fuzzy Hash: 9bb332b9a8fba8480f6ead0e90ddd2b0e9326020f2db24afd206d5456fd8f8ab
Instruction Fuzzy Hash: D1F0F6B67C82080AC738295C78817E3F395B71231CE2A3037D195621C1F1069C86A24E

Function 00E94FE1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00E94FE1

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 8f338adf9379de3ac7e504aaa3c3fe64ceadb976a80f2a5747e2593a40789848
Instruction ID: a4219ac59e9e901f123a9b68e337a7668c98a8940560f0338675082fd235dd7d
Opcode Fuzzy Hash: 8f338adf9379de3ac7e504aaa3c3fe64ceadb976a80f2a5747e2593a40789848
Instruction Fuzzy Hash: C6A00171602645CF97808F37AE8930E3ABAAF556A5B05847BA506EA270EA3484589F05

Function 00E6EA90 Relevance: .9, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d0734947055704cdfe7d54bf8a3df0cc3e2e7c628da723240298f4e5b72f8f
Instruction ID: 9cfbfc3480245f7a63c4677492c67f5f7ebfd423538976f32a31a6bfb1c00187
Opcode Fuzzy Hash: d2d0734947055704cdfe7d54bf8a3df0cc3e2e7c628da723240298f4e5b72f8f
Instruction Fuzzy Hash: 228227759053198FC320DF4DC880615FBE5FF88328F6AC4AD95989FB12D6B2E9578B80

Function 00E60290 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff6d6ebad1de93d4fb899774bc8d86f44fb2af04758c1128e088ca6925addad
Instruction ID: 48c038b93e3547a2feb18e7b6c3be716d67fa2a7027efdb083b1f2f768a76169
Opcode Fuzzy Hash: 4ff6d6ebad1de93d4fb899774bc8d86f44fb2af04758c1128e088ca6925addad
Instruction Fuzzy Hash: 7912BFB07083648FD341EF6EC89052ABBE2EF89601F56492DF6C987352DA31EC15DB91

Function 00E1B790 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2804403c51e157750d2287fcde7dd57b8ed0e5a056311132beea16f5df39e9
Instruction ID: a58915a24c5be83b57903b762120d817a777c7da978247997c472c6fe4f6710d
Opcode Fuzzy Hash: 7f2804403c51e157750d2287fcde7dd57b8ed0e5a056311132beea16f5df39e9
Instruction Fuzzy Hash: 57325974600A05CFCB28CF18C094AA6B7E1FF88328F55976DE99A5B395D731E891CF81

Function 00E1AA30 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8820abe9917a3755acaa4d9d7a529a287d16d09bae990d03a838faf14c8a11fe
Instruction ID: fdf66e6c17666b8d1c660239c39621144be6eec813f52182c29f2bbca3d849cd
Opcode Fuzzy Hash: 8820abe9917a3755acaa4d9d7a529a287d16d09bae990d03a838faf14c8a11fe
Instruction Fuzzy Hash: 5932F1B4605705CFC728CF19C190AA6BBF1BF88314F158A6EE89A9B751D730E984CF91

Function 00E7C3E0 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6be8728cb8a89f28ee04139a1c4ea38e8ac4e48364bdf866797d308e5c7f70
Instruction ID: 198cde8707be1888393f52598aee0d96e773e70ed71d54a9764dca8c589d5339
Opcode Fuzzy Hash: 9f6be8728cb8a89f28ee04139a1c4ea38e8ac4e48364bdf866797d308e5c7f70
Instruction Fuzzy Hash: 2EE15E739093248BC324DF59D88029AF3E5AF88718F5B8A3DDD99E7302D675AD108BC5

Function 00E5B03E Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd3305adc2a007d167d7da54f5c21be61846b74f5b6b5c3a23b688c541d96e7
Instruction ID: 7c8bb3c2988a62d11a11208dd13dbbdb0779a4356f67436617f08290ad078b22
Opcode Fuzzy Hash: 1dd3305adc2a007d167d7da54f5c21be61846b74f5b6b5c3a23b688c541d96e7
Instruction Fuzzy Hash: 70E1A0719046118BCB64CF18C498365B7A2FF85315F18DABDCCD9AB389DB349C4A9FA0

Function 00E5B182 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0288a1cb3ecaeabd2afdb9ba1818804c1a5a7231770911cc24a8f79cc4c69c
Instruction ID: 6a9932f3371ef48cc86ae1a8fd2bd3fa6e4bc3e94810b26bbb6ef8a51ff683fc
Opcode Fuzzy Hash: 9d0288a1cb3ecaeabd2afdb9ba1818804c1a5a7231770911cc24a8f79cc4c69c
Instruction Fuzzy Hash: C4D1AF719046108BDB64CF18C498365B7A2FF85325F18DABDCCD9AB389DB349C499FA0

Function 00E5B124 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4227aa01d4e8edb5abc8114425cee4d5144688959f4ebabf7bd46acbddff7473
Instruction ID: ca07b9d390f2cf287df4d8c6a40233b9968905aef5a68fb2ffe25ce3fdef3307
Opcode Fuzzy Hash: 4227aa01d4e8edb5abc8114425cee4d5144688959f4ebabf7bd46acbddff7473
Instruction Fuzzy Hash: 9DD1A0719046108BDB68CF18C498365B7A2FF85315F18DABDCCD9AB389DB349C499F90

Function 00E7F010 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4178b5f71b7756472f00e99153e920b9a867c1c5bba99cc34d7a6912b3e681d
Instruction ID: 8a7191e63aee49e44683e8ef302122aeeb61e309a40a5f016ead61f87e1d97bd
Opcode Fuzzy Hash: e4178b5f71b7756472f00e99153e920b9a867c1c5bba99cc34d7a6912b3e681d
Instruction Fuzzy Hash: 5BB125E6C0AFA94BEB135B3E9C83252B750AFF3294B10D357FCB476A16E711E4546210

Function 00E62740 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7c875ac8f70ad859d41b4c70a3371b2fc8576a980b0bdb0ec995c59c175dbd
Instruction ID: 1b0edd3aa3861b58cd8371f8a11309463d1c08c11cce11608c163f9b34609f9c
Opcode Fuzzy Hash: ba7c875ac8f70ad859d41b4c70a3371b2fc8576a980b0bdb0ec995c59c175dbd
Instruction Fuzzy Hash: 86B1ADB29083059FC350CF19D88051AFBE1FFC8764F16991EE998A3711D770E9598F86

Function 00E60E80 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5a8f3007a41d3d33de8c5df0b5e72247f97b1d62a58ccddc8d3e70d20f8169
Instruction ID: 05d6f68574f5e08432f4170867bb4c2367dec6bddf59a35774b18534491a6846
Opcode Fuzzy Hash: 8c5a8f3007a41d3d33de8c5df0b5e72247f97b1d62a58ccddc8d3e70d20f8169
Instruction Fuzzy Hash: 59A15F71A10952ABC35ACF1DC894BB5B3A1FB44309F8A8339DE4557288CB39B935CBD4

Function 00E4CDA0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0e31248eaea0a72590c8a547e3e25e9a676ee398c6ef109200351d7e7a9fc6
Instruction ID: 228932f753e95376c3242d8133a3a20f9895ddb52adc06b2e93061ef2761c5b6
Opcode Fuzzy Hash: ed0e31248eaea0a72590c8a547e3e25e9a676ee398c6ef109200351d7e7a9fc6
Instruction Fuzzy Hash: B171D632B197159FCB58CE18E880279B3A3FB84714F6A9628DD5AAB345D735BC118BC0

Function 00E5E7B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ae7d543425d7bc7b0a1442678e6ad74497c8409410614f4b2b969f61587c1c
Instruction ID: 10f66bf67888ae5d41bfb30860449f9d6f1976019800fab17a2e3c03dd931160
Opcode Fuzzy Hash: e7ae7d543425d7bc7b0a1442678e6ad74497c8409410614f4b2b969f61587c1c
Instruction Fuzzy Hash: 64410377E083280BCB549EA494D13A6B3C2DBD5225F0F4A6DDDD977382D9749D088AC0

Function 00E5ED20 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a61990e114109ba1b23dfc594da9a6387648e28800b994b4ac4bc7194045e12
Instruction ID: 339d0598798e7126db5a75dd067319675b94f8aaf74a72aa3201297b49d7a4ac
Opcode Fuzzy Hash: 9a61990e114109ba1b23dfc594da9a6387648e28800b994b4ac4bc7194045e12
Instruction Fuzzy Hash: 4B51C1B6D083294BCB149EB4D4D1357F3D1EBD5221F1A8A2DDDD963782E6709D148AC0

Function 00E5F5F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7785cc3aa0184434115c62d7eca0a6c16f15c7933c7a63593a273aaff8e123
Instruction ID: 4aa3e6e64713abc3c923af3e4fcdbdf770e3a2be6d94645180d92def563fa637
Opcode Fuzzy Hash: 9f7785cc3aa0184434115c62d7eca0a6c16f15c7933c7a63593a273aaff8e123
Instruction Fuzzy Hash: 1351C1B6D083294BCB149EB4D4D035BF3D1EFD5221F1A8A2DEDD963782E2709D148AC0

Function 00E4B500 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33afd40b7556a2c486a559c54b9df45d014f497368b18fb15644d947161c3498
Instruction ID: c71d99c17f92fbde21084a4171755a448587e86e93f08208c412209aabd03bc3
Opcode Fuzzy Hash: 33afd40b7556a2c486a559c54b9df45d014f497368b18fb15644d947161c3498
Instruction Fuzzy Hash: 065137329087955FD7058E38C4603AABBE29FD6324F0A869DC8E55B3D2D731E808C781

Function 00E5F2D0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3fc38cc0c9fd25fabbbe5da6bff7855542c83d62299c9ce8deeee52d80a83b
Instruction ID: 8d5b2c686dc12984ad7dfe99d9bd3d8381aa1ce554eae87fc615bdc406697433
Opcode Fuzzy Hash: 6e3fc38cc0c9fd25fabbbe5da6bff7855542c83d62299c9ce8deeee52d80a83b
Instruction Fuzzy Hash: 09510432B182454BE708DE398C5566FB7D3AFC8220F49C93DE986DB3C2DA709909C791

Function 00E6E800 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234c68cfe8ece2336072dbdab7043686b2efc9d19bbd018efce3d52afa418820
Instruction ID: 2f80ed1a3074c135ee41ce749122b7761da70c16ec364ee0311dc5e4c453cac6
Opcode Fuzzy Hash: 234c68cfe8ece2336072dbdab7043686b2efc9d19bbd018efce3d52afa418820
Instruction Fuzzy Hash: 7451E3B894430957D630EA50EC82F9BB3E8FB94348F508C38E585E73C2FA75A519C796

Function 00E3E200 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be783ffe324b07f1df1a71c37b7c1363f74cb006d23a91371ea8f3fc457359fb
Instruction ID: 22cb4cdb48902fbd20ffb19ded6a63a6b40a44c812667b410d3b6eb397a3f142
Opcode Fuzzy Hash: be783ffe324b07f1df1a71c37b7c1363f74cb006d23a91371ea8f3fc457359fb
Instruction Fuzzy Hash: D951F5F5D0060097EA216B31FC1ABD776E96F11318F081838F86FB6263FA22F565C656

Function 00E5EF30 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87daec2026c58a7f6f6ed4c406acc5ec9de37e5a01e1346cefce6c9311de8612
Instruction ID: 0ebf3e461e3a059fff7bba314abd2c5760eec3a82832f8678eb483303183fc1a
Opcode Fuzzy Hash: 87daec2026c58a7f6f6ed4c406acc5ec9de37e5a01e1346cefce6c9311de8612
Instruction Fuzzy Hash: 9941F332B182054BE30CEE398C5966AB3C3ABC4210F48C63DEA46D73C5EE709969C281

Function 00E8839B Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82f4562c825d87db9937be0d784f959c9f6ed46b2b441a05cc9ce24cb6843e9
Instruction ID: 572e14745e86ba353f6307817fd65ab4c68c7850892ffbd1f270d264388bdc69
Opcode Fuzzy Hash: b82f4562c825d87db9937be0d784f959c9f6ed46b2b441a05cc9ce24cb6843e9
Instruction Fuzzy Hash: BA517172E00119EFDF14DF99C941AEEBBB2EF88314F598059E819BB241CB349E50CB90

Function 00E5F0F0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8c27687f2a2a1e6d513315b3b28fef39b1a012a0a5b8b67139e97d7ec3cc23
Instruction ID: 0aa5dab8d7cc0f0ee9eeb06999f98e0264e75e3652ec83952582d99bc99e05ed
Opcode Fuzzy Hash: 1d8c27687f2a2a1e6d513315b3b28fef39b1a012a0a5b8b67139e97d7ec3cc23
Instruction Fuzzy Hash: 2E41F672B182514BE71CDE38CC1566FB3D2ABC8220F49C63DE956E77C2EA709915C781

Function 00E5EB30 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d709a310d6539a7ab84d22519e105320ad01ae77bd681a478ed521ebe115504b
Instruction ID: 4ddfe983664b0c172acbb108ac197e6856e14baf1a49d179050046610c3af0b1
Opcode Fuzzy Hash: d709a310d6539a7ab84d22519e105320ad01ae77bd681a478ed521ebe115504b
Instruction Fuzzy Hash: 8B41F532B1826147E31CDA3D8C1526FB6D3ABC8220B49C73DE986E77C5EA749915C381

Function 00E5E9B0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a328411ea450acdfa46a127d5aafbf676ff44268fb3cf12707548be363ce5076
Instruction ID: cadca66180335e917a5dc33b9131c2d0d0fd5f2b04a31ce94175c869a72c5d44
Opcode Fuzzy Hash: a328411ea450acdfa46a127d5aafbf676ff44268fb3cf12707548be363ce5076
Instruction Fuzzy Hash: 3841E472B1864A0BD35CED398C5926FB3839BC4210F49C63DEA46C73C6EE749969C284

Function 00E7ED80 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50003bdb07a02e770b858c6fdc365418dbff22aba5f9bae28456bee8c9994f17
Instruction ID: c73d5afdbfd3384e7eabfbf03f2d72154a8c4b413881582ba1d432a79d391314
Opcode Fuzzy Hash: 50003bdb07a02e770b858c6fdc365418dbff22aba5f9bae28456bee8c9994f17
Instruction Fuzzy Hash: A94125A5C0AF495AE713A73AA843353F6949FF3294F00DB0FFCE8729A1E321A1546350

Function 00E4ACA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75bfb6a5ddaf25dc7e6f65a198da53d4c5d53998e42a954547b0e4f2b213168
Instruction ID: 0555be8722c17d363f906f07ee0cef84f56d9927ec8142635e296dc91ea3d02c
Opcode Fuzzy Hash: f75bfb6a5ddaf25dc7e6f65a198da53d4c5d53998e42a954547b0e4f2b213168
Instruction Fuzzy Hash: F9310736F446204BD7249D6888C025A73D6EBC4374F5E873CE9AAAB3E1CA70EC51C6C1

Function 00E80CF0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 24744fe0c899f991e106c70ae5c6d466ed8b13f810d25de44566138ff0c274c2
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 36115B7720008187D6D4EAEDD4B46B7A395EBD633872D637AC04D6F7D8D122B94D9700

Function 00E1A4A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2ccc8f08e0ec712bce2c529f2f90bdef9107d7e333c5064b6f1f1585fbff83
Instruction ID: 8aadd6a30a29362859c21c1caf9b2bee32fe809ac148ccd0c7ce699d7d3593b2
Opcode Fuzzy Hash: 4f2ccc8f08e0ec712bce2c529f2f90bdef9107d7e333c5064b6f1f1585fbff83
Instruction Fuzzy Hash: 0D110AB19053414FD7218B29C4845BA77D69F8231CF2C187EE499A7292D661DCC5C717

Function 00E5F550 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ba6b249f4d17a31464f27b4a53636233d1bc198646ea041dfb49c3657d1a15
Instruction ID: 908f80e46dab8242c1c8dcbf587a4e300b0659545681603fb9942dcf8ee205dd
Opcode Fuzzy Hash: 35ba6b249f4d17a31464f27b4a53636233d1bc198646ea041dfb49c3657d1a15
Instruction Fuzzy Hash: B6116572B055204BE31CDE1B885826BF3D3EFC871171AC17FDA46972A5CEB0581586D0

Function 00E4A440 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080ed082e0d655431e00534caa2d5e3ad980a1cf8d970c01362c7349ac3004f1
Instruction ID: f80ceeeeab8377fa6288b43347d1286587a6d42315b7937cbd1df39d28de951b
Opcode Fuzzy Hash: 080ed082e0d655431e00534caa2d5e3ad980a1cf8d970c01362c7349ac3004f1
Instruction Fuzzy Hash: D4F046B2A403052FE3205E64FC86B56B7D4EBE2362F045439E984A73C1E6B0A84487E1

Function 00E2CF90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279f7eb8e6c167c4409cab0f2abcd02a44e999263011f89c71bc761125bf0a14
Instruction ID: 373bb16ade5ca0a727adf42134dcfe70622822e6dd7c88e87c376fcc5c0eda97
Opcode Fuzzy Hash: 279f7eb8e6c167c4409cab0f2abcd02a44e999263011f89c71bc761125bf0a14
Instruction Fuzzy Hash: BAC0123090672056DA304F05BD047D7FAF95F57358F042404FC4573645D360D59885D9

Function 00E8C4A2 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab7f13b2fa88397a75655b1bd4fe4b0ba8d9f6ce3449be10a51de5468010258
Instruction ID: 9c6b5a5891d078d2871b9935e3ef39d2f3b5027bf05af3dcbf730d5e1c3eb885
Opcode Fuzzy Hash: 7ab7f13b2fa88397a75655b1bd4fe4b0ba8d9f6ce3449be10a51de5468010258
Instruction Fuzzy Hash: 8DC08C350009504ACE29A91082B13B43394A7927C6FA0288CCA5F5BB52C93E9CC6D720

Function 00E30D70 Relevance: 124.6, APIs: 42, Strings: 29, Instructions: 400libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 00E30DBB
RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\MIT\Kerberos,?), ref: 00E30DED
RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00E30E16
RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?), ref: 00E30E53
_strlen.LIBCMT ref: 00E30E6F
_strlen.LIBCMT ref: 00E30EAC
LoadLibraryExA.KERNEL32(00000000,00000000,00000D00), ref: 00E30EDA
RegCloseKey.ADVAPI32(?), ref: 00E30F46
GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 00E30F88
GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 00E30F94
GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 00E30FA0
GetProcAddress.KERNEL32(00000000,gss_verify_mic), ref: 00E30FAC
GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 00E30FB8
GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 00E30FC4
GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 00E30FD0
GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 00E30FDC
GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 00E30FE8
GetProcAddress.KERNEL32(00000000,gss_acquire_cred), ref: 00E30FF4
GetProcAddress.KERNEL32(00000000,gss_inquire_cred_by_mech), ref: 00E31000
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00E07A80,?), ref: 00E3101B
FreeLibrary.KERNEL32(00000000), ref: 00E30F0E

Part of subcall function 00E1BFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00E2A190,kernel32.dll), ref: 00E1BFCF

GetProcAddress.KERNEL32(00000000,AcquireCredentialsHandleA), ref: 00E3106A
GetProcAddress.KERNEL32(00000000,InitializeSecurityContextA), ref: 00E31077
GetProcAddress.KERNEL32(00000000,FreeContextBuffer), ref: 00E31084
GetProcAddress.KERNEL32(00000000,FreeCredentialsHandle), ref: 00E31091
GetProcAddress.KERNEL32(00000000,DeleteSecurityContext), ref: 00E3109E
GetProcAddress.KERNEL32(00000000,QueryContextAttributesA), ref: 00E310AB
GetProcAddress.KERNEL32(00000000,MakeSignature), ref: 00E310B8
GetProcAddress.KERNEL32(00000000,VerifySignature), ref: 00E310C5
_strlen.LIBCMT ref: 00E3114C
LoadLibraryExA.KERNEL32(?,00000000,00000D00,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E311C7
GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 00E31215
GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 00E31221
GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 00E3122D
GetProcAddress.KERNEL32(00000000,gss_verify_mic), ref: 00E31239
GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 00E31245
GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 00E31251
GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 00E3125D
GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 00E31269
GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 00E31275
GetProcAddress.KERNEL32(00000000,gss_acquire_cred), ref: 00E31281
GetProcAddress.KERNEL32(00000000,gss_inquire_cred_by_mech), ref: 00E3128D

Strings

secur32.dll, xrefs: 00E31025
kernel32.dll, xrefs: 00E30D9B
gss_get_mic, xrefs: 00E30F9A, 00E31227
gss_import_name, xrefs: 00E30FB2, 00E3123F
InstallDir, xrefs: 00E30E0D, 00E30E4A
SOFTWARE\MIT\Kerberos, xrefs: 00E30DE3
VerifySignature, xrefs: 00E310BF
gss_delete_sec_context, xrefs: 00E30F82, 00E3120F
FreeContextBuffer, xrefs: 00E3107E
gss_release_name, xrefs: 00E30FE2, 00E3126F
l, xrefs: 00E30ECB
Using GSSAPI from user-specified library '%s', xrefs: 00E311F4
InitializeSecurityContextA, xrefs: 00E31071
2.dl, xrefs: 00E30EC3
FreeCredentialsHandle, xrefs: 00E3108B
DeleteSecurityContext, xrefs: 00E31098
gss_release_buffer, xrefs: 00E30FCA, 00E31257
QueryContextAttributesA, xrefs: 00E310A5
gss_init_sec_context, xrefs: 00E30FBE, 00E3124B
api3, xrefs: 00E30EBB
gss_verify_mic, xrefs: 00E30FA6, 00E31233
MakeSignature, xrefs: 00E310B2
gss_display_status, xrefs: 00E30F8E, 00E3121B
AcquireCredentialsHandleA, xrefs: 00E31064
%.*s, xrefs: 00E31188
AddDllDirectory, xrefs: 00E30DB5
gss_acquire_cred, xrefs: 00E30FEE, 00E3127B
gss_inquire_cred_by_mech, xrefs: 00E30FFA, 00E31287
gss_release_cred, xrefs: 00E30FD6, 00E31263

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc$Library$Load_strlen$CloseQueryValue$FreeOpen
String ID: %.*s$2.dl$AcquireCredentialsHandleA$AddDllDirectory$DeleteSecurityContext$FreeContextBuffer$FreeCredentialsHandle$InitializeSecurityContextA$InstallDir$MakeSignature$QueryContextAttributesA$SOFTWARE\MIT\Kerberos$Using GSSAPI from user-specified library '%s'$VerifySignature$api3$gss_acquire_cred$gss_delete_sec_context$gss_display_status$gss_get_mic$gss_import_name$gss_init_sec_context$gss_inquire_cred_by_mech$gss_release_buffer$gss_release_cred$gss_release_name$gss_verify_mic$kernel32.dll$l$secur32.dll
API String ID: 3724305165-2373097305
Opcode ID: 3e665e64e9ef0e70980ef5ac81beb45cfc4a7119cefb99709c20c3a1311fc888
Instruction ID: daf33b724946a847eb13244e7c1fcf85b1326933a1c819e858248ae770b33b8e
Opcode Fuzzy Hash: 3e665e64e9ef0e70980ef5ac81beb45cfc4a7119cefb99709c20c3a1311fc888
Instruction Fuzzy Hash: 40D1D2B0900304AFD7209F619D86F7A7BE8EF41B08F00506DFD49BA28AE7B5D905CB56

Function 00DFEC10 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 367windowCOMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,00000063,?), ref: 00DFEC7E
GetWindowLongA.USER32(?,000000F4), ref: 00DFECB0
SetBkMode.GDI32(?,00000001), ref: 00DFECCC
GetStockObject.GDI32(0000000D), ref: 00DFECD4
SelectObject.GDI32(?,00000000), ref: 00DFECDC
GetObjectA.GDI32(00000000,0000003C,?), ref: 00DFECEA
CreateFontIndirectA.GDI32(?), ref: 00DFED11
SelectObject.GDI32(?,00000000), ref: 00DFED1D
GetSysColorBrush.USER32(0000000F), ref: 00DFED25
SetDlgItemTextA.USER32(?,00000064,00000000), ref: 00DFEDB4
SetWindowTextA.USER32(?,00000000), ref: 00DFEDD0
GetDlgItem.USER32(?,00000063), ref: 00DFEDDF
DestroyWindow.USER32(00000000), ref: 00DFEDEA
SendDlgItemMessageA.USER32(?,00000064,000000BA,00000000,00000000), ref: 00DFEDFC
MapDialogRect.USER32(?,00000028), ref: 00DFEE40
GetDlgItem.USER32(?,00000064), ref: 00DFEE66
GetDlgItem.USER32(?,00000002), ref: 00DFEE91
MapDialogRect.USER32(?,00000120), ref: 00DFEEBD
GetDlgItem.USER32(?,000003E9), ref: 00DFEEDD
MapDialogRect.USER32(?,000000A8), ref: 00DFEF07
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00DFEF1A
GetDlgItem.USER32(?,000003E8), ref: 00DFEF26
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00DFEF68
GetDlgItem.USER32(?,000003EC), ref: 00DFEF74
MapDialogRect.USER32(?,0000003C), ref: 00DFEF9E
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00DFEFB5
GetDlgItem.USER32(?,00000009), ref: 00DFEFBE
MapDialogRect.USER32(?,0000003C), ref: 00DFEFE4
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00DFF001
MapDialogRect.USER32(?,0000003C), ref: 00DFF029
GetWindowRect.USER32(?,0000003C), ref: 00DFF065
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?,0000000E), ref: 00DFF088
GetSystemMetrics.USER32(0000000C), ref: 00DFF096
GetSystemMetrics.USER32(0000000B), ref: 00DFF09C
LoadImageA.USER32(00000000,?,00000001,00000000,00000000,00008000), ref: 00DFF0AD
SendDlgItemMessageA.USER32(?,00000062,00000170,00000000,00000000), ref: 00DFF0BE
GetDlgItem.USER32(?,00000009), ref: 00DFF0D0
DestroyWindow.USER32(00000000), ref: 00DFF0DB
ShowWindow.USER32(?,00000001), ref: 00DFF0E4

Strings

<, xrefs: 00DFEF7C
PuTTYHostKeyMoreInfo, xrefs: 00DFED61

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Item$Window$Rect$Dialog$Object$Text$DestroyMessageMetricsSelectSendSystem$BrushColorCreateFontImageIndirectLoadLongModeShowStock
String ID: <$PuTTYHostKeyMoreInfo
API String ID: 3197394372-974962811
Opcode ID: daed7a47f4c2a965eecf6b99bd6454d8b14056f315b91a986a802797825a01bc
Instruction ID: d46f1957c6d5f77808007c48f32655bf2556825348fea6d9014dc46f7fd8bc74
Opcode Fuzzy Hash: daed7a47f4c2a965eecf6b99bd6454d8b14056f315b91a986a802797825a01bc
Instruction Fuzzy Hash: 48D16171144305AFE710DF21EC49B2BBBE9FF88705F054829F686B62D1CB75D9088BA6

Function 00E1C580 Relevance: 56.3, APIs: 20, Strings: 12, Instructions: 267windowlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,DwmGetWindowAttribute), ref: 00E1C5B7
GetDC.USER32(00000000), ref: 00E1C5C8
GetCurrentObject.GDI32(00000000,00000007), ref: 00E1C647
GetObjectA.GDI32(00000000,00000018,00000000), ref: 00E1C655
CreateCompatibleDC.GDI32(00000000), ref: 00E1C673
CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 00E1C686
SelectObject.GDI32(00000000,00000000), ref: 00E1C6A0
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CC0020), ref: 00E1C6C7
GetDIBits.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E1C751
GetLastError.KERNEL32 ref: 00E1C75F

Part of subcall function 00E1BFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00E2A190,kernel32.dll), ref: 00E1BFCF

GetLastError.KERNEL32 ref: 00E1C7F9

Part of subcall function 00E1D3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D46B
Part of subcall function 00E1D3E0: _strlen.LIBCMT ref: 00E1D476

ReleaseDC.USER32(00000000,?), ref: 00E1C8DE
DeleteObject.GDI32(?), ref: 00E1C8E8
DeleteObject.GDI32(00000000), ref: 00E1C8EF

Strings

'%s': unable to open file, xrefs: 00E1C8C9
BitBlt: %s, xrefs: 00E1C8B5
GetDC(window): %s, xrefs: 00E1C80B
GetDIBits (get data): %s, xrefs: 00E1C76F
dwmapi.dll, xrefs: 00E1C59B
DwmGetWindowAttribute, xrefs: 00E1C5B1
SelectObject: %s, xrefs: 00E1C88C
BM, xrefs: 00E1C79B
CreateCompatibleDC(desktop window dc): %s, xrefs: 00E1C82F
(, xrefs: 00E1C708
6, xrefs: 00E1C7AD
CreateCompatibleBitmap: %s, xrefs: 00E1C85E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteErrorLast$AddressBitmapBitsCurrentFormatLibraryLoadMessageProcReleaseSelect_strlen
String ID: '%s': unable to open file$($6$BM$BitBlt: %s$CreateCompatibleBitmap: %s$CreateCompatibleDC(desktop window dc): %s$DwmGetWindowAttribute$GetDC(window): %s$GetDIBits (get data): %s$SelectObject: %s$dwmapi.dll
API String ID: 422774641-2800384791
Opcode ID: c8518ba323b3cda9810102653f3095655af6791047f52e7361a9dbb689914453
Instruction ID: c1b3af8a4b983e6b1fe18b5e4388b1e5c7bd0cba3c5880ed0e4ccc09f6da46a5
Opcode Fuzzy Hash: c8518ba323b3cda9810102653f3095655af6791047f52e7361a9dbb689914453
Instruction Fuzzy Hash: 5991B5B1544300AFE7109F61EC49B6F7BE8EF88744F14142CF64AFA291EB71A944CB62

Function 00E70700 Relevance: 40.4, APIs: 14, Strings: 9, Instructions: 138filepipeCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E70744
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,?,00E708C8,?), ref: 00E70785
GetLastError.KERNEL32(?,?,?,?,?,00E708C8,?), ref: 00E7078C
WaitNamedPipeA.KERNEL32(?,00000000), ref: 00E7079A
GetLastError.KERNEL32(?,?,?,?,?,00E708C8,?), ref: 00E707A4

Part of subcall function 00E1CA80: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CAB7
Part of subcall function 00E1CA80: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CAC5
Part of subcall function 00E1CA80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB04
Part of subcall function 00E1CA80: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB21
Part of subcall function 00E1CA80: GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB4B
Part of subcall function 00E1CA80: CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00E1CB6A
Part of subcall function 00E1CA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB8B
Part of subcall function 00E1CA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB9A
Part of subcall function 00E1CA80: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CBA5

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00E708C8,?), ref: 00E707E7
GetLastError.KERNEL32(?,?,?,?,?,?,00E708C8,?), ref: 00E707ED

Part of subcall function 00E1D3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D46B
Part of subcall function 00E1D3E0: _strlen.LIBCMT ref: 00E1D476

CloseHandle.KERNEL32(00000000,?,?,?,?,?,00E708C8,?), ref: 00E70825
GetLastError.KERNEL32(?,?,?,?,?,00E708C8,?), ref: 00E7082B
EqualSid.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00E708C8,?), ref: 00E70847
LocalFree.KERNEL32(?,?,?,?,?,?,?,00E708C8,?), ref: 00E70854

Strings

\\.\pipe\, xrefs: 00E70718
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00E70731
Unable to get user SID: %s, xrefs: 00E7083B
Unable to get named pipe security information: %s, xrefs: 00E707FD
Error waiting for named pipe '%s': %s, xrefs: 00E707B5
Unable to open named pipe '%s': %s, xrefs: 00E70815
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-client.c, xrefs: 00E7072C, 00E70752
strchr(pipename + 9, '\\') == NULL, xrefs: 00E70757
Owner of named pipe '%s' is not us, xrefs: 00E7086D

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast$CloseHandle$Local$FreeProcess$AllocCopyCreateCurrentEqualFileFormatLengthMessageNamedOpenPipeWait___from_strstr_to_strchr_strlen
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-client.c$Error waiting for named pipe '%s': %s$Owner of named pipe '%s' is not us$Unable to get named pipe security information: %s$Unable to get user SID: %s$Unable to open named pipe '%s': %s$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
API String ID: 1975913820-3978821697
Opcode ID: ee1c93381f584e591732091d034e8ef580be16636848894f2579120822c1c194
Instruction ID: 7965a63e286decfa17b42b5f34429814bb42d15eab40f83d9559849ee47738ab
Opcode Fuzzy Hash: ee1c93381f584e591732091d034e8ef580be16636848894f2579120822c1c194
Instruction Fuzzy Hash: E041B671641300AFE6107771BC0AF6B3798DF55758F18A039FA0AF91D2EA619905C6A2

Function 00E04E40 Relevance: 37.6, APIs: 25, Instructions: 149COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00E04E78
CreateCompatibleDC.GDI32(00000000), ref: 00E04E9E
SelectObject.GDI32(00000000), ref: 00E04EAD
_strlen.LIBCMT ref: 00E04EB4
GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00E04EC4
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000016), ref: 00E04EE3
InvalidateRect.USER32(?,00000000,00000000), ref: 00E04EEE
DeleteDC.GDI32(00000000), ref: 00E04EF5
DefWindowProcA.USER32(?,?,?,?), ref: 00E04F02
BeginPaint.USER32(?,?), ref: 00E04F15
SelectObject.GDI32(00000000), ref: 00E04F2A
GetStockObject.GDI32(00000007), ref: 00E04F2E
SelectObject.GDI32(00000000,00000000), ref: 00E04F36
CreateSolidBrush.GDI32 ref: 00E04F3E
SelectObject.GDI32(00000000,00000000), ref: 00E04F4A
GetClientRect.USER32(?,?), ref: 00E04F55
Rectangle.GDI32(00000000,?,?,?,?), ref: 00E04F6C
GetWindowTextLengthA.USER32(?), ref: 00E04F73
GetWindowTextA.USER32(?,00000000,00000001), ref: 00E04F94
SetTextColor.GDI32(00000000), ref: 00E04FA1
SetBkColor.GDI32(00000000), ref: 00E04FAE
TextOutA.GDI32(00000000,?,?,00000000,00000000), ref: 00E04FC7
SelectObject.GDI32(00000000), ref: 00E04FDA
DeleteObject.GDI32(?), ref: 00E04FE4
EndPaint.USER32(?,?), ref: 00E04FF0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Object$SelectText$Window$Delete$ColorCreatePaintRect$BeginBrushClientCompatibleExtentInvalidateLengthPoint32ProcRectangleSolidStock_strlen
String ID:
API String ID: 2408264671-0
Opcode ID: 0ab12ea3cbbecd8e9fb7fbaddd2e15e6391feb93a30393e6778ec61dd1accf7e
Instruction ID: 483d280e5d7803518fd013c41ff1658b5039076396046325aa19194c339deaeb
Opcode Fuzzy Hash: 0ab12ea3cbbecd8e9fb7fbaddd2e15e6391feb93a30393e6778ec61dd1accf7e
Instruction Fuzzy Hash: DB5190B2105204AFD701DF61FC88F6F7BACEF49741F01442AFA46AA2A0C7319949CB62

Function 00DE84F0 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 181windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00DE85D3
GetDeviceCaps.GDI32(00000000,00000026), ref: 00DE85DE
CreatePalette.GDI32 ref: 00DE85F5
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00DE8612
RealizePalette.GDI32(00000000), ref: 00DE8615
GetStockObject.GDI32(0000000F), ref: 00DE861D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00DE8627
SetPaletteEntries.GDI32(?,?,?,?), ref: 00DE8685
GetDC.USER32(00000000), ref: 00DE8697
SelectPalette.GDI32(00000000,00000000), ref: 00DE86AC
UnrealizeObject.GDI32 ref: 00DE86BA
RealizePalette.GDI32(00000000), ref: 00DE86C1
GetStockObject.GDI32(0000000F), ref: 00DE86E9
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00DE86F3
ReleaseDC.USER32(00000000), ref: 00DE8700
InvalidateRect.USER32(00000000,00000001), ref: 00DE8722
ReleaseDC.USER32(00000000), ref: 00DE8736

Strings

start <= OSC4_NCOLOURS, xrefs: 00DE850E
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DE8509, 00DE852B, 00DE86D5
ncolours <= OSC4_NCOLOURS - start, xrefs: 00DE8530
wgs.term_hwnd, xrefs: 00DE86DA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Palette$Select$Object$RealizeReleaseStock$CapsCreateDeviceEntriesInvalidateRectUnrealize
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$ncolours <= OSC4_NCOLOURS - start$start <= OSC4_NCOLOURS$wgs.term_hwnd
API String ID: 3328073877-2827769490
Opcode ID: ccfd5e7c53fe9f75fca35108b215524b5e0cea979354fe7afe4e0520662469ad
Instruction ID: 130e0f9b5834a562216a8e6488c2f9bd797e1f2ef5351fe0b2b829606aea0add
Opcode Fuzzy Hash: ccfd5e7c53fe9f75fca35108b215524b5e0cea979354fe7afe4e0520662469ad
Instruction Fuzzy Hash: 325108B1504384AFE710AF33EC89F667B55EB05305F08002AF64ABB2E1DF718949D725

Function 00E1F600 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1BFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00E2A190,kernel32.dll), ref: 00E1BFCF

GetProcAddress.KERNEL32(00000000,EnumPrintersA), ref: 00E1F63B
GetProcAddress.KERNEL32(00000000,OpenPrinterA), ref: 00E1F648
GetProcAddress.KERNEL32(00000000,ClosePrinter), ref: 00E1F655
GetProcAddress.KERNEL32(00000000,StartDocPrinterA), ref: 00E1F662
GetProcAddress.KERNEL32(00000000,EndDocPrinter), ref: 00E1F66F
GetProcAddress.KERNEL32(00000000,StartPagePrinter), ref: 00E1F67C
GetProcAddress.KERNEL32(00000000,EndPagePrinter), ref: 00E1F689
GetProcAddress.KERNEL32(00000000,WritePrinter), ref: 00E1F696

Strings

ClosePrinter, xrefs: 00E1F64F
OpenPrinterA, xrefs: 00E1F642
StartPagePrinter, xrefs: 00E1F676
WritePrinter, xrefs: 00E1F690
winspool.drv, xrefs: 00E1F60F
EndDocPrinter, xrefs: 00E1F669
EndPagePrinter, xrefs: 00E1F683
StartDocPrinterA, xrefs: 00E1F65C
spoolss.dll, xrefs: 00E1F61E
EnumPrintersA, xrefs: 00E1F635

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: ClosePrinter$EndDocPrinter$EndPagePrinter$EnumPrintersA$OpenPrinterA$StartDocPrinterA$StartPagePrinter$WritePrinter$spoolss.dll$winspool.drv
API String ID: 2238633743-2130675966
Opcode ID: ad6dddb7a826ab94ad0b71f4471936d88bc29c8710cfa15992375f6134a01843
Instruction ID: 61d2c2e215bc0f2ad59b7bd1a3f8f9e1928fc0d1410dab89dc7721e148b8f6a4
Opcode Fuzzy Hash: ad6dddb7a826ab94ad0b71f4471936d88bc29c8710cfa15992375f6134a01843
Instruction Fuzzy Hash: 831184B2501FDC5DD300AB26BD81B6ABBD4BB5474CF18202EF4007A168D7F5054A8F81

Function 00DEAD44 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 336COMMON

Download Yara Rule

APIs

Part of subcall function 00DE5EB0: _strlen.LIBCMT ref: 00DE5EC1

__fread_nolock.LIBCMT ref: 00DEAFA1

Part of subcall function 00DE5DA0: DeleteObject.GDI32(00000000), ref: 00DE5DE1
Part of subcall function 00DE5DA0: DestroyIcon.USER32(FFFFFFFF,00000000,?,?,00DEB1A1,00000001,?,?,?,?,?,00DE5C06,?,00DE2A54), ref: 00DE5DF0
Part of subcall function 00DE5DA0: DeleteObject.GDI32(?), ref: 00DE5E18
Part of subcall function 00DE5DA0: CoUninitialize.OLE32(00000001,?,?,?,?,?,00DE5C06,?,00DE2A54), ref: 00DE5E2D

Strings

-demo-config-box, xrefs: 00DEAEE1
-demo-terminal, xrefs: 00DEAEF3
--host-ca, xrefs: 00DEAE9F
-pgpfp, xrefs: 00DEAE6A
unexpected argument "%s", xrefs: 00DEAFCC
%s expects input and output filenames, xrefs: 00DEAFE2
This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?, xrefs: 00DEB09A
-cleanup, xrefs: 00DEAE54
--host_ca, xrefs: 00DEAECB
%s expects an output filename, xrefs: 00DEAFD7
demo-server.example.com, xrefs: 00DEB02C, 00DEB112
unknown option "%s", xrefs: 00DEAF0F
can't open input file '%s', xrefs: 00DEAF6F
%s Warning, xrefs: 00DEB0AA
option "%s" requires an argument, xrefs: 00DEAE01

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: DeleteObject$DestroyIconUninitialize__fread_nolock_strlen
String ID: %s Warning$%s expects an output filename$%s expects input and output filenames$--host-ca$--host_ca$-cleanup$-demo-config-box$-demo-terminal$-pgpfp$This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?$can't open input file '%s'$demo-server.example.com$option "%s" requires an argument$unexpected argument "%s"$unknown option "%s"
API String ID: 3701376555-528882638
Opcode ID: 5478403c7a60369ffb4008650d484ae83d5d883a3fa274adc6019d3a18060126
Instruction ID: d9afda03a2aa77cb744e15b12cc763ce7bfe8e1842e7fce97644e3e6af9fa264
Opcode Fuzzy Hash: 5478403c7a60369ffb4008650d484ae83d5d883a3fa274adc6019d3a18060126
Instruction Fuzzy Hash: B19148B5A4438136EA3037267C43F7F36988F62759F08142CF949752C3F6A6BA9581B3

Function 00E59680 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 311filememorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E70700: ___from_strstr_to_strchr.LIBCMT ref: 00E70744
Part of subcall function 00E70700: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,?,00E708C8,?), ref: 00E70785
Part of subcall function 00E70700: GetLastError.KERNEL32(?,?,?,?,?,00E708C8,?), ref: 00E7078C
Part of subcall function 00E70700: WaitNamedPipeA.KERNEL32(?,00000000), ref: 00E7079A
Part of subcall function 00E70700: GetLastError.KERNEL32(?,?,?,?,?,00E708C8,?), ref: 00E707A4

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E59715
CloseHandle.KERNEL32(00000000), ref: 00E597BD
FindWindowA.USER32(Pageant,Pageant), ref: 00E5980F
GetCurrentThreadId.KERNEL32 ref: 00E5981F
LocalAlloc.KERNEL32(00000040,00000014), ref: 00E5985C
ReadFile.KERNEL32(00000000,?,00000400,?,00000000), ref: 00E598D4
LocalFree.KERNEL32(00000000), ref: 00E59952
CreateFileMappingA.KERNEL32(000000FF,?,00000004,00000000,00040000,00000000), ref: 00E59969
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,00000004,00000000,00040000,00000000), ref: 00E59998
_strlen.LIBCMT ref: 00E599D3
SendMessageA.USER32(00000000,0000004A,00000000,?), ref: 00E599F0
UnmapViewOfFile.KERNEL32(?,?,?,?,?,00000000), ref: 00E59A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E59A47
LocalFree.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E59A63

Strings

PageantRequest%08x, xrefs: 00E59826
Pageant, xrefs: 00E59805, 00E5980A

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: File$Local$CloseCreateErrorFreeHandleLastView$AllocCurrentFindMappingMessageNamedPipeReadSendThreadUnmapWaitWindowWrite___from_strstr_to_strchr_strlen
String ID: Pageant$PageantRequest%08x
API String ID: 941082645-270379698
Opcode ID: 4f3663f402d918af5af9b0d543b8bea7aa77143862ceba5cd0d0af0f19783140
Instruction ID: ca042fede19106c005b8c0cec302f491dbe1fc75eb74030fc79a7a776e11b7da
Opcode Fuzzy Hash: 4f3663f402d918af5af9b0d543b8bea7aa77143862ceba5cd0d0af0f19783140
Instruction Fuzzy Hash: A0A1E3B16043009FD7209F21EC45B9BB7E8EF84715F14592DFE49BB292E770A908CB96

Function 00DE6480 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 167windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00DE64AC
AppendMenuA.USER32(00000000,00000000,00000400,?), ref: 00DE64E1
DeleteMenu.USER32(?,00000000), ref: 00DE6605
DeleteMenu.USER32(00000200,00000000), ref: 00DE6614
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00DE6632
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 00DE6648
DeleteMenu.USER32(?,00000000), ref: 00DE6664
DeleteMenu.USER32(00000200,00000000), ref: 00DE6673
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00DE6691
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 00DE66A7

Strings

nesting < 2, xrefs: 00DE6573
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DE6515, 00DE656E
IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX, xrefs: 00DE651A
S&pecial Command, xrefs: 00DE6622, 00DE6681

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Menu$DeleteInsert$AppendCreatePopup
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX$S&pecial Command$nesting < 2
API String ID: 1803796953-3159962390
Opcode ID: 47df73615990d420f6cc1d445f4ec46f5cb9ae0a1dc23f37140ebbd00056120c
Instruction ID: 6f5719926d90b8b9c8315915105525291bf8ac6bc8adf9073fdad88652718721
Opcode Fuzzy Hash: 47df73615990d420f6cc1d445f4ec46f5cb9ae0a1dc23f37140ebbd00056120c
Instruction Fuzzy Hash: 7A51E4B07003487FE714AB26EC89F2A77A6EB90740F14452EF605AF2E1DAB1E8059B54

Function 00E0CA10 Relevance: 28.1, APIs: 5, Strings: 11, Instructions: 146timeCOMMON

Download Yara Rule

APIs

GetCommState.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00E0C820,?), ref: 00E0CA2C
SetCommState.KERNEL32(00000000,?), ref: 00E0CB6F
SetCommTimeouts.KERNEL32(00000000), ref: 00E0CBA4
GetLastError.KERNEL32 ref: 00E0CBB3

Part of subcall function 00E1D3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D46B
Part of subcall function 00E1D3E0: _strlen.LIBCMT ref: 00E1D476

GetLastError.KERNEL32 ref: 00E0CBCA

Strings

Configuring serial port: %s, xrefs: 00E0CBDA
RTS/CTS, xrefs: 00E0CB42
Configuring %s, xrefs: 00E0CAB4
Invalid number of stop bits (need 1, 1.5 or 2), xrefs: 00E0CB12
Configuring %u data bits, xrefs: 00E0CA85
DSR/DTR, xrefs: 00E0CB57
Configuring baud rate %lu, xrefs: 00E0CA62
Configuring serial timeouts: %s, xrefs: 00E0CBC3
Configuring %s parity, xrefs: 00E0CAE0
Configuring %s flow control, xrefs: 00E0CB5D
XON/XOFF, xrefs: 00E0CB29

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Comm$ErrorLastState$FormatMessageTimeouts_strlen
String ID: Configuring %s$Configuring %s flow control$Configuring %s parity$Configuring %u data bits$Configuring baud rate %lu$Configuring serial port: %s$Configuring serial timeouts: %s$DSR/DTR$Invalid number of stop bits (need 1, 1.5 or 2)$RTS/CTS$XON/XOFF
API String ID: 617136254-604002008
Opcode ID: 9a08ecf1cdec5a78496fce6ecdd84ec0e0918a660f805dc446553144eacaaea2
Instruction ID: 45dfbab7ef0dcf8816b8b4819a494d3dd0cee53237e44133824af3705ea5078a
Opcode Fuzzy Hash: 9a08ecf1cdec5a78496fce6ecdd84ec0e0918a660f805dc446553144eacaaea2
Instruction Fuzzy Hash: 1D4108719083006FD700AF20BC47B5B7BD8EF55714F181938FD99B6292E636C9588BA3

Function 00E1C920 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetSecurityInfo), ref: 00E1C956
GetProcAddress.KERNEL32(00000000,SetSecurityInfo), ref: 00E1C97C
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00E1C9A2
GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 00E1C9C8
GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 00E1C9EA
GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorOwner), ref: 00E1CA08
GetProcAddress.KERNEL32(00000000,SetEntriesInAclA), ref: 00E1CA2B

Strings

InitializeSecurityDescriptor, xrefs: 00E1C9E4
SetSecurityDescriptorOwner, xrefs: 00E1CA02
advapi32.dll, xrefs: 00E1C936
OpenProcessToken, xrefs: 00E1C99C
SetEntriesInAclA, xrefs: 00E1CA25
GetSecurityInfo, xrefs: 00E1C950
SetSecurityInfo, xrefs: 00E1C976
GetTokenInformation, xrefs: 00E1C9C2

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc
String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
API String ID: 190572456-1260934078
Opcode ID: 7f929d531805f2450d765c3d37146b3ba2a08a51cbdbefb90be4eeacab7b493e
Instruction ID: f5e6fee718373b6ee854c3d9bc9e6f7e45b4bc05063f61ac2dd4fc78443dd230
Opcode Fuzzy Hash: 7f929d531805f2450d765c3d37146b3ba2a08a51cbdbefb90be4eeacab7b493e
Instruction Fuzzy Hash: 5731ED75641B8A9ED702CB76AD94B653BB4BF1934CF246029F502FA2B1EB75C4C8CB10

Function 00E3CFD0 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 338COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E3D145

Part of subcall function 00E199E0: _strlen.LIBCMT ref: 00E199EB

Strings

ssh-rsa-cert-v01@openssh.com, xrefs: 00E3D183, 00E3D190, 00E3D3EA, 00E3D3F3
Sending public key with certificate from "%s", xrefs: 00E3D111
unable to identify algorithm of base key, xrefs: 00E3D298, 00E3D2C1, 00E3D2DD
rsa-sha2-512-cert-v01@openssh.com, xrefs: 00E3D16B, 00E3D3CE
Unable to use certificate "%s" with public key "%s": %s, xrefs: 00E3D32F
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/userauth2-client.c, xrefs: 00E3D1C3, 00E3D1E4
certalg->is_certificate, xrefs: 00E3D1E9
base public key is invalid, xrefs: 00E3D2A7
Not substituting certificate "%s" for public key: %s, xrefs: 00E3D2DF
certificate key file is invalid, xrefs: 00E3D203
base public key does not match certificate, xrefs: 00E3D265
certalg, xrefs: 00E3D1C8
rsa-sha2-256-cert-v01@openssh.com, xrefs: 00E3D158, 00E3D3B7

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/userauth2-client.c$Not substituting certificate "%s" for public key: %s$Sending public key with certificate from "%s"$Unable to use certificate "%s" with public key "%s": %s$base public key does not match certificate$base public key is invalid$certalg$certalg->is_certificate$certificate key file is invalid$rsa-sha2-256-cert-v01@openssh.com$rsa-sha2-512-cert-v01@openssh.com$ssh-rsa-cert-v01@openssh.com$unable to identify algorithm of base key
API String ID: 4218353326-4172376394
Opcode ID: 401042140655fdb0f0569d371525bc9871e82f06bd2dadbfdaa996f1abec10d7
Instruction ID: 1728085e41855b73602090ebb6dbc6a3c5dba014ac326598b105cd78be03caba
Opcode Fuzzy Hash: 401042140655fdb0f0569d371525bc9871e82f06bd2dadbfdaa996f1abec10d7
Instruction Fuzzy Hash: D9B191B5A043016FD701AB20EC46F5BBBE9AF91308F085468F94977253E732ED65CB92

Function 00E04C60 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 122registryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(00000003), ref: 00E04CFF
GetSysColor.USER32(00000018), ref: 00E04D13
GetSysColor.USER32(00000017), ref: 00E04D1C
SystemParametersInfoA.USER32(00000029,00000158,00000158,00000000), ref: 00E04D4D
CreateFontIndirectA.GDI32(?), ref: 00E04D5B
SetWindowTextA.USER32(00000000,?), ref: 00E04D85
CreateCompatibleDC.GDI32(00000000), ref: 00E04D99
_strlen.LIBCMT ref: 00E04DA2
GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00E04DB2
DeleteDC.GDI32(00000000), ref: 00E04DB9
GetWindowRect.USER32(?), ref: 00E04DC3
CreateWindowExA.USER32(00000088,00000010,?,80000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00E04E0D
ShowWindow.USER32(00000000,00000004), ref: 00E04E1B

Strings

%dx%d, xrefs: 00E04D6C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Window$Create$ColorText$ClassCompatibleDeleteExtentFontIndirectInfoParametersPoint32RectRegisterShowSystem_strlen
String ID: %dx%d
API String ID: 816365731-2206825331
Opcode ID: eb4b736234ccb997ba335df0bfddb91eaead2795ddc5329955be9de27d68e12f
Instruction ID: b56924185b8bd2a80960f278405bd3b5439813e987813205066fc6725e96e894
Opcode Fuzzy Hash: eb4b736234ccb997ba335df0bfddb91eaead2795ddc5329955be9de27d68e12f
Instruction Fuzzy Hash: BD417FB1504344AFE721DF62ED89B6B7BE8EB84705F00481DF645AB2E0D7749948CBA2

Function 00E00060 Relevance: 24.2, APIs: 16, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00E00081
_strlen.LIBCMT ref: 00E0008A
_strlen.LIBCMT ref: 00E000A7
SetMapMode.GDI32(00000000,00000001), ref: 00E000C5
MapDialogRect.USER32(?,00000000), ref: 00E000F2
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00E00103
SelectObject.GDI32(00000000,00000000), ref: 00E0010B
_strlen.LIBCMT ref: 00E0011F
GetTextExtentExPointA.GDI32(00000000,?,00000000,?,?,?,?), ref: 00E0013E
_strlen.LIBCMT ref: 00E00169
_strncpy.LIBCMT ref: 00E001B2
_strcat.LIBCMT ref: 00E00267
SelectObject.GDI32(00000000,00000000), ref: 00E00279
ReleaseDC.USER32(?,00000000), ref: 00E00282

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen$ObjectSelect$DialogExtentMessageModePointRectReleaseSendText_strcat_strncpy
String ID:
API String ID: 3950711645-0
Opcode ID: 24b67a051be0765ef0145bc42a6392850cf48c69a234aa53909b663913be9664
Instruction ID: 35ae29438b2e55eb7df5d0eb1547a9e9070d40759976a7254deb72893a0de007
Opcode Fuzzy Hash: 24b67a051be0765ef0145bc42a6392850cf48c69a234aa53909b663913be9664
Instruction Fuzzy Hash: 44618BB1509300AFD700DF60D845B6BBBE8EF88758F04582DF889A7252E775E948CB62

Function 00E8F64F Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 402COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8F6F5
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8F719

Strings

<program name unknown>, xrefs: 00E8F723
(, xrefs: 00E8FA41
..., xrefs: 00E8F774, 00E8F897, 00E8F8E6, 00E8FA2A, 00E8FAAD, 00E8FAE0
File: , xrefs: 00E8F7BF
Program: , xrefs: 00E8F6B7
Line: , xrefs: 00E8F936
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 00E8FA59
Expression: , xrefs: 00E8F9B0
Assertion failed!, xrefs: 00E8F673
\, xrefs: 00E8F816
(Press Retry to debug the application - JIT must be enabled), xrefs: 00E8FA83

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$($...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\
API String ID: 4146042529-754239187
Opcode ID: 6c55955650e977042a30195a5c7b73354bed99db83405e2bd957ea1fad6ec242
Instruction ID: 19f7168a09c7a0fb6a708e4de5d62e2ef6eace7ed19f2787949428932e3fe8cc
Opcode Fuzzy Hash: 6c55955650e977042a30195a5c7b73354bed99db83405e2bd957ea1fad6ec242
Instruction Fuzzy Hash: B9C1E832A402196ADF24BA65DC4AFAB73A8DFA8708F0450B9FC0DF5243F6309E55C761

Function 00DE7330 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00DE7349
MessageBeep.USER32(00000000), ref: 00DE7360
GetTickCount.KERNEL32 ref: 00DE7366
GetTickCount.KERNEL32 ref: 00DE7376
Beep.KERNEL32(00000320,00000064), ref: 00DE739F
ShowCursor.USER32(00000001), ref: 00DE73F6
MessageBoxA.USER32(00000000,00000000,00000030), ref: 00DE7433
GetTickCount.KERNEL32 ref: 00DE7467

Strings

%s Sound Error, xrefs: 00DE741A
Unable to play sound file%sUsing default sound instead, xrefs: 00DE7405

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CountTick$BeepMessage$CursorShow
String ID: %s Sound Error$Unable to play sound file%sUsing default sound instead
API String ID: 3991535243-3498667495
Opcode ID: cdbe657dfc98ee70bebcb19de4809eec7190fa817f1efa7716b35fe314c2896d
Instruction ID: 8cfda41aa3fce63f52b6ac1b667f4b13172691d85821e328a27fd6b40919e19f
Opcode Fuzzy Hash: cdbe657dfc98ee70bebcb19de4809eec7190fa817f1efa7716b35fe314c2896d
Instruction Fuzzy Hash: D851C2709052C4EFE721BF27FC99B197BE5AB40300F184429F985BA1F5DB718948DB62

Function 00DEAAD0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 97windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00DEAAE5
IsZoomed.USER32 ref: 00DEAB0C
GetWindowLongA.USER32(000000F0), ref: 00DEAB1E
GetWindowLongA.USER32(000000F0), ref: 00DEAB37
SetWindowLongA.USER32(000000F0,00200000), ref: 00DEAB69
GetDesktopWindow.USER32 ref: 00DEABC0
GetClientRect.USER32(00000000), ref: 00DEABCA
SetWindowPos.USER32(00000000,00000000,?,?,?,00000020), ref: 00DEABF1
CheckMenuItem.USER32(00000180,00000008), ref: 00DEAC11
CheckMenuItem.USER32(00000180,00000008), ref: 00DEAC20

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DEAAF4
(, xrefs: 00DEAB8B
IsZoomed(wgs.term_hwnd), xrefs: 00DEAAF9

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Window$Long$CheckItemMenuZoomed$ClientDesktopRect
String ID: ($/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$IsZoomed(wgs.term_hwnd)
API String ID: 4021424604-1955039746
Opcode ID: 130ee97fabd12ee4639e3110f8acdb4ff2c7b9a1a88fc8c9e0be659093a28f85
Instruction ID: 1a7bf18be572eb0f507e2948ae477d7a6422c1bbab13ed476cfd5d5254e86082
Opcode Fuzzy Hash: 130ee97fabd12ee4639e3110f8acdb4ff2c7b9a1a88fc8c9e0be659093a28f85
Instruction Fuzzy Hash: 16318F70604245AFD704AF26EC5AF2A7BA5FB44750F044A2EF946BB2F0DB70AC08CB55

Function 00E495F0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 189synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00E704A0: _strlen.LIBCMT ref: 00E704B6
Part of subcall function 00E704A0: _strcat.LIBCMT ref: 00E704EB

GetLastError.KERNEL32 ref: 00E4978B

Part of subcall function 00E48350: GetUserNameA.ADVAPI32(00000000), ref: 00E48414
Part of subcall function 00E48350: GetUserNameA.ADVAPI32(00000000), ref: 00E48440

Part of subcall function 00E70600: CreateMutexA.KERNEL32(?,00000000,?), ref: 00E7066F
Part of subcall function 00E70600: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00E7067E
Part of subcall function 00E70600: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00E4963B,00000000,?), ref: 00E706B1
Part of subcall function 00E70600: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00E4963B,00000000,?), ref: 00E706C0

ReleaseMutex.KERNEL32(00000000), ref: 00E4977C
CloseHandle.KERNEL32(00000000), ref: 00E49783
ReleaseMutex.KERNEL32(00000000), ref: 00E4981D
CloseHandle.KERNEL32(00000000), ref: 00E49824

Part of subcall function 00E48350: GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 00E4839E
Part of subcall function 00E48350: ___from_strstr_to_strchr.LIBCMT ref: 00E483EE

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/sharing.c, xrefs: 00E49757
Local\putty-connshare-mutex, xrefs: 00E49617
Unable to call CryptProtectMemory: %s, xrefs: 00E4979B
*logtext || *ds_err || *us_err, xrefs: 00E4975C
%s: %s, xrefs: 00E496BA, 00E4971C
\\.\pipe\putty-connshare, xrefs: 00E49651
%s.%s.%s, xrefs: 00E4961C, 00E49656

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Mutex$CloseFreeHandleLocalNameReleaseUser$AddressCreateErrorLastObjectProcSingleWait___from_strstr_to_strchr_strcat_strlen
String ID: %s.%s.%s$%s: %s$*logtext || *ds_err || *us_err$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/sharing.c$Local\putty-connshare-mutex$Unable to call CryptProtectMemory: %s$\\.\pipe\putty-connshare
API String ID: 4023102869-959505643
Opcode ID: 80fcfe833908860b8cd4befd2a473a4b29c29d88281961e319828798ac912311
Instruction ID: c71458308d1778e311a91dc45abce2de2e1241b708537201cdc7512565fda65a
Opcode Fuzzy Hash: 80fcfe833908860b8cd4befd2a473a4b29c29d88281961e319828798ac912311
Instruction Fuzzy Hash: 7B5174B5900204AFD701AF65FC4AE6B37E8AF55318F081439F90ABA253EA32DE55C753

Function 00E052E0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00E29BE0: GetLocalTime.KERNEL32(?,?,?,?,00E050A4,?), ref: 00E29BF6

_strftime.LIBCMT ref: 00E05368

Part of subcall function 00E05AF0: _strlen.LIBCMT ref: 00E05B1D

Strings

Writing new, xrefs: 00E053E8, 00E053F9
Disabled writing, xrefs: 00E053D3
ctx->state != L_OPENING, xrefs: 00E05442
Appending, xrefs: 00E053E3
Error writing, xrefs: 00E053D8
%Y.%m.%d %H:%M:%S, xrefs: 00E0535E
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/logging.c, xrefs: 00E0543D
%s session log (%s mode) to file: %s, xrefs: 00E053FA
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=, xrefs: 00E05371
SSH raw data, xrefs: 00E053C4
unknown, xrefs: 00E053C9, 00E053F8

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: LocalTime_strftime_strlen
String ID: %Y.%m.%d %H:%M:%S$%s session log (%s mode) to file: %s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/logging.c$=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=$Appending$Disabled writing$Error writing$SSH raw data$Writing new$ctx->state != L_OPENING$unknown
API String ID: 4241967358-759394250
Opcode ID: 8a27b202d7bddbc903a43302ccdc26b74d1f455aed598b86e2c158308280bca4
Instruction ID: f235646ac9291047459fb0419e90ad6ffb354317a86303b3691fae525a1c99cd
Opcode Fuzzy Hash: 8a27b202d7bddbc903a43302ccdc26b74d1f455aed598b86e2c158308280bca4
Instruction Fuzzy Hash: 9E41DCB2A007045BDB24AB20DC46F6B72E5EFC5704F04643CE88E77282E772A995CB52

Function 00E474B0 Relevance: 21.1, APIs: 14, Instructions: 136filesynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00E474D9
ReadFile.KERNEL32(?,?,?,?,?,?), ref: 00E47555
EnterCriticalSection.KERNEL32(00EE53E0), ref: 00E475E7
SetEvent.KERNEL32 ref: 00E4760A
LeaveCriticalSection.KERNEL32(00EE53E0), ref: 00E47615
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E47624
EnterCriticalSection.KERNEL32(00EE53E0), ref: 00E47639
SetEvent.KERNEL32 ref: 00E4765C
LeaveCriticalSection.KERNEL32(00EE53E0), ref: 00E47667
CloseHandle.KERNEL32(?), ref: 00E47675

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CriticalSection$Event$EnterLeave$CloseCreateFileHandleObjectReadSingleWait
String ID:
API String ID: 1398713650-0
Opcode ID: 852751cc1162bd144abe09201ac37975cbd80f112bf4c85e71c09bc4015880df
Instruction ID: eef90e7483f308f7e981faeeec7d620bf8f0a8d7b45510a121ecb88bfabfb82d
Opcode Fuzzy Hash: 852751cc1162bd144abe09201ac37975cbd80f112bf4c85e71c09bc4015880df
Instruction Fuzzy Hash: B8519271604745EFD700CF66E988B46BFF1FF48394F108629F889AA2A0C7B1E854CB91

Function 00E477A0 Relevance: 21.1, APIs: 14, Instructions: 116filesynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00E477CC
EnterCriticalSection.KERNEL32(00EE53E0), ref: 00E477FA
SetEvent.KERNEL32 ref: 00E47821
LeaveCriticalSection.KERNEL32(00EE53E0), ref: 00E4782C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E4783F
WriteFile.KERNEL32(?,?,?,?,?), ref: 00E47882
GetLastError.KERNEL32 ref: 00E47896
GetLastError.KERNEL32 ref: 00E4789F
GetOverlappedResult.KERNEL32(?,?,?,00000001), ref: 00E478B8
GetLastError.KERNEL32 ref: 00E478C8
EnterCriticalSection.KERNEL32(00EE53E0), ref: 00E478DF
SetEvent.KERNEL32 ref: 00E47906
LeaveCriticalSection.KERNEL32(00EE53E0), ref: 00E47911
CloseHandle.KERNEL32 ref: 00E4791E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CriticalSection$ErrorEventLast$EnterLeave$CloseCreateFileHandleObjectOverlappedResultSingleWaitWrite
String ID:
API String ID: 1399360170-0
Opcode ID: 9f99f7609d51ca136b3c1f2705420f4aed303c06d52c2cc671f791da149239a3
Instruction ID: cde8770858154a7e633a87361b1ef94aedbd2c9e127e0c5cc60c74f52e60ba72
Opcode Fuzzy Hash: 9f99f7609d51ca136b3c1f2705420f4aed303c06d52c2cc671f791da149239a3
Instruction Fuzzy Hash: 17418F31108348EFC700CF65ED88B5A7BF1FF48358F10952AF949AB260D7B19944DB81

Function 00E14B80 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 195libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1C110: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00E1C182
Part of subcall function 00E1C110: RegCloseKey.ADVAPI32(?), ref: 00E1C1BA

GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 00E14C2B

Part of subcall function 00E15220: CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,00E14D9B), ref: 00E1525B

GetEnvironmentVariableA.KERNEL32(HOMEDRIVE,?,00000104), ref: 00E14CF5
GetEnvironmentVariableA.KERNEL32(HOMEPATH,?,00000104), ref: 00E14D08
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E14D70

Part of subcall function 00E1C340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00E14BC3,00000000,RandSeedFile), ref: 00E1C367
Part of subcall function 00E1C340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00E1C39F

Part of subcall function 00E1C1E0: RegCloseKey.ADVAPI32(00000000,00E14BCE,00000000), ref: 00E1C1E4

Strings

RandSeedFile, xrefs: 00E14BB8
\PUTTY.RND, xrefs: 00E14C64, 00E14CAB, 00E14D2B, 00E14D7F
shell32.dll, xrefs: 00E14C0F
SHGetFolderPathA, xrefs: 00E14C25
HOMEPATH, xrefs: 00E14D03
Software\SimonTatham\PuTTY, xrefs: 00E14B9C
HOMEDRIVE, xrefs: 00E14CF0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CloseCreateEnvironmentQueryValueVariable$AddressDirectoryFileProcWindows
String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$shell32.dll
API String ID: 1153880102-1528239033
Opcode ID: b21cb9d80db96b6167b41db2cb66c6d9aa6bda4bd137b02a397f26057d46e637
Instruction ID: e7d6c57ad4d93a0801923052c6f4204620fa748dc63a1ec0659632152204f614
Opcode Fuzzy Hash: b21cb9d80db96b6167b41db2cb66c6d9aa6bda4bd137b02a397f26057d46e637
Instruction Fuzzy Hash: E7510BF6B8434427FA2462357C57FEB32D94BA1748F181034F94ABB3C2F9A199858292

Function 00E049C4 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 204comCOMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E049DC
_strrchr.LIBCMT ref: 00E049EF
CoCreateInstance.OLE32(00EB07D4,00000000,00000001,00EB07C4,?), ref: 00E04A96

Strings

Connect to PuTTY session ', xrefs: 00E04B03
%.*s%s, xrefs: 00E04A08
j\h, xrefs: 00E049D5
Run %.*s, xrefs: 00E04B40, 00E04BEF
Qhp#, xrefs: 00E04A07
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/jump-list.c, xrefs: 00E04B1E, 00E04BCD
appname, xrefs: 00E04B23, 00E04BD2

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strrchr$CreateInstance
String ID: %.*s%s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/jump-list.c$Connect to PuTTY session '$Qhp#$Run %.*s$appname$j\h
API String ID: 3526010480-980186273
Opcode ID: aa559fb07576e9f1ba9f984806b95612d1e0bab9da07636a2738fe6f51374773
Instruction ID: 491de2e295c6076d2c8e4e2571630d9fc290288c2cd6b37e47c8aa8938eea712
Opcode Fuzzy Hash: aa559fb07576e9f1ba9f984806b95612d1e0bab9da07636a2738fe6f51374773
Instruction Fuzzy Hash: 4B51DBF1B443006BD700EF61AD4AF6B77A89F95708F04642CF905B72C2EA71E946C6A3

Function 00DEB400 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159fileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000106,?), ref: 00DEB452
GetCurrentProcessId.KERNEL32 ref: 00DEB460
CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00DEB490
GetLastError.KERNEL32 ref: 00DEB4B0
CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00DEB4FB
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00DEB532
DeleteFileA.KERNEL32(00000000,?,?,?,00000000), ref: 00DEB541
CloseHandle.KERNEL32(00000000), ref: 00DEB5E6

Strings

%s::/%s.html>main, xrefs: 00DEB572
%s\putty_%lu_%llu.chm, xrefs: 00DEB46E, 00DEB4D9

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: File$Create$CloseCurrentDeleteErrorHandleLastPathProcessTempWrite
String ID: %s::/%s.html>main$%s\putty_%lu_%llu.chm
API String ID: 4085685679-1808412575
Opcode ID: 246de82afa71f67ee337590092f12cf033c8cb1b589d9a860f376962dfa44da0
Instruction ID: 8fd5f6776106129d251b0d33e6578efea22b9472fb9d472a71e6cade76f58775
Opcode Fuzzy Hash: 246de82afa71f67ee337590092f12cf033c8cb1b589d9a860f376962dfa44da0
Instruction Fuzzy Hash: 9941DA716003847FE220AB36AC4AFAB77A9DB41714F080129F546BA1D1E7B1AD48C7A5

Function 00E42280 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 117COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E42351

Strings

ost, xrefs: 00E423AE
len >= 2, xrefs: 00E42367
Connected to %s, xrefs: 00E423C8
%s, xrefs: 00E42341
Failed to connect to %s: %s, xrefs: 00E42302
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/backend_socket_log.c, xrefs: 00E42362
te h, xrefs: 00E423B6
Connecting to %s port %d, xrefs: 00E422E8
Connecting to %s, xrefs: 00E423A7

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: %s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/backend_socket_log.c$Connected to %s$Connecting to %s$Connecting to %s port %d$Failed to connect to %s: %s$len >= 2$ost$te h
API String ID: 4218353326-965769772
Opcode ID: 0093ebad1f8dc9dee2c8afc0e4250bffaee91e77054f7fedfa86157423bcf3a4
Instruction ID: 28b7eaae6a029623aff1acf214443a68ff2754bd8baeae1b4b7236b938c130ca
Opcode Fuzzy Hash: 0093ebad1f8dc9dee2c8afc0e4250bffaee91e77054f7fedfa86157423bcf3a4
Instruction Fuzzy Hash: C2313CB2E0434077D5316A117C07FEF3AB8DB96744F44142CFA897A282E6769954C6A3

Function 00E46480 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 63COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E464A8
_strrchr.LIBCMT ref: 00E464D4

Strings

false && "ssh_fptype_from_cert ruled out the other values", xrefs: 00E46468
%.*s , xrefs: 00E4644B
%.*s %d , xrefs: 00E463BF
p, xrefs: 00E461EF
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c, xrefs: 00E46463
%02x%s, xrefs: 00E4605B, 00E46074, 00E4608D, 00E460A6, 00E460BF, 00E460D8, 00E460F1, 00E4610A, 00E46123, 00E4613C, 00E46155, 00E4616E, 00E46187, 00E461A0, 00E461B9, 00E461D2
SHA256:, xrefs: 00E46203
%s (with certificate: %s), xrefs: 00E464F4

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strrchr
String ID: %.*s $%.*s %d $%02x%s$%s (with certificate: %s)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c$SHA256:$false && "ssh_fptype_from_cert ruled out the other values"$p
API String ID: 3213747228-1270566597
Opcode ID: ae2399aa6c6f9739652e1dfa5814b5db8f00a82abf31f77b7121a8244ba6260d
Instruction ID: 95043540ac52ec2cf4af6e316164685e442d4123b16e7a23d92f5c7947c6514b
Opcode Fuzzy Hash: ae2399aa6c6f9739652e1dfa5814b5db8f00a82abf31f77b7121a8244ba6260d
Instruction Fuzzy Hash: 9E0184F2B003086FEA10AA617C8AD6BB6DDDED1758F040434FD09D7253F621DE1986B2

Function 00DE6D10 Relevance: 16.7, APIs: 11, Instructions: 181COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,00000000), ref: 00DE6DF8
SelectObject.GDI32(00000000), ref: 00DE6E05
MoveToEx.GDI32(?,?,00000000), ref: 00DE6E18
LineTo.GDI32(00000000,00000001), ref: 00DE6E34
SelectObject.GDI32 ref: 00DE6E43
CreatePen.GDI32(00000000,00000000), ref: 00DE6EA1
SelectObject.GDI32(00000000), ref: 00DE6EB4
Polyline.GDI32(?,00000005), ref: 00DE6EC5
SelectObject.GDI32(00000000), ref: 00DE6ED2
DeleteObject.GDI32(00000000), ref: 00DE6ED5
SetPixel.GDI32(?,?), ref: 00DE6F78

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Object$Select$Create$DeleteLineMovePixelPolyline
String ID:
API String ID: 1020918164-0
Opcode ID: 30ea1847261b24a5170e74ed9d3d4f9163a0d393e867508c6bf3576ce654f250
Instruction ID: e053485c4dcb7930a1313152ebaec9780a67d9762f986f685ad023e7bd19b49f
Opcode Fuzzy Hash: 30ea1847261b24a5170e74ed9d3d4f9163a0d393e867508c6bf3576ce654f250
Instruction Fuzzy Hash: 1F61D0B1504388AFD310DF26EC89B6BBBE9EF94350F08452AF955AB260D371DD48CB51

Function 00E271A0 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 312COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E273BE

Strings

%s%s, xrefs: 00E27352
`, xrefs: 00E273EE
%s, xrefs: 00E273AC
LRD, xrefs: 00E272B2, 00E272BA, 00E272FC
You need to specify a destination addressin the form "host.name:port", xrefs: 00E274E8
You need to specify a source port number, xrefs: 00E2745E
A46, xrefs: 00E2723F, 00E2724E
Specified forwarding already exists, xrefs: 00E274CB

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %s$%s%s$A46$LRD$Specified forwarding already exists$You need to specify a destination addressin the form "host.name:port"$You need to specify a source port number$`
API String ID: 601868998-173871474
Opcode ID: bfc8049590d7b1eb922883a4289fa66e402b49a3d526dab6d7394c2aaaa8084d
Instruction ID: 63dc0b7dfe2c19affc4b1df68e54967af4901e4c7da0826afd935843b46fc178
Opcode Fuzzy Hash: bfc8049590d7b1eb922883a4289fa66e402b49a3d526dab6d7394c2aaaa8084d
Instruction Fuzzy Hash: 3991C9F5A043007BD6117A21BC43F2B7ADDDF91748F086438FD89B6293F522AE958263

Function 00E14790 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00E1C110: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00E1C182
Part of subcall function 00E1C110: RegCloseKey.ADVAPI32(?), ref: 00E1C1BA

Part of subcall function 00E1EF00: _strlen.LIBCMT ref: 00E1EF0B
Part of subcall function 00E1EF00: _strcat.LIBCMT ref: 00E1EF27

Part of subcall function 00E1C340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00E14BC3,00000000,RandSeedFile), ref: 00E1C367
Part of subcall function 00E1C340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00E1C39F

_strlen.LIBCMT ref: 00E14806

Part of subcall function 00E1C440: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00E14E93,00000000,Recent sessions), ref: 00E1C466
Part of subcall function 00E1C440: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00E1C49D

Part of subcall function 00E42990: _strlen.LIBCMT ref: 00E429A6

_strlen.LIBCMT ref: 00E14830

Strings

PublicKey, xrefs: 00E147F1
PermitRSASHA256, xrefs: 00E148F5
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00E147BA
Validity, xrefs: 00E1481B
MatchHosts, xrefs: 00E1485A
PermitRSASHA1, xrefs: 00E148DA
PermitRSASHA512, xrefs: 00E14910

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: QueryValue_strlen$CloseCreate_strcat
String ID: MatchHosts$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Validity
API String ID: 1841596437-2091482613
Opcode ID: 1202efba11c05c77cffab9e07f9d08bb21be4d4200c1c5d7fb2fa6c7afaf8702
Instruction ID: 9a907c62ee2740c21340a29d63cefdc8b935593fe730259785ab637d900cb7ae
Opcode Fuzzy Hash: 1202efba11c05c77cffab9e07f9d08bb21be4d4200c1c5d7fb2fa6c7afaf8702
Instruction Fuzzy Hash: 8C41B1F5E403406BE6107B30AC42BBB76D89F50749F08682CFD89B6383E635D995C6A3

Function 00E14950 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00E1C110: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00E1C182
Part of subcall function 00E1C110: RegCloseKey.ADVAPI32(?), ref: 00E1C1BA

Part of subcall function 00E1C400: _strlen.LIBCMT ref: 00E1C410
Part of subcall function 00E1C400: RegSetValueExA.ADVAPI32(.G,?,00000000,00000001,00000000,-00000001,?,?,?,?,?,?,?,?,?,?), ref: 00E1C423

_strlen.LIBCMT ref: 00E149D3

Part of subcall function 00E48750: ___from_strstr_to_strchr.LIBCMT ref: 00E487A5

Part of subcall function 00E1C300: RegSetValueExA.ADVAPI32(00000000,00E14A12,00000000,00000004,00000000,00000004,?,00000000,00E14A12,00000000,PermitRSASHA1,?), ref: 00E1C322

Part of subcall function 00E1C1E0: RegCloseKey.ADVAPI32(00000000,00E14BCE,00000000), ref: 00E1C1E4

Strings

PublicKey, xrefs: 00E149B8
PermitRSASHA256, xrefs: 00E14A1A
CA record must have a name, xrefs: 00E14A48
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00E14978, 00E14A59
Unable to create registry keyHKEY_CURRENT_USER\%s\%s, xrefs: 00E14A5E
Validity, xrefs: 00E149EB
PermitRSASHA1, xrefs: 00E14A07
PermitRSASHA512, xrefs: 00E14A2D

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CloseValue_strlen$Create___from_strstr_to_strchr
String ID: CA record must have a name$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Unable to create registry keyHKEY_CURRENT_USER\%s\%s$Validity
API String ID: 1175142446-1463427279
Opcode ID: 67516efc51aeb6461822989bfd20e38df39870f3de3ffea6fc61961588ed5129
Instruction ID: f5cc8a8f1ec517928f20eb5b73b418c45be05325744ce398524a73ddf4928c04
Opcode Fuzzy Hash: 67516efc51aeb6461822989bfd20e38df39870f3de3ffea6fc61961588ed5129
Instruction Fuzzy Hash: F621B4FAE802107BE70276207C43FBE3AD94F51705F192074FD08B9293F6469AA596A3

Function 00E09320 Relevance: 15.1, APIs: 10, Instructions: 92threadtimeclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E09332
GetCapture.USER32 ref: 00E0934D
GetClipboardOwner.USER32 ref: 00E09364
GetQueueStatus.USER32(00001CBF), ref: 00E09380
GetCursorPos.USER32(?), ref: 00E093A0
GlobalMemoryStatus.KERNEL32 ref: 00E093B6
GetCurrentThread.KERNEL32 ref: 00E093D5
GetThreadTimes.KERNEL32(00000000,?,?,?,?), ref: 00E093E4
GetCurrentProcess.KERNEL32 ref: 00E093F7
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 00E09402

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CurrentProcessStatusThreadTimes$CaptureClipboardCursorForegroundGlobalMemoryOwnerQueueWindow
String ID:
API String ID: 3596705544-0
Opcode ID: 6669909a497a30c413a1d0f0e08b0472ffc1c6f9bceae5fdd6e72338efe522ba
Instruction ID: 5ea9c6086ddec0ddac22a18685ae54c8da66c14c4e2d97f1da3fb0fb3d19ebbe
Opcode Fuzzy Hash: 6669909a497a30c413a1d0f0e08b0472ffc1c6f9bceae5fdd6e72338efe522ba
Instruction Fuzzy Hash: FA2193729413407FE210ABA2FC0EF4B3FA9EF45768F041426F789B61C1DA619509CBA2

Function 00E030B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(00000000,?,00000000), ref: 00E03195

Strings

Font: %s, %sdefault height, xrefs: 00E0317C
bold, , xrefs: 00E03140, 00E03165, 00E03178
Font: %s, %s%d-%s, xrefs: 00E03169
c && c->ctrl->type == CTRL_FONTSELECT, xrefs: 00E03113
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E0310E
point, xrefs: 00E03154, 00E03163
pixel, xrefs: 00E0314F

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->type == CTRL_FONTSELECT$pixel$point
API String ID: 3367045223-1831221297
Opcode ID: a7e21c4318d8285d63999e943c7c76ae47e948e7772efe49f0ef429e059aabd4
Instruction ID: fc80d0452cdbe85e2c57428768611e3717c5d4e8dedd835c0a67dc9a7efc7fdf
Opcode Fuzzy Hash: a7e21c4318d8285d63999e943c7c76ae47e948e7772efe49f0ef429e059aabd4
Instruction Fuzzy Hash: CF21FCB2A00204AFD7009A24ED42E2B37E9EBD9304F052039F809BB253E632EE558752

Function 00EA4C87 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EA5072: CreateFileW.KERNEL32(00EC9BA5,00000000,?,00EA4D30,?,?,00000000,?,00EA4D30,00EC9BA5,0000000C), ref: 00EA508F

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EA4D9B
__dosmaperr.LIBCMT ref: 00EA4DA2
GetFileType.KERNEL32(00000000), ref: 00EA4DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EA4DB8
__dosmaperr.LIBCMT ref: 00EA4DC1
CloseHandle.KERNEL32(00000000), ref: 00EA4DE1
CloseHandle.KERNEL32(00E9DFF4), ref: 00EA4F2E
GetLastError.KERNEL32 ref: 00EA4F60
__dosmaperr.LIBCMT ref: 00EA4F67

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 664d3a27315253d2223a7039674daf9e2541ed0679dec79113643b169fc1b688
Instruction ID: 5dbf1a5a227e381c1d3dcabb0b25297cb573141eb3d0fc1056a0fac49ea4706a
Opcode Fuzzy Hash: 664d3a27315253d2223a7039674daf9e2541ed0679dec79113643b169fc1b688
Instruction Fuzzy Hash: CFA15572A105488FCF19AF68DC81BAE3BE1AB4B324F181159F816BF3D1C771A916CB41

Function 00E1CA80 Relevance: 13.6, APIs: 9, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CAB7
OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CAC5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB04
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB21
GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB4B
CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00E1CB6A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB8B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CB9A
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75755780,00E1CEC7), ref: 00E1CBA5

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
String ID:
API String ID: 621491157-0
Opcode ID: 34bddef1054de3fc4e25070517128238a1fcc78233746296f9a6c602249de6f2
Instruction ID: 2945446964ae84cf9a89bd454794a3b7322750e3d6209eaea745337b0d97d385
Opcode Fuzzy Hash: 34bddef1054de3fc4e25070517128238a1fcc78233746296f9a6c602249de6f2
Instruction Fuzzy Hash: 6E31C8312483046FE7205FB1EC8AF6B77A8EF44754F145839FA46FA1A0DB71C8849791

Function 00E087C0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 302COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E08D32

Part of subcall function 00E036C0: SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 00E03744

Part of subcall function 00E03770: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00E037F7

Strings

Unable to load host CA record '%s', xrefs: 00E08CDC
Cannot decode key: %s, xrefs: 00E08E0B
Invalid '%.*s' key data, xrefs: 00E08E7B
Invalid key (no key type), xrefs: 00E08DF5
CA key may not be a certificate (type is '%.*s'), xrefs: 00E08DEB
Unrecognised key type '%.*s', xrefs: 00E08E25

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend$_strlen
String ID: CA key may not be a certificate (type is '%.*s')$Cannot decode key: %s$Invalid '%.*s' key data$Invalid key (no key type)$Unable to load host CA record '%s'$Unrecognised key type '%.*s'
API String ID: 706372605-3650709019
Opcode ID: 15e258ceee5e941ca89e585ed5396fecb62940568b6f95452d72ddbaea72ad3e
Instruction ID: af898d939b40bc7fd0ac45377e000138bdfb3b4ca4b12da71a47576b7e036f20
Opcode Fuzzy Hash: 15e258ceee5e941ca89e585ed5396fecb62940568b6f95452d72ddbaea72ad3e
Instruction Fuzzy Hash: B58108F6A002047BD6007721FD42E6B7ADCDF65359F046435FD49B2293FA22E9A486B3

Function 00E543C0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E5458B
_strlen.LIBCMT ref: 00E545D0

Part of subcall function 00E487D0: _strlen.LIBCMT ref: 00E487DA

Part of subcall function 00E1EF00: _strlen.LIBCMT ref: 00E1EF0B
Part of subcall function 00E1EF00: _strcat.LIBCMT ref: 00E1EF27

Strings

Proxy username: , xrefs: 00E5462F
*password*, xrefs: 00E54543
Telnet proxy authentication, xrefs: 00E54466
Proxy password: , xrefs: 00E5465F
Sending Telnet proxy command: , xrefs: 00E5457C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen$_strcat
String ID: *password*$Proxy password: $Proxy username: $Sending Telnet proxy command: $Telnet proxy authentication
API String ID: 1497175149-2037000550
Opcode ID: 107c839607d862da9fff19d666b8c1f98782ae12ffd99a963e8058850d45af9d
Instruction ID: b1a03ecbc52b195ace0eae3ccc3384d91b779a30a82bd6ab7876eedaff495b88
Opcode Fuzzy Hash: 107c839607d862da9fff19d666b8c1f98782ae12ffd99a963e8058850d45af9d
Instruction Fuzzy Hash: 6081EBF5900205AFDB00EF14DC46FAAB7A5EF44318F045528FC197B292E772E965CB92

Function 00DE8080 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00DE80B3
GetDesktopWindow.USER32 ref: 00DE815C
GetClientRect.USER32(00000000), ref: 00DE8166
IsZoomed.USER32 ref: 00DE81F1
SetWindowPos.USER32(00000000,00000000,00000000,?,?,00000116), ref: 00DE8252
InvalidateRect.USER32(00000000,00000001), ref: 00DE8270

Strings

(, xrefs: 00DE8127

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: RectWindowZoomed$ClientDesktopInvalidate
String ID: (
API String ID: 2702938005-3887548279
Opcode ID: 5f3861555cd122e606e82f04410b20ce67e5307f396784d9099d4b66fc9b4549
Instruction ID: 082307c7043b885d2ea3a0d4090f84fb21a894dcaf31b26ff274aa818d5bc2b1
Opcode Fuzzy Hash: 5f3861555cd122e606e82f04410b20ce67e5307f396784d9099d4b66fc9b4549
Instruction Fuzzy Hash: 2451C8B16043C4AFD714AF26EC95B2A7BE5EB44340F08082DF949EB2B1DB31D858DB65

Function 00E704A0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E704B6
_strcat.LIBCMT ref: 00E704EB
GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E7052A

Strings

CryptProtectMemory, xrefs: 00E70524
%02x, xrefs: 00E705B6
p, xrefs: 00E70551, 00E70556
crypt32.dll, xrefs: 00E7050E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc_strcat_strlen
String ID: %02x$CryptProtectMemory$crypt32.dll$p
API String ID: 3651457578-4277748630
Opcode ID: 5452a34f9cf94124ac5d7f71e24171ea59a36b297d5a4bd22abc0e1f4b2b7d58
Instruction ID: 769077a669eaf842e8f2e42a2aad92458674251b4948cb051a377183a2ac69c5
Opcode Fuzzy Hash: 5452a34f9cf94124ac5d7f71e24171ea59a36b297d5a4bd22abc0e1f4b2b7d58
Instruction Fuzzy Hash: 33312BB2A00740AFDB1067356C8AE5B3BD89F51708F085434F80DBB243F625D948CB67

Function 00E0C730 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 122fileCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E0C7C2
CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00E0C7FD
GetLastError.KERNEL32 ref: 00E0C870

Part of subcall function 00E0CA10: GetCommState.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00E0C820,?), ref: 00E0CA2C

Part of subcall function 00E476A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E476E1
Part of subcall function 00E476A0: InitializeCriticalSection.KERNEL32(00EE53E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00E4773A
Part of subcall function 00E476A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 00E47748
Part of subcall function 00E476A0: CreateThread.KERNEL32(00000000,00000000,00E477A0,00000004,00000000), ref: 00E47772
Part of subcall function 00E476A0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00E4777D

Part of subcall function 00E473C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E47401
Part of subcall function 00E473C0: InitializeCriticalSection.KERNEL32(00EE53E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E4744A
Part of subcall function 00E473C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E47458
Part of subcall function 00E473C0: CreateThread.KERNEL32(00000000,00000000,00E474B0,00000004,00000000), ref: 00E47482
Part of subcall function 00E473C0: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E4748D

Part of subcall function 00E1EF00: _strlen.LIBCMT ref: 00E1EF0B
Part of subcall function 00E1EF00: _strcat.LIBCMT ref: 00E1EF27

Strings

%s%s, xrefs: 00E0C7DB
Opening '%s': %s, xrefs: 00E0C881
Opening serial device %s, xrefs: 00E0C7AF
\\.\, xrefs: 00E0C7CC

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread$CommErrorFileLastState___from_strstr_to_strchr_strcat_strlen
String ID: %s%s$Opening '%s': %s$Opening serial device %s$\\.\
API String ID: 3096320600-1737485005
Opcode ID: 904a29453cbb284d6b6ca243c347701bc79d84741aeeb2e7cf913b069f318a16
Instruction ID: 6322b2f1d064307284bb2308f41fa94e5e7813772aad87f92fc02a921f47ab8b
Opcode Fuzzy Hash: 904a29453cbb284d6b6ca243c347701bc79d84741aeeb2e7cf913b069f318a16
Instruction Fuzzy Hash: E141A2F5A003006FE3206F24EC46F277AE8EF54718F145528F95AAB3D3E671E95487A2

Function 00E17790 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?), ref: 00E177C2
htons.WS2_32(?), ref: 00E17825
inet_ntoa.WS2_32(?), ref: 00E17836

Part of subcall function 00E1EF00: _strlen.LIBCMT ref: 00E1EF0B
Part of subcall function 00E1EF00: _strcat.LIBCMT ref: 00E1EF27

htons.WS2_32(?), ref: 00E1787F
inet_ntop.WS2_32(00000017,?,?,00000041), ref: 00E17895

Strings

%s:%d, xrefs: 00E1784C
[%s]:%d, xrefs: 00E178AB

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: htons$_strcat_strlengetpeernameinet_ntoainet_ntop
String ID: %s:%d$[%s]:%d
API String ID: 3000913097-2542140192
Opcode ID: 37fdf18c65eb81313b844d177d86fd266d70c3448c64bf97352e6bf3db3d543f
Instruction ID: 7dfa731790e29d379ed392be4c9f57f91edd75a0c0beedf3dfae58760021780d
Opcode Fuzzy Hash: 37fdf18c65eb81313b844d177d86fd266d70c3448c64bf97352e6bf3db3d543f
Instruction Fuzzy Hash: 913193B15043009FD7209F65D845BABBBF4EB48710F00492DF98ADB291D775E885CB91

Function 00E09130 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00E0916C
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 00E09187
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00E091A2

Strings

CryptAcquireContextA, xrefs: 00E09166
CryptGenRandom, xrefs: 00E09181
advapi32.dll, xrefs: 00E09150
CryptReleaseContext, xrefs: 00E0919C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 190572456-129414566
Opcode ID: 03c1f590112674eaa7f4487c923c94e4c72ef0b1e4b6a53b07d6435a56f0d490
Instruction ID: 1352ee1ae11de804d35d6dc579fa05a140211641a06a23cc1f2beb1b8e0f5bfa
Opcode Fuzzy Hash: 03c1f590112674eaa7f4487c923c94e4c72ef0b1e4b6a53b07d6435a56f0d490
Instruction Fuzzy Hash: BA2151B4706746AFDB18CF66FD95F2636A5AB94701F10506CF806BA1E2DB31D888CB09

Function 00E00A10 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,0000018A,?,00000000), ref: 00E00A2F
SendDlgItemMessageA.USER32(?,?,00000189,?,00000000), ref: 00E00A4D
SendDlgItemMessageA.USER32(?,?,00000199,?,00000000), ref: 00E00A59
SendDlgItemMessageA.USER32(?,?,00000185,00000000,?), ref: 00E00A69
SendDlgItemMessageA.USER32(?,?,00000182,?,00000000), ref: 00E00A75
SendDlgItemMessageA.USER32(?,?,00000181,?), ref: 00E00A86
SendDlgItemMessageA.USER32(?,?,0000019A,?,00000000), ref: 00E00A94
SendDlgItemMessageA.USER32(?,?,00000186,?,00000000), ref: 00E00AA0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: 8e6c485fe08c13710001c99b82c6c77ff59272d420c9b549ed2a9b05c907633e
Instruction ID: 4d1f5b07cc0e4bab6d5aaf9a2a2b97eef332f359f3542e0700dd653c52ca5f7c
Opcode Fuzzy Hash: 8e6c485fe08c13710001c99b82c6c77ff59272d420c9b549ed2a9b05c907633e
Instruction Fuzzy Hash: 9E0192712813083BF12126129C46FAF7A6CDFC3F88F014118F644691C0D9A6AE12827E

Function 00E68140 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 201COMMON

Download Yara Rule

Strings

pos > base, xrefs: 00E68260
pos == base, xrefs: 00E682DF
head == 0, xrefs: 00E682FE
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/ntru.c, xrefs: 00E6825B, 00E682DA, 00E682F9, 00E68319
tail == n-1, xrefs: 00E6831E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/ntru.c$head == 0$pos == base$pos > base$tail == n-1
API String ID: 0-1035085132
Opcode ID: 148209b22b72266d42934a272854dc32f46e90286b23937aecbf025e9de3635c
Instruction ID: 43afc445f323190ab78a7444a1b89506b5a9f97e395a3a6aa9158297d551cb6f
Opcode Fuzzy Hash: 148209b22b72266d42934a272854dc32f46e90286b23937aecbf025e9de3635c
Instruction Fuzzy Hash: 43611671A483119BC324DF19D981A2AF7E2FFD8744F09962EF998A7391D731AC11C782

Function 00E05070 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

&, xrefs: 00E05173
%H%M%S, xrefs: 00E051C5
&, xrefs: 00E05220
&, xrefs: 00E05121

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: LocalTime
String ID: %H%M%S$&$&$&
API String ID: 481472006-1342691861
Opcode ID: d74a2a87a8a73d56529723d6e28d35a098e4cff4596e266007835e2f880fdec0
Instruction ID: 870313adac674f992f097ad01751554bb682d8ff64e5a33999822b0df8d6a1fa
Opcode Fuzzy Hash: d74a2a87a8a73d56529723d6e28d35a098e4cff4596e266007835e2f880fdec0
Instruction Fuzzy Hash: 935107B3909B44ABD710AB209C06B6B77F5AF55704F48682CFC8567292E321D994CB53

Function 00E80B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E80BC7
___except_validate_context_record.LIBVCRUNTIME ref: 00E80BCF
_ValidateLocalCookies.LIBCMT ref: 00E80C58
__IsNonwritableInCurrentImage.LIBCMT ref: 00E80C83
_ValidateLocalCookies.LIBCMT ref: 00E80CD8

Strings

csm, xrefs: 00E80C6D

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e53fdc479d5b4a24bab5333dde65862788144f8aa502a3a9c3c088f56950ba15
Instruction ID: 6f839a40c9492e1d6081dcebcef5a6b546910285cadce2aaad53c161e83a1771
Opcode Fuzzy Hash: e53fdc479d5b4a24bab5333dde65862788144f8aa502a3a9c3c088f56950ba15
Instruction Fuzzy Hash: AF41A574A002089FCF10EF69C884A9EBBF5FF45328F149255E91C7B392D771AA19CB91

Function 00E1CEA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00E1CD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52EC), ref: 00E1CDED
Part of subcall function 00E1CD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52F0), ref: 00E1CE1C
Part of subcall function 00E1CD70: GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00EE52F0), ref: 00E1CE26

GetCurrentProcess.KERNEL32 ref: 00E1CF82
GetLastError.KERNEL32 ref: 00E1CFBC
LocalFree.KERNEL32(?), ref: 00E1CFE3

Strings

Unable to set process ACL: %s, xrefs: 00E1CFB7, 00E1CFCC
unable to construct ACL: %s, xrefs: 00E1CF65
Could not restrict process ACL: %s, xrefs: 00E1CFEA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AllocateErrorInitializeLast$CurrentFreeLocalProcess
String ID: Could not restrict process ACL: %s$Unable to set process ACL: %s$unable to construct ACL: %s
API String ID: 4156538165-2118130043
Opcode ID: 3ddeccaa3ca21846b397b00833ba67af16e1220cb090aacf99a85cee6ff39d05
Instruction ID: e3c2f218084de51eaabe3187aa5265c5a84effed6c6bc490485c3c652039c12f
Opcode Fuzzy Hash: 3ddeccaa3ca21846b397b00833ba67af16e1220cb090aacf99a85cee6ff39d05
Instruction Fuzzy Hash: CB3163B16083409FD310DF51D849B5BBBF8EB88748F14481DF589AF390D7B59949CB92

Function 00E70AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(?,40000003,00000008,000000FF,00001000,00001000,00000000), ref: 00E70B23
ConnectNamedPipe.KERNEL32(?,00000010), ref: 00E70B3A
GetLastError.KERNEL32 ref: 00E70B44
CloseHandle.KERNEL32(?), ref: 00E70B86

Strings

Error while listening to named pipe: %s, xrefs: 00E70BA3

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateErrorHandleLast
String ID: Error while listening to named pipe: %s
API String ID: 3669627233-1472817922
Opcode ID: df0480fceb183d1176bdd1b544f610cf01d44b6bd0808d99663ba9f32858e1bd
Instruction ID: 6d32c59ebf2e95402b3f26fd918df4901104e17d51f0eac192a453e77410414b
Opcode Fuzzy Hash: df0480fceb183d1176bdd1b544f610cf01d44b6bd0808d99663ba9f32858e1bd
Instruction Fuzzy Hash: 6231E470640700EFE3209B25EC45F6BB7E8EF88318F108528F85AEB291D671EC408A52

Function 00DE2030 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00DE2670
GetCursorPos.USER32(?), ref: 00DE2682
IsZoomed.USER32 ref: 00DE26F5
GetWindowLongA.USER32(000000F0), ref: 00DE2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00DE273D

Strings

(, xrefs: 00DE26AA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: af96c7d463b8792a1b42b7aa830429d65ca6bcf373d1b44d3f90e93ea9836f6d
Instruction ID: a5a30f11cd760398fb19056fc0ce9cb528e56cc39f8a9e68ed176e827cdc8ee4
Opcode Fuzzy Hash: af96c7d463b8792a1b42b7aa830429d65ca6bcf373d1b44d3f90e93ea9836f6d
Instruction Fuzzy Hash: 1921D8316082849FE714AF22DC99B7A77E9FB40311F48892DF5C2DA1A1CB75C948DB61

Function 00DE2016 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00DE2670
GetCursorPos.USER32(?), ref: 00DE2682
IsZoomed.USER32 ref: 00DE26F5
GetWindowLongA.USER32(000000F0), ref: 00DE2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00DE273D

Strings

(, xrefs: 00DE26AA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: d89c8e08a948f3eaef7fe9034b53d6379aab8c19c29699b91b3e2875d2bf2d8b
Instruction ID: 53b253ce4a1cbcb5fbe51dd9cce27c7632f9d71192026a79ba46ce470982869f
Opcode Fuzzy Hash: d89c8e08a948f3eaef7fe9034b53d6379aab8c19c29699b91b3e2875d2bf2d8b
Instruction Fuzzy Hash: 1021EA316082849FE724AF22DC59B7977F8FB40311F48892DF5C2AA1E0CB75C948D761

Function 00E476A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E476E1
InitializeCriticalSection.KERNEL32(00EE53E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00E4773A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 00E47748
CreateThread.KERNEL32(00000000,00000000,00E477A0,00000004,00000000), ref: 00E47772
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00E4777D

Strings

USWVPhS, xrefs: 00E47755

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID: USWVPhS
API String ID: 2660700835-2672787360
Opcode ID: e4d392e4ff8578d91d3e7ab7489dadc702452587526aaa66232854f30af1a851
Instruction ID: 8b5322f428666b0dd9300c74b31023bb5d6b3ee11afa6a3e51ee9aef9f72d6e3
Opcode Fuzzy Hash: e4d392e4ff8578d91d3e7ab7489dadc702452587526aaa66232854f30af1a851
Instruction Fuzzy Hash: 8C21B271640304AFE3209F26EC4AB06BBF4EB44B55F10052AFA45BB6D0D7F0A508CB95

Function 00E94BE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00E94CF6,?,?,?,00000000,?,?,00E946FA,00000021,FlsSetValue,00EBC758,|,?), ref: 00E94CAA

Strings

api-ms-, xrefs: 00E94C40
ext-ms-, xrefs: 00E94C54

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 73e4ecca0f0c0f0d57af8e2e931ee4b26e155b2f1c6f321383b04325d3f9f078
Instruction ID: d2467d6b0fd76e82c4bb13948507e5d56458d153239cd64fa696bc8141b08a7f
Opcode Fuzzy Hash: 73e4ecca0f0c0f0d57af8e2e931ee4b26e155b2f1c6f321383b04325d3f9f078
Instruction Fuzzy Hash: 6D2108B2A03211AFDF319B22AC48E9AB758DB41768F251121F902B72D0E770EE02C6D0

Function 00E70600 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,00000000,?), ref: 00E7066F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00E7067E
GetLastError.KERNEL32(?,00000000,?), ref: 00E70686

Part of subcall function 00E1D3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00E1711E,?), ref: 00E1D46B
Part of subcall function 00E1D3E0: _strlen.LIBCMT ref: 00E1D476

LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00E4963B,00000000,?), ref: 00E706B1
LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00E4963B,00000000,?), ref: 00E706C0

Part of subcall function 00E1CBD0: LocalAlloc.KERNEL32(00000040,00000014,?,00000000,?), ref: 00E1CC9D
Part of subcall function 00E1CBD0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?), ref: 00E1CCAD
Part of subcall function 00E1CBD0: SetSecurityDescriptorOwner.ADVAPI32(?,00000000,?,00000000,?), ref: 00E1CCC2
Part of subcall function 00E1CBD0: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?), ref: 00E1CCD5

Strings

CreateMutex("%s") failed: %s, xrefs: 00E70697

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: DescriptorLocalSecurity$Free$AllocCreateDaclErrorFormatInitializeLastMessageMutexObjectOwnerSingleWait_strlen
String ID: CreateMutex("%s") failed: %s
API String ID: 3757897666-2623464464
Opcode ID: f8c3ec345ae44ac690916168892c45e5dc82d38af8be2ddb4ccb0d3487c165fc
Instruction ID: 68ebbfa5b0768cd94d36e6c6397d8e2514334d8be238bfca9cfac866dbe84349
Opcode Fuzzy Hash: f8c3ec345ae44ac690916168892c45e5dc82d38af8be2ddb4ccb0d3487c165fc
Instruction Fuzzy Hash: EA219FB16043019FD600EF65EC49B2B77E8EF84768F04881DF889F7281D770D9088BA2

Function 00E473C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E47401
InitializeCriticalSection.KERNEL32(00EE53E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E4744A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E47458
CreateThread.KERNEL32(00000000,00000000,00E474B0,00000004,00000000), ref: 00E47482
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00E4748D

Strings

USWVPhS, xrefs: 00E47465

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID: USWVPhS
API String ID: 2660700835-2672787360
Opcode ID: 56416eb74c4af8b9071085cfe1447ef3482c07146a73f93ac48e32a9f91bb397
Instruction ID: 606410418bb2a911ae06bdbf303f62929c69aa52199ebe2b53ddac57005dadad
Opcode Fuzzy Hash: 56416eb74c4af8b9071085cfe1447ef3482c07146a73f93ac48e32a9f91bb397
Instruction Fuzzy Hash: 2F21C470644344AFE3208F26EC4AB06BBF4EB44B58F104529FA89BF2D0C7F0A508CB95

Function 00DE6870 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32(00000040,00000000), ref: 00DE6925
InsertMenuA.USER32(00000030,00000000,00000040,&Restart Session), ref: 00DE693E
DeleteMenu.USER32(00000040,00000000), ref: 00DE694A
InsertMenuA.USER32(00000030,00000000,00000040,&Restart Session), ref: 00DE695D

Strings

%s (inactive), xrefs: 00DE687F
&Restart Session, xrefs: 00DE692D, 00DE694C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Menu$DeleteInsert
String ID: %s (inactive)$&Restart Session
API String ID: 985044671-219138112
Opcode ID: 70764cc93d5e56cc6e2ee654ee4a5290a1dce77d1145ae6412c006fcbf511d4b
Instruction ID: 9cef7d36caa17208564bf02dbdbba99a732453c6f218fb89ffc1d2715f10506d
Opcode Fuzzy Hash: 70764cc93d5e56cc6e2ee654ee4a5290a1dce77d1145ae6412c006fcbf511d4b
Instruction Fuzzy Hash: 22215EF1640398BFE614AB77BC4AF467B55EB05700F041066F205BF1E1D6B1E628CB69

Function 00E305F0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E3061E
_strlen.LIBCMT ref: 00E3064B

Strings

%.*s%s-%s%s, xrefs: 00E30606
-Release-0.81, xrefs: 00E305F5
1.99, xrefs: 00E30666
We claim version: %s, xrefs: 00E306A1

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: %.*s%s-%s%s$-Release-0.81$1.99$We claim version: %s
API String ID: 4218353326-4211473871
Opcode ID: 0767217cb6fe8fdd5fe15f2b9f8fd6dd56f559a129ce383a58e8bd0bfb940f75
Instruction ID: 6454253c322c07639f8b51b2ee1ef9db887fca0580512aaeb44d0fa122f695c1
Opcode Fuzzy Hash: 0767217cb6fe8fdd5fe15f2b9f8fd6dd56f559a129ce383a58e8bd0bfb940f75
Instruction Fuzzy Hash: 1211E9B7900B006FD7212A20ED17F973FE6AB94308F08106CF75575663E5639826D791

Function 00DE66E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00DE69AA
SetClassLongA.USER32(000000F4,00000000), ref: 00DE69BB
SetCursor.USER32(00000000), ref: 00DE69C2
ShowCursor.USER32(00000000), ref: 00DE69D4

Strings

false && "Bad busy_status", xrefs: 00DE69ED
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DE69E8

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Cursor$ClassLoadLongShow
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$false && "Bad busy_status"
API String ID: 1160125251-1066913011
Opcode ID: 4a5a0a78c15b42d64a7cfcd9c865524d2bf1108df537352aaecb6a7230fa2f81
Instruction ID: d4fe7e58190540569d699069691acdfae7d5c2b16970880c4e3d28abe14e57eb
Opcode Fuzzy Hash: 4a5a0a78c15b42d64a7cfcd9c865524d2bf1108df537352aaecb6a7230fa2f81
Instruction Fuzzy Hash: 6A01F7F05993C56EDB04B733AC8EA3A3B85DB20391F184537F546AA2A1CB64CD08CB31

Function 00DE7180 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 00DE7196
SelectPalette.GDI32(?,00000000,00000000), ref: 00DE71A0
ReleaseDC.USER32(?), ref: 00DE71AD

Strings

wintw_hdc, xrefs: 00DE71C9
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DE71C4, 00DE71EA
wgs.term_hwnd, xrefs: 00DE71EF

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ObjectPaletteReleaseSelectStock
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$wgs.term_hwnd$wintw_hdc
API String ID: 3714893027-3486798234
Opcode ID: 3809026c1da1cd6c0b71b129a3a3a277bcfa3b9968ae91eb5f5d451d058cb0bd
Instruction ID: 5c194d20b7172d162188a7bbeedc5998c0908cd66f6a911d834ddda33e4dc86d
Opcode Fuzzy Hash: 3809026c1da1cd6c0b71b129a3a3a277bcfa3b9968ae91eb5f5d451d058cb0bd
Instruction Fuzzy Hash: 1BF0B4B2542394AFE6606F13BD0AF663755EB00B10F096027FA0D3E2E0CBB00D4AD7A5

Function 00E9E7A7 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19db225b8e781c3991ccbe788156fdda628329540e0af7a8c99076118c87c69d
Instruction ID: f8b5b422754621140386a175a5178bb1a770adfe32e610951eedf956f49c395a
Opcode Fuzzy Hash: 19db225b8e781c3991ccbe788156fdda628329540e0af7a8c99076118c87c69d
Instruction Fuzzy Hash: 47B10370A002499FDF25DF99C880BAE7BF1BF89308F146198E615BB392D7709D41CB61

Function 00EA5624 Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(01681C58,01681C58,00000000,7FFFFFFF,?,00EA560F,01681C58,01681C58,00000000,01681C58,?,?,?,?,01681C58,00000000), ref: 00EA56CA
__freea.LIBCMT ref: 00EA585F
__freea.LIBCMT ref: 00EA5865
__freea.LIBCMT ref: 00EA589B
__freea.LIBCMT ref: 00EA58A1
__freea.LIBCMT ref: 00EA58B1

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 7be0abc9d311759d13d9343462396d2fe76a087e0b319ef7818f012f88cd55dc
Instruction ID: eef291e6108565ea28ac869d9d911e11e7db75ddc38dd86c9e05977aa55ec701
Opcode Fuzzy Hash: 7be0abc9d311759d13d9343462396d2fe76a087e0b319ef7818f012f88cd55dc
Instruction Fuzzy Hash: 2671D673901A05ABDF259F548C81BEE77FA9F4E314F19206AF904BF282D739AC008765

Function 00DE6FF0 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00DE70C5
GetCharWidth32W.GDI32(?,?), ref: 00DE70D6
GetCharWidthW.GDI32(?,?), ref: 00DE70EA
SelectObject.GDI32(?), ref: 00DE7113
GetCharWidth32A.GDI32 ref: 00DE7124
GetCharWidthA.GDI32 ref: 00DE7138

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Char$ObjectSelectWidthWidth32
String ID:
API String ID: 4136774150-0
Opcode ID: a1917808de09339e6caf4d1e867f1f62faaeb33d52324b237e7daa6e8cb264e7
Instruction ID: 2cff8b2c2df0283a2fe22d2f19c7504a08afcfdd6a4275102e8b6e3d5b8dce14
Opcode Fuzzy Hash: a1917808de09339e6caf4d1e867f1f62faaeb33d52324b237e7daa6e8cb264e7
Instruction Fuzzy Hash: FD3106B12082D85FD7686B67DCC9A267BAAEB44310F081126F459EE3B0C329CC48E771

Function 00E94080 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E94077,00E809F3,00E80679), ref: 00E9408E
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E9409C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E940B5
SetLastError.KERNEL32(00000000,00E94077,00E809F3,00E80679), ref: 00E94107

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 34cb5e70ecd0fbf174058020054f03eb755b93d5a15aa46d433c803768a4f3ed
Instruction ID: 728b529d120751b18245fa6af4b019dedd6b89041cb5f5d7bd69451cea9400b1
Opcode Fuzzy Hash: 34cb5e70ecd0fbf174058020054f03eb755b93d5a15aa46d433c803768a4f3ed
Instruction Fuzzy Hash: 5A01D8B220B3159EAF342A767C85D5B2798FB163B9720137EF7107A1F1EE914C46D140

Function 00E2B6A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E2B779

Strings

SSHCONNECTION@putty.projects.tartarus.org-2.0-, xrefs: 00E2B769
connected%s%s, xrefs: 00E2B86C
X, xrefs: 00E2B6BE
from , xrefs: 00E2B856, 00E2B86B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: from $SSHCONNECTION@putty.projects.tartarus.org-2.0-$connected%s%s$X
API String ID: 4218353326-1191676439
Opcode ID: fa07157b80a3dc6cd85d3a4c2e6f96ab570c9b7c7a0dc6304b00424933068eb5
Instruction ID: 0ba4cdedbaac5190df1098709e7cd4c88b84e880179198b8c78c595b46384a16
Opcode Fuzzy Hash: fa07157b80a3dc6cd85d3a4c2e6f96ab570c9b7c7a0dc6304b00424933068eb5
Instruction Fuzzy Hash: 9151A3F5A003009BE7149F65EC46B6777E8EF80308F04543DEA5AAB342E771E945CB62

Function 00DFF260 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E29BE0: GetLocalTime.KERNEL32(?,?,?,?,00E050A4,?), ref: 00E29BF6

_strftime.LIBCMT ref: 00DFF289
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000,00000000), ref: 00DFF308
SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 00DFF31E
SendDlgItemMessageA.USER32(000003E9,00000197,-000000FF,00000000), ref: 00DFF336

Strings

%Y-%m-%d %H:%M:%S, xrefs: 00DFF281

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend$LocalTime_strftime
String ID: %Y-%m-%d %H:%M:%S
API String ID: 3243744690-819171244
Opcode ID: dba5da5fccc1c0867af1e4589cfe25b547c46d7a820d541b58da5998444664ce
Instruction ID: 332e4ebd4e7e8800dae4acdc3a1e5288e157298bf9e692bb6ef2870af856d9d9
Opcode Fuzzy Hash: dba5da5fccc1c0867af1e4589cfe25b547c46d7a820d541b58da5998444664ce
Instruction Fuzzy Hash: A4312AB26003489FE7009B36FC97B6937E5EB49700F198125F601FF2E1D771AA098B91

Function 00E162B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

htonl.WS2_32(?), ref: 00E16355

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00E162DB, 00E1633E, 00E16366
addr->addresses && step.curraddr < addr->naddresses, xrefs: 00E16343
false && "bad address family in sk_addrcopy", xrefs: 00E1636B
family != AF_UNSPEC, xrefs: 00E162E0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: htonl
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$false && "bad address family in sk_addrcopy"$family != AF_UNSPEC
API String ID: 2009864989-3860342078
Opcode ID: e90779f0d854d2dbca28a3c0306770fc3df91c3aec8c1e2e9ad573c1de8ea418
Instruction ID: 7da228cfc34cc87712a8d0cb19246e3616e7ad2c08e2a7ec99bb738090a09516
Opcode Fuzzy Hash: e90779f0d854d2dbca28a3c0306770fc3df91c3aec8c1e2e9ad573c1de8ea418
Instruction Fuzzy Hash: AF21D2B5600300DFCB24CF09D8819A6B3E1FB95718F18A86AEC68BB351D730EC81CB61

Function 00EA1241 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00EA1304,?,?,00EE5AE8,00000000,?,00EA1214,00000004,InitializeCriticalSectionEx,00EBD778,00EBD780,00000000), ref: 00EA12D2

Strings

api-ms-, xrefs: 00EA1292

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 1c7482325e72e67e4aa8527e9e3a5d0dec374dc85e70c9033f1aec33345a2571
Instruction ID: ebf3f49b6ce906d638bca9de720288544ca0c0d97e54ff279c8cd7bb32160bf9
Opcode Fuzzy Hash: 1c7482325e72e67e4aa8527e9e3a5d0dec374dc85e70c9033f1aec33345a2571
Instruction Fuzzy Hash: 2711E732A41624ABCF2297699C447993798DF0B774F2412A1F911FF2A0D760FD0096E1

Function 00E15220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,00E14D9B), ref: 00E1525B
DeleteFileA.KERNEL32(00000000,00000002,00000000,?,00E14D9B), ref: 00E1526C
GetLastError.KERNEL32 ref: 00E15276
GetLastError.KERNEL32 ref: 00E15281

Strings

Unable to delete '%s': %s, xrefs: 00E15292

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorFileLast$CreateDelete
String ID: Unable to delete '%s': %s
API String ID: 3657518308-26304762
Opcode ID: cbc4d56129f2fb8c125b8a3c6b9627e969c8b65c7ec8fced9571b46822b36a05
Instruction ID: 2d9fa1f698b3e4f8ed347c3e926ae06a4eff42585498f8d09e3f4a5537ff098b
Opcode Fuzzy Hash: cbc4d56129f2fb8c125b8a3c6b9627e969c8b65c7ec8fced9571b46822b36a05
Instruction Fuzzy Hash: 140126B6201212AFE3206B356C4AFAF276DEFD4364F284A39F423E61D0E7304D51C665

Function 00E8C420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,57959A8C,?,?,00000000,00EA8094,000000FF,?,00E8C4EA,00E8C385,?,00E8C586,00000000), ref: 00E8C455
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E8C467
FreeLibrary.KERNEL32(00000000,?,?,00000000,00EA8094,000000FF,?,00E8C4EA,00E8C385,?,00E8C586,00000000), ref: 00E8C489

Strings

mscoree.dll, xrefs: 00E8C44E
CorExitProcess, xrefs: 00E8C45F

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f9cb51b31171a1623916f28a2d764c7afdf88ee3cbe4b782c9174a54d186c56a
Instruction ID: f97a90b17afd2c89e99b7222639180df99afc459260389ef4a045c28b7e67778
Opcode Fuzzy Hash: f9cb51b31171a1623916f28a2d764c7afdf88ee3cbe4b782c9174a54d186c56a
Instruction Fuzzy Hash: 7601F231900618EFDB018F50DC05BBEB7B9FF04B24F104626F826B2290DB749804CB90

Function 00DFF780 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00DFF7B6
SetDlgItemTextA.USER32(?,000003EA,PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso), ref: 00DFF7D0
EndDialog.USER32(?,00000001), ref: 00DFF7ED

Strings

%s Licence, xrefs: 00DFF7A5
PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso, xrefs: 00DFF7C5

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Text$DialogItemWindow
String ID: %s Licence$PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso
API String ID: 4005798191-2223775202
Opcode ID: 354cab244ecd8c9fd3b38ce0364fe8236a9cb392089ec8ca5da24c03c852808b
Instruction ID: 69cf664684875027e7974bde6ac04de9c931e84c8ed2640c80d6574196370e7d
Opcode Fuzzy Hash: 354cab244ecd8c9fd3b38ce0364fe8236a9cb392089ec8ca5da24c03c852808b
Instruction Fuzzy Hash: E3F0FC329142485BE2206728FC45EBEB364EF45725F194536F641F62C1C7558C8547F3

Function 00DE2147 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00DE2148
_strlen.LIBCMT ref: 00DE233A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 00DE2355
_strlen.LIBCMT ref: 00DE2369
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 00DE237C

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$GlobalLock
String ID:
API String ID: 2105387149-0
Opcode ID: 6fb4fce93ef0a3ecefc535dd2c93af312b5223ae9755d55c3e908da96d57335c
Instruction ID: 72cae80f972022c85d1b6f4499c481f6a5ccb813a70a1e0d3f3db3a1f81df274
Opcode Fuzzy Hash: 6fb4fce93ef0a3ecefc535dd2c93af312b5223ae9755d55c3e908da96d57335c
Instruction Fuzzy Hash: FD213AB294034437F22137626C87F7B329CDF51764F085135FE096A2D3FA64AA1882F5

Function 00DE1666 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00DE1680
ImmGetCompositionStringW.IMM32(00000000,00000800,00000000,00000000), ref: 00DE1691
ImmGetCompositionStringW.IMM32(00000000,00000800,00000000,00000000), ref: 00DE16BB
ImmReleaseContext.IMM32(?,00000000,00000000,00000800,00000000,00000000), ref: 00DE23BA
DefWindowProcW.USER32(?,?,?,?), ref: 00DE3520

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CompositionContextString$ProcReleaseWindow
String ID:
API String ID: 1848772681-0
Opcode ID: 949ee3ba4d84ca35243819fef0aac1e16e670ee4ed4a0122791ee7803a4ae12f
Instruction ID: 1f585b150a7d8ee6d8c60e7efed2857b4874f7a334f474824598e06cb14e2d5e
Opcode Fuzzy Hash: 949ee3ba4d84ca35243819fef0aac1e16e670ee4ed4a0122791ee7803a4ae12f
Instruction Fuzzy Hash: 092126B13403486FE7203712DC86B3B32D9E791304F08803DF9855B282EAB9695A9BB1

Function 00DEAA20 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(000000F0), ref: 00DEAA2A
SetWindowLongA.USER32(000000F0,?), ref: 00DEAA89
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027,?,?,?,00DE2DC0,?,?,?), ref: 00DEAAA1
CheckMenuItem.USER32(00000180,00000000), ref: 00DEAABA
CheckMenuItem.USER32(00000180,00000000), ref: 00DEAAC9

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Window$CheckItemLongMenu
String ID:
API String ID: 730651012-0
Opcode ID: a7881772d328c3b186d8e71cd548afe460fb073a9499856e2807dda223b18a50
Instruction ID: 881e957455da113a025ee92e5a4818dc80013c9c5197385cb0c5c5128e841e3e
Opcode Fuzzy Hash: a7881772d328c3b186d8e71cd548afe460fb073a9499856e2807dda223b18a50
Instruction Fuzzy Hash: C2012B71A441547FEA151B26FC06F293F22E740B22F240336F756BD1F0CE611818D744

Function 00DEA8F0 Relevance: 7.5, APIs: 5, Instructions: 25windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32(00DE3F15), ref: 00DEA8F6
GetWindowLongA.USER32(000000F0), ref: 00DEA908
IsZoomed.USER32 ref: 00DEA91B
SendMessageA.USER32(00008003,00000000,00000000), ref: 00DEA939
ShowWindow.USER32(00000003), ref: 00DEA94B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: WindowZoomed$LongMessageSendShow
String ID:
API String ID: 4028103791-0
Opcode ID: b41e9505cd4f85aaf475ac6f1b8e2e902e00d9d5f525281494a1828bf37a3ee4
Instruction ID: adb30e3baa41787617c20a08a6baca48f3eaf67953620406355f68e694e0d7b5
Opcode Fuzzy Hash: b41e9505cd4f85aaf475ac6f1b8e2e902e00d9d5f525281494a1828bf37a3ee4
Instruction Fuzzy Hash: 29F03030240186AFEA156F27FD5AF143B2AEB00721F160426F342BC0F5DF61A918DE19

Function 00EA0942 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EA0AC2
__freea.LIBCMT ref: 00EA0ADE

Strings

a/p, xrefs: 00EA0BA6
am/pm, xrefs: 00EA0B42

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: 80a8c9e2740bbbb5aa0d0f899383e2b91d34cd6819c84c3cccd4430593317a5a
Instruction ID: 501e2c071e8804ad4c6ba721f91f4760fd394353254f27ad58da6dc32983788f
Opcode Fuzzy Hash: 80a8c9e2740bbbb5aa0d0f899383e2b91d34cd6819c84c3cccd4430593317a5a
Instruction Fuzzy Hash: F4C1AC36900216DFDB248FA8C985ABABBB0EF5F318F246149E905BF251D335BD41CB61

Function 00E0B490 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

client subnegotiation: SB TTYPE IS %s, xrefs: 00E0BA3F
server subnegotiation: SB TTYPE <something weird>, xrefs: 00E0BAF5
server subnegotiation: SB TTYPE SEND, xrefs: 00E0BA29

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE <something weird>$server subnegotiation: SB TTYPE SEND
API String ID: 0-1023599780
Opcode ID: 44aa86bb109abab42ef6e14ace9240d9a7a16a07801d1f80606b2b0743fb8ba7
Instruction ID: f8d1717b876d7dbecb1230c7e86c8348c66c789d2f3b32957cc9509ec4e698cb
Opcode Fuzzy Hash: 44aa86bb109abab42ef6e14ace9240d9a7a16a07801d1f80606b2b0743fb8ba7
Instruction Fuzzy Hash: 5CB14470A083019FD7148B28CC46BAAB7A5FF81328F149669F496BB2E2D331D8C5D752

Function 00E436B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E437D6

Strings

SSH PRIVATE KEY FILE FORMAT 1.1, xrefs: 00E436ED
file format error, xrefs: 00E436FE
wrong passphrase, xrefs: 00E438F6

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: SSH PRIVATE KEY FILE FORMAT 1.1$file format error$wrong passphrase
API String ID: 4218353326-2390803400
Opcode ID: d04811a9d1d0f33f630273429377dd194565ba5f41107ad490548f8a368b2305
Instruction ID: 4d4051d08ffd49c2fe7acac357fb192d67e227d37db016db9991b094b3c85215
Opcode Fuzzy Hash: d04811a9d1d0f33f630273429377dd194565ba5f41107ad490548f8a368b2305
Instruction Fuzzy Hash: 9661E8F4904300AFDB14AF34EC4576ABBE0FF54308F045529F89966293E771EA94C792

Function 00DFF590 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DFF800: SetWindowTextA.USER32(?,?), ref: 00DFF80F
Part of subcall function 00DFF800: GetWindowLongA.USER32(?,000000EC), ref: 00DFF821
Part of subcall function 00DFF800: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00DFF830

LoadIconA.USER32(000000C9), ref: 00DFF5CE
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00DFF5DD

Part of subcall function 00E29B40: GetDesktopWindow.USER32 ref: 00E29B52
Part of subcall function 00E29B40: GetWindowRect.USER32(00000000,?), ref: 00E29B5E
Part of subcall function 00E29B40: GetWindowRect.USER32(?), ref: 00E29B70
Part of subcall function 00E29B40: MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,76C03EB0,?,?,?,00DFDF7C,?), ref: 00E29BBE

Part of subcall function 00DFFD60: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00DFFD8B
Part of subcall function 00DFFD60: GetClientRect.USER32(?,?), ref: 00DFFD9D
Part of subcall function 00DFFD60: MapDialogRect.USER32(?), ref: 00DFFDC6

ShowWindow.USER32(?,00000001), ref: 00DFF753

Strings

Main, xrefs: 00DFF60D, 00DFF64E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Window$Rect$LongMessageSend$ClientDesktopDialogIconLoadMoveShowText
String ID: Main
API String ID: 174503319-521822810
Opcode ID: f28a4dda8fcef6a4cc8034852463d4ddbc4572127162a1cf13e2db46fe201c75
Instruction ID: 7cf4284f458c806b09bfd3b0dbe6ca5dcc991e59b9b690a1c3fef5d3d3cab10a
Opcode Fuzzy Hash: f28a4dda8fcef6a4cc8034852463d4ddbc4572127162a1cf13e2db46fe201c75
Instruction Fuzzy Hash: 5D412CB5600308AFD7116B21EC42F2BB7E9EF44758F154438F645B73E2EA62EA148771

Function 00E03340 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,?), ref: 00E033BB

Strings

c && c->ctrl->type == CTRL_RADIO, xrefs: 00E0338C
false && "no radio button was checked", xrefs: 00E033D5
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E03387, 00E033D0

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO$false && "no radio button was checked"
API String ID: 1719414920-356531850
Opcode ID: 84f3740141575232d151564189a9c7c47a377e608e5eb509b216702894ba136f
Instruction ID: 9bde81915e8a7c551b8d287230e58ba0296aac4cdc3f2b9935bfd72ad0830f23
Opcode Fuzzy Hash: 84f3740141575232d151564189a9c7c47a377e608e5eb509b216702894ba136f
Instruction Fuzzy Hash: 5411C2727003049FD310AB29DD82F2677D9EF91749F062066E458F72D1DB61ED8487A1

Function 00E2B0A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00E1EF00: _strlen.LIBCMT ref: 00E1EF0B
Part of subcall function 00E1EF00: _strcat.LIBCMT ref: 00E1EF27

_strlen.LIBCMT ref: 00E2B12D

Strings

!cs->sent_verstring, xrefs: 00E2B175
SSHCONNECTION@putty.projects.tartarus.org-2.0-, xrefs: 00E2B11D
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/sharing.c, xrefs: 00E2B170

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen$_strcat
String ID: !cs->sent_verstring$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/sharing.c$SSHCONNECTION@putty.projects.tartarus.org-2.0-
API String ID: 1497175149-2985379557
Opcode ID: 970f1041a42ffc990138b1ca9112e5c92e39b89f07f079437b9ba3650f340c7c
Instruction ID: 3577a2c46e880d429c9abbd32e65df0726fcac66c54251ef009d2cddf85a6fa2
Opcode Fuzzy Hash: 970f1041a42ffc990138b1ca9112e5c92e39b89f07f079437b9ba3650f340c7c
Instruction Fuzzy Hash: 152129B29003003BD7216A20FC46F6737D8DB41718F091669F8157A2D3F762ED65C7A2

Function 00E0CCC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32(?), ref: 00E0CD43
CloseHandle.KERNEL32(?), ref: 00E0CD4C

Strings

End of file reading from serial device, xrefs: 00E0CCFF, 00E0CD64, 00E0CD70
Error reading from serial device, xrefs: 00E0CCFA

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: End of file reading from serial device$Error reading from serial device
API String ID: 2685284230-2629609604
Opcode ID: 8b28542e10dbae0eac676fc8ad6428c58dab8923483b6da75cb4c83b5c21384a
Instruction ID: a3504897c6eb597d36ee393eabe9e7a5d7f844b2676dad7c2efe43df15f41599
Opcode Fuzzy Hash: 8b28542e10dbae0eac676fc8ad6428c58dab8923483b6da75cb4c83b5c21384a
Instruction Fuzzy Hash: 1421C2B16007009BD7209F29EC48E07BBE9EF94314F24593DF89AA32E1D731E855CB51

Function 00E1C340 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00E14BC3,00000000,RandSeedFile), ref: 00E1C367
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00E1C39F

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/utils/registry.c, xrefs: 00E1C3B9
size < allocsize, xrefs: 00E1C3BE

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: QueryValue
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/utils/registry.c$size < allocsize
API String ID: 3660427363-1544670526
Opcode ID: 0883b6ca1f6b399839bf93bedeab3e9aed72eba94f769bfde7d8406d82a38a5d
Instruction ID: 7cb37b76a9607e210074762a16519d80fa53035e3d1d8d101c7ead40eef9168d
Opcode Fuzzy Hash: 0883b6ca1f6b399839bf93bedeab3e9aed72eba94f769bfde7d8406d82a38a5d
Instruction Fuzzy Hash: B111C871284304BFD610AB14AC81F7F77EDEF94B48F50542AF549FA281E6719C448752

Function 00E71580 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetNamedPipeClientProcessId), ref: 00E715BC

Strings

GetNamedPipeClientProcessId, xrefs: 00E715B6
kernel32.dll, xrefs: 00E715A0
process id %lu, xrefs: 00E71613

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: AddressProc
String ID: GetNamedPipeClientProcessId$kernel32.dll$process id %lu
API String ID: 190572456-462240408
Opcode ID: 17886c5de8a8fd179f3c52b088b65c877c0381fce91bd88a49bc9300737ecde8
Instruction ID: 3338c96b3e036091426986bbbe1646c68fdd10620a2dd9288d7add4c2aea3bcf
Opcode Fuzzy Hash: 17886c5de8a8fd179f3c52b088b65c877c0381fce91bd88a49bc9300737ecde8
Instruction Fuzzy Hash: 0D11C2B1A403019FD7589F29EC56B5A3AE0AF48714F00907CF44ABF2E2EB318944CBA5

Function 00DE1060 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49registrywindowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(MZx,000000C8), ref: 00DE10E4
LoadCursorA.USER32(00000000,00007F01), ref: 00DE10F5
RegisterClassW.USER32 ref: 00DE111B

Strings

MZx, xrefs: 00DE10E3

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Load$ClassCursorIconRegister
String ID: MZx
API String ID: 738324305-2575928145
Opcode ID: 04b1e2614644eff970efd8337a4dd097acecb75dd7e048c38397a6d16cb9a8bb
Instruction ID: 39d71956f874104f5f5ff153b23dca8001038aeef4e43d7a29d5f7ed4c5594c0
Opcode Fuzzy Hash: 04b1e2614644eff970efd8337a4dd097acecb75dd7e048c38397a6d16cb9a8bb
Instruction Fuzzy Hash: 6D115B74A093889FD300DF66EC5571A7BE4AB48754F04481EF588AB3A0D7758988CB82

Function 00DE67B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00DE67F9
ShowCursor.USER32(00000001), ref: 00DE683D
MessageBoxA.USER32(Connection closed by remote host,00000040), ref: 00DE685D

Strings

Connection closed by remote host, xrefs: 00DE6852

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message$CursorPostQuitShow
String ID: Connection closed by remote host
API String ID: 3394085358-3682140707
Opcode ID: fa966bf54fc5719649d2d6da148a4d16efb018cd946696a8dc34265ee8c71bc5
Instruction ID: c08f57eaa0e838ada46c7c4fd81e96a8d03846149256aa85a5e736018687b560
Opcode Fuzzy Hash: fa966bf54fc5719649d2d6da148a4d16efb018cd946696a8dc34265ee8c71bc5
Instruction Fuzzy Hash: 170126B09042C49FEB207B23BCC9B443B51A725755F080125F641790F2DBA1895997B5

Function 00DE63F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00DE6429
MessageBoxA.USER32(?,00000000,00000010), ref: 00DE6440
PostQuitMessage.USER32(00000001), ref: 00DE6476

Strings

%s Fatal Error, xrefs: 00DE63FC

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message$CursorPostQuitShow
String ID: %s Fatal Error
API String ID: 3394085358-656502033
Opcode ID: 2b7085459570538e91aef8fa2a3a7b7269193520e30c153294b97769cbcb61cd
Instruction ID: 20b88546c4f905aec2da2b5ac48185ebe222524e55498ff11f3835603d99739c
Opcode Fuzzy Hash: 2b7085459570538e91aef8fa2a3a7b7269193520e30c153294b97769cbcb61cd
Instruction Fuzzy Hash: 6DF0F936954284AEE7107B23BC06F853A65AB15745F080024F782781E2DA925559D7B6

Function 00DE6A00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8FB31: IsProcessorFeaturePresent.KERNEL32(00000017,00E8348B,?,?,?,?,00000000), ref: 00E8FB4D

GetDC.USER32(00000000), ref: 00DE6A3E
SelectPalette.GDI32(00000000,00000000), ref: 00DE6A53

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00DE6A20
!wintw_hdc, xrefs: 00DE6A25

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: FeaturePalettePresentProcessorSelect
String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c
API String ID: 1536087120-2668247132
Opcode ID: a3c15087a8cc3e8c2edd215d3e97fc3cf8f23bb208ee229cf381c26874c4bd2a
Instruction ID: a95ea7dc1fbde30d137ee447267e00d7a8c6393dd58a4305fcf9effc443b7173
Opcode Fuzzy Hash: a3c15087a8cc3e8c2edd215d3e97fc3cf8f23bb208ee229cf381c26874c4bd2a
Instruction Fuzzy Hash: F7F0A0F2A40240AFE210AB37BC1AF5732D9DB84B81F099037F518BF298DA71C9468720

Function 00DFF490 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00DFF4BE

Strings

%s Key File Warning, xrefs: 00DFF4A9
You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You, xrefs: 00DFF499
PuTTY, xrefs: 00DFF498, 00DFF4A8

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message
String ID: %s Key File Warning$PuTTY$You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You
API String ID: 2030045667-626526669
Opcode ID: e8df92c6c9d4ef8352584a8f6b3198cc6877388756d2289b8626ca9bfd677ac3
Instruction ID: 068e1da39112dcbc016e1137852e648e646f1a43d9578e9e91059f77ccfa9756
Opcode Fuzzy Hash: e8df92c6c9d4ef8352584a8f6b3198cc6877388756d2289b8626ca9bfd677ac3
Instruction Fuzzy Hash: 53E04F72D502102AE15136667C0BFEF29BCCBD7B25F081035FA16B9283F951295682B6

Function 00E9D5CC Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(57959A8C,00000000,00000000,00000000), ref: 00E9D62F

Part of subcall function 00E9BA6A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA0F69,?,00000000,-00000008), ref: 00E9BB16

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E9D88A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00E9D8D2
GetLastError.KERNEL32 ref: 00E9D975

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3c5053ff6a6cf79469a362d88165d2e61ee8585a4a9465dec89e988f0472469a
Instruction ID: db302a36e579fdcff68a788c71b5267ea5c0155d3277cc3fafe80055e8f104eb
Opcode Fuzzy Hash: 3c5053ff6a6cf79469a362d88165d2e61ee8585a4a9465dec89e988f0472469a
Instruction Fuzzy Hash: 79D176B5D04258AFCF15DFA8DC80AADBBB5FF48314F18512AE866FB352D630A901CB50

Function 00E313E0 Relevance: 6.2, APIs: 4, Instructions: 168timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00E314BF
__aulldiv.LIBCMT ref: 00E314E3
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E3153E
__aulldiv.LIBCMT ref: 00E31561

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Time$File$__aulldiv$LocalSystem
String ID:
API String ID: 1236384784-0
Opcode ID: f41d36289831fd896b6037684556f8ffa7af961b7c73a5ce936cd8338d5b8f3a
Instruction ID: f4dffeb0225e9451b62cca736fb75a7046000acfc5d0b7e516eaab48fa9ea2df
Opcode Fuzzy Hash: f41d36289831fd896b6037684556f8ffa7af961b7c73a5ce936cd8338d5b8f3a
Instruction Fuzzy Hash: AC612871604205AFDB14CF28C844B9ABBE5FF88718F058A6DF999A7390D771E805CB92

Function 00E8E778 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1d76366400aa766bf7c64a7d6ddedcece550e4ccf6ae9dc12de715040f537f
Instruction ID: 91d6212552698d478a1e440373609583c156f918ddf1eefa14ae375f87b9b2f0
Opcode Fuzzy Hash: 4a1d76366400aa766bf7c64a7d6ddedcece550e4ccf6ae9dc12de715040f537f
Instruction Fuzzy Hash: 7641B672A00714AFD725AF78CC42B9EBBE9EB84710F10952AF15DFB781D671D9408790

Function 00DE8750 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00DE878E
GetSysColor.USER32 ref: 00DE87ED
GetSysColor.USER32 ref: 00DE884C
GetSysColor.USER32 ref: 00DE8889

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 3c0265ef06d12f0662b98479e5c016ebb783c2d7a5495875b5c927cf23c32d9c
Instruction ID: d4cdd616dd1e681043fb99234c41e8344f90b233c023dec365fde109ebd12f47
Opcode Fuzzy Hash: 3c0265ef06d12f0662b98479e5c016ebb783c2d7a5495875b5c927cf23c32d9c
Instruction Fuzzy Hash: 9641A36501D3D4AED302AFA9804416FBFE4AFA5600F45CD4EF8D88B386D674C589DB63

Function 00E9ADDC Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00E9BA6A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA0F69,?,00000000,-00000008), ref: 00E9BB16

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00E9AE40
__dosmaperr.LIBCMT ref: 00E9AE47
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00E9AE81
__dosmaperr.LIBCMT ref: 00E9AE88

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: a95cb37d84f5d8b7fdb5fe7d8e400cd6a1f950b33b8965409ddd6e9d74c76859
Instruction ID: 46bce90636eaa5772415856b4d5b0bbdeeafaad2b73e45f0ce39f420436ff5ba
Opcode Fuzzy Hash: a95cb37d84f5d8b7fdb5fe7d8e400cd6a1f950b33b8965409ddd6e9d74c76859
Instruction Fuzzy Hash: 6D219271600715AFDF21AF61D88096BB7E9EF44368718A939F919B7250D730ED8087D2

Function 00E931FB Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1026387a5557b1370cd535921040f24fa3d06891b6c0179218fbfc22bfdcb919
Instruction ID: 7d0d5ca711d7c28f3503f8f22691df06b3c98fc9fce206aa2115a0edd08dc05b
Opcode Fuzzy Hash: 1026387a5557b1370cd535921040f24fa3d06891b6c0179218fbfc22bfdcb919
Instruction Fuzzy Hash: DB219031204205AFDF20AFB5DC8596BB7AEEF453687105529F91AB7261EB30EE44C7A0

Function 00DE1767 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00DE176C
ImmSetCompositionFontA.IMM32(00000000,00EE3D88), ref: 00DE1779
ImmReleaseContext.IMM32(?,00000000,00000000,00EE3D88), ref: 00DE1780
DefWindowProcW.USER32(?,?,?,?), ref: 00DE3520

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Context$CompositionFontProcReleaseWindow
String ID:
API String ID: 3677218219-0
Opcode ID: 0219c4b08bebcce8890a564d2f4b7df098baf8b9523d81007b3393226c68309f
Instruction ID: 816c885d7cc8288a4be3a4d719ee8b17847a57b5389cc86c1091883b2a12a14d
Opcode Fuzzy Hash: 0219c4b08bebcce8890a564d2f4b7df098baf8b9523d81007b3393226c68309f
Instruction Fuzzy Hash: 60E0E5313002081BD11432265C4597BB3DDEFE6750F04903EF8CAA7202DC746D065BA1

Function 00EA655B Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00EA4BE5,00000000,00000001,00000000,00000000,?,00E9D9C9,00000000,00000000,00000000), ref: 00EA6572
GetLastError.KERNEL32(?,00EA4BE5,00000000,00000001,00000000,00000000,?,00E9D9C9,00000000,00000000,00000000,00000000,00000000,?,00E9D314,?), ref: 00EA657E

Part of subcall function 00EA65CF: CloseHandle.KERNEL32(FFFFFFFE,00EA658E,?,00EA4BE5,00000000,00000001,00000000,00000000,?,00E9D9C9,00000000,00000000,00000000,00000000,00000000), ref: 00EA65DF

___initconout.LIBCMT ref: 00EA658E

Part of subcall function 00EA65B0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EA654C,00EA4BD2,00000000,?,00E9D9C9,00000000,00000000,00000000,00000000), ref: 00EA65C3

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00EA4BE5,00000000,00000001,00000000,00000000,?,00E9D9C9,00000000,00000000,00000000,00000000), ref: 00EA65A3

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 12b4a0b67561c70ae47844f161f79f35d0809399fd7a6b29a3bebffa75cdf7a8
Instruction ID: c627edac254fa559dcd055586e4f4538875e92a51bf646c7f9efda98212c3159
Opcode Fuzzy Hash: 12b4a0b67561c70ae47844f161f79f35d0809399fd7a6b29a3bebffa75cdf7a8
Instruction Fuzzy Hash: DCF03736801158BFCF126FE2EC089893F66FF0E370B095511FE19A9131D6719924DBD0

Function 00E985B8 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

P(, xrefs: 00E988CB
P(, xrefs: 00E985E6

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID:
String ID: P($P(
API String ID: 0-1372810844
Opcode ID: ed65a4eacfccf3411da2ed46bb59158edb77d05179f9b4eab314446e32619c0d
Instruction ID: 6af548d7c845cc7731e2a43886c33de9b6e799e25c34a756c1da03bce9386b98
Opcode Fuzzy Hash: ed65a4eacfccf3411da2ed46bb59158edb77d05179f9b4eab314446e32619c0d
Instruction Fuzzy Hash: C5C157B2D40204EBDF20DBA8CD82FEE77F89F49740F155065FA44FB282D5B0A9419B61

Function 00E9057E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E906F5

Strings

M6, xrefs: 00E905EB, 00E905FE, 00E905A6, 00E905A9, 00E90604, 00E9060D
M6, xrefs: 00E907A5

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: __aulldiv
String ID: M6$M6
API String ID: 3732870572-627058004
Opcode ID: a7ae378bb7e0d8fc4bdf95f6efe56eb2e75787fda9f347d478065f451e9038de
Instruction ID: fb423e7c97ae0e8117788387647420a7c48d6f7b59e9880f310175278c258c55
Opcode Fuzzy Hash: a7ae378bb7e0d8fc4bdf95f6efe56eb2e75787fda9f347d478065f451e9038de
Instruction Fuzzy Hash: BEA1E370E01258AFDF24DE78C8506EE7BA5EF55324F94A55AECA5BB381C330E901CB90

Function 00E1EB20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?), ref: 00E1EBF0

Strings

p - mbstr < mblen, xrefs: 00E1EC83, 00E1ECC1, 00E1ED35, 00E1ED6C
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/unicode.c, xrefs: 00E1EC7E, 00E1ECBC, 00E1ED30, 00E1ED67

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/unicode.c$p - mbstr < mblen
API String ID: 626452242-1134606155
Opcode ID: 51352de99f37a28ebbb23ace13f082661c409ab39bd60939c7629f7773e1cbfa
Instruction ID: a9b07da7a14bc0174b7480c0eed74199e8f38e95d19d30c9c59809a49e6b8a57
Opcode Fuzzy Hash: 51352de99f37a28ebbb23ace13f082661c409ab39bd60939c7629f7773e1cbfa
Instruction Fuzzy Hash: 7E51B2706483859BC730DF14C885AEBB7E1EF94708F14692DFC99AB381D7719984C792

Function 00E42870 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E428F0

Strings

false && "unhandled node type in exprnode_free", xrefs: 00E428CE
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/cert-expr.c, xrefs: 00E42859, 00E428C9

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/cert-expr.c$false && "unhandled node type in exprnode_free"
API String ID: 4218353326-839404475
Opcode ID: 93bc4d967e8f74246b6a32035b0478d2895902b87659003ec0813f06dfc8c916
Instruction ID: 57aee728257b77ec6b28a42557340e67f04cb9bd85e19f8068e051b0c7b4a66a
Opcode Fuzzy Hash: 93bc4d967e8f74246b6a32035b0478d2895902b87659003ec0813f06dfc8c916
Instruction Fuzzy Hash: F0316772A002108BD7106E29BC526AEB3E5DFC1334F85522EF65927391E730AC4587D2

Function 00E055A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E055B5
___from_strstr_to_strchr.LIBCMT ref: 00E055C4

Strings

Event Log: %s, xrefs: 00E05633, 00E0567B

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: Event Log: %s
API String ID: 601868998-1617424366
Opcode ID: 41f3251dbdf78199bf9c720cc0ed07cf466e6ab74c24d90b0b6f2f2a9bb25060
Instruction ID: 9b322517d391d08f560c88367e2e24f25bc3cac14df37d5b4e96407654674609
Opcode Fuzzy Hash: 41f3251dbdf78199bf9c720cc0ed07cf466e6ab74c24d90b0b6f2f2a9bb25060
Instruction Fuzzy Hash: A6213B73600900ABDB215A24EC4677B7795AF12318F8C2515E409B62D2E32398D4CF93

Function 00E036C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 00E03744

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00E0370C
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E03707

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: 07967802d1a8397526f3af7c3362607410ea9b84e181050df46712cdf7110c6c
Instruction ID: c45556e2c649c2f4cfebcaa8724268ec5ff73b6897ed11a94a7c7264c0b2dbf0
Opcode Fuzzy Hash: 07967802d1a8397526f3af7c3362607410ea9b84e181050df46712cdf7110c6c
Instruction Fuzzy Hash: 731108F1604304AFE7208B28DC95B337798EB45318F18112BF109A72D1C762AD94C791

Function 00E032A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CheckRadioButton.USER32(?,?,?,-00000001), ref: 00E03326

Strings

c && c->ctrl->type == CTRL_RADIO, xrefs: 00E03303
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E032FE

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ButtonCheckRadio
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO
API String ID: 2493629399-4068683935
Opcode ID: a6a6a7b0d9b951b3e7285c24d0a27bedd7f7331c3e16dc8cacf0443cbc914d5c
Instruction ID: ddf03481b77cea603664ee72b52e5a3641fa0759111ff95ff10c481d4b29ab97
Opcode Fuzzy Hash: a6a6a7b0d9b951b3e7285c24d0a27bedd7f7331c3e16dc8cacf0443cbc914d5c
Instruction Fuzzy Hash: AB110472600211EFC310CF64DC82E56B3A8FF89308F015126F54877651D372BC95CBA0

Function 00E0CC00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32(?), ref: 00E0CC56
CloseHandle.KERNEL32(?), ref: 00E0CC5F

Strings

Error writing to serial device, xrefs: 00E0CC77, 00E0CC87

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: Error writing to serial device
API String ID: 2685284230-3232346394
Opcode ID: fd6350363d943a8006956306dc2992d8eacd61d43123fc69907056d2c4b4b402
Instruction ID: e0a4f6f4f18ff642717f6d2513ce419f146b2ab87a619016c45514210a28f644
Opcode Fuzzy Hash: fd6350363d943a8006956306dc2992d8eacd61d43123fc69907056d2c4b4b402
Instruction Fuzzy Hash: B21151B15047009FD720DF24FC49E07B7E5AF10319F149A2CF89AA72E1D732E995CA91

Function 00E03400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,?,00000000), ref: 00E03479

Strings

c && c->ctrl->type == CTRL_CHECKBOX, xrefs: 00E03463
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E0345E

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ButtonCheck
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
API String ID: 83588225-3903928787
Opcode ID: 14d030f00b3fe0c0bbeb2d589e4c091b28d95ad9cd43b63f0662db9e8d882c35
Instruction ID: 2fedd21a21cde6f67b3103ac75574d18f3d59db5aa4da408218d7b44d96da81d
Opcode Fuzzy Hash: 14d030f00b3fe0c0bbeb2d589e4c091b28d95ad9cd43b63f0662db9e8d882c35
Instruction Fuzzy Hash: 49012B32644301AFC3128A31DC41A66B7ECFB56709F092172F898BB191C371AC64C7A1

Function 00E03490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,?), ref: 00E034F9

Strings

c && c->ctrl->type == CTRL_CHECKBOX, xrefs: 00E034E7
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00E034E2

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
API String ID: 1719414920-3903928787
Opcode ID: 24cf8b8d92967477310a246e2d0c41cd7d74e83ddb3bdfba66e0d8a624ec3a9c
Instruction ID: ddadad89cb805d2c95903b847b788d526ff5a270af9785fd3e6fbea2a1459849
Opcode Fuzzy Hash: 24cf8b8d92967477310a246e2d0c41cd7d74e83ddb3bdfba66e0d8a624ec3a9c
Instruction Fuzzy Hash: 3CF02236700309EFD2129A25ED06F6BB3ECEB4570AF051022F518BA2A1DB21ADA48790

Function 00E42CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E42CE1
_strlen.LIBCMT ref: 00E42D16

Strings

|| , xrefs: 00E42D02

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: _strlen
String ID: ||
API String ID: 4218353326-1685714724
Opcode ID: 9eba593c25f68621386398aafde168b3b7f7b57ed4e0a64fd9eedde7cac37930
Instruction ID: 6276203c6f71849df57ce3c0e2ba6fbb943b9fbee080a1f9012c6537ef2cd3dc
Opcode Fuzzy Hash: 9eba593c25f68621386398aafde168b3b7f7b57ed4e0a64fd9eedde7cac37930
Instruction Fuzzy Hash: C2018FB1D011086FD210B710FC42A9A739DEB8535CF055434FA0967212F6366AA5C6E6

Function 00DE6290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001,?,?,?,?,00000000,00000000), ref: 00DE62D6
MessageBoxA.USER32(00000000,00000000,00000010), ref: 00DE6302

Strings

%s Error, xrefs: 00DE62E9

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CursorMessageShow
String ID: %s Error
API String ID: 2689832819-1420171443
Opcode ID: 659d890b9c9b3844be8b42159478d37f0a27f331d0ce7219a93601b441749bc0
Instruction ID: 9725ddfeffed8cf9d7a60602e6e2601891bb9ab6f69ddf846e9fbacdebc6c7eb
Opcode Fuzzy Hash: 659d890b9c9b3844be8b42159478d37f0a27f331d0ce7219a93601b441749bc0
Instruction Fuzzy Hash: B50124B5900244AFE605BF22FC4BE6A7BA8DB55300F04402CF9863A292EA615858D7B3

Function 00DEB140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Unsupported protocol number found,00000000,00000030), ref: 00DEB18B

Strings

Unsupported protocol number found, xrefs: 00DEB184
%s Internal Error, xrefs: 00DEB172

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message
String ID: %s Internal Error$Unsupported protocol number found
API String ID: 2030045667-184558026
Opcode ID: 3e925a89607a0389afb83c5f00394b583d8e46fc3f520a647882376153bf7fcb
Instruction ID: 97aaabaa5783accdf8d575f5e8f892b86a495bd3239c57a2bc536290099e426c
Opcode Fuzzy Hash: 3e925a89607a0389afb83c5f00394b583d8e46fc3f520a647882376153bf7fcb
Instruction Fuzzy Hash: ACE02B729403003EE61133657C17F9B3158AB14B26F486031F906B51E3EAA3599481B3

Function 00DFF3D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000223), ref: 00DFF40B

Strings

The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging., xrefs: 00DFF3DE
%s Log to File, xrefs: 00DFF3F3

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Message
String ID: %s Log to File$The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging.
API String ID: 2030045667-4035860868
Opcode ID: cdc93bd93b82206172019f645829fa0dac3dbbdc4c9df204082d592064fce482
Instruction ID: 56e697a91f0a37cd7500538bc3cc8e41af5de51aefde992e6d568e5b28ace3d0
Opcode Fuzzy Hash: cdc93bd93b82206172019f645829fa0dac3dbbdc4c9df204082d592064fce482
Instruction Fuzzy Hash: 70F027F7B003003BE60066A17C47EAF36ECCB89B54F041035FE02FA283F8625D558662

Function 00E1C400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E1C410
RegSetValueExA.ADVAPI32(.G,?,00000000,00000001,00000000,-00000001,?,?,?,?,?,?,?,?,?,?), ref: 00E1C423

Strings

.G, xrefs: 00E1C403, 00E1C422

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: Value_strlen
String ID: .G
API String ID: 3056571664-3391351847
Opcode ID: b48d6aea294a9708409669d9ac609e444af4de1e4b0f30b9ab7b104a66f47f8f
Instruction ID: 28c00fddb1ce5fe58dc163f47883f36fbb112a579e5ec81795415c74e4e92ac0
Opcode Fuzzy Hash: b48d6aea294a9708409669d9ac609e444af4de1e4b0f30b9ab7b104a66f47f8f
Instruction Fuzzy Hash: 8BD02BF33123103BE5108B21BC85F8B379CEBC5750F040425F600B3241C210ED0542B2

Function 00E70C20 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00E70C43
CloseHandle.KERNEL32(?), ref: 00E70C48
LocalFree.KERNEL32(?), ref: 00E70C68
LocalFree.KERNEL32(?), ref: 00E70C75

Memory Dump Source

Source File: 00000000.00000002.2645284381.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.2645263750.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645337256.0000000000EA9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645361741.0000000000EE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2645386462.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_putty1.jbxd

Similarity

API ID: CloseFreeHandleLocal
String ID:
API String ID: 836400252-0
Opcode ID: cad67e8bffcf65bb609351b1a656ab2c8f4aa43e960cc539a4c541c5aecb5dbf
Instruction ID: 3ac2984d50fd68638947ff5c2ff3c12001f6013c1e158b65227c5db14eff3db2
Opcode Fuzzy Hash: cad67e8bffcf65bb609351b1a656ab2c8f4aa43e960cc539a4c541c5aecb5dbf
Instruction Fuzzy Hash: 25F062B6A00205DFDA11AF26FC4589EF3ACEF443587085435F805F2222D721ED65C665