Windows Analysis Report
ExeFile (200).exe

Overview

General Information

Sample name: ExeFile (200).exe
Analysis ID: 1495782
MD5: f5d9021bf02680122ef5de324eb173b2
SHA1: e69e5676df042c1c54d9167d43646d5a89e4384c
SHA256: 4df448b9c01fb42bdf6482f214bdb005a27396206c8b81a40bc63782c2404eca
Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ExeFile (200).exe (PID: 1868 cmdline: "C:\Users\user\Desktop\ExeFile (200).exe" MD5: F5D9021BF02680122EF5DE324EB173B2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: ExeFile (200).exe | ReversingLabs: Detection: 47%
Source: ExeFile (200).exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D6C770 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D6E9D0 CryptHashData
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D6E9F0 CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D6E990 CryptAcquireContextA,CryptCreateHash
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D6C920 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D6ADC0 MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertOpenStore,GetLastError,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCRLContext,CertFreeCRLContext
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D80FF0 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,ReadFile,ReadFile,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCRLContext,GetLastError,GetLastError,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D81390 CertFindExtension,CryptDecodeObjectEx
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D47AB0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D58A70 -----BEGIN PUBLIC KEY-----
Source: ExeFile (200).exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: ExeFile (200).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ExeFile (200).exe | Static PE information: certificate valid
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: ExeFile (200).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D19C90 GetFileAttributesW,DeleteFileW,FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D25210 PathCombineW,FindFirstFileW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp\preloader.html
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp
Source: global traffic | HTTP traffic detected: GET /index2.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 | Host: install.mediaget.com | Content-Length: 124 | Cache-Control: no-cache | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 6d 65 64 69 61 67 65 74 49 6e 73 74 61 6c 6c 65 72 20 66 69 6c 65 5f 6e 61 6d 65 3d 22 45 78 65 46 69 6c 65 20 28 32 30 30 29 2e 65 78 65 22 20 61 63 74 69 6f 6e 3d 22 73 74 61 72 74 22 20 73 74 61 74 56 65 72 73 69 6f 6e 3d 22 33 39 39 22 2f 3e 0a 0a | Data Ascii: <?xml version="1.0" encoding="UTF-8"?><mediagetInstaller file_name="ExeFile (200).exe" action="start" statVersion="399"/>
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D16C20 CreateFileW,GetLastError,InternetOpenW,SetFilePointer,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,HttpQueryInfoW,GetTickCount,GetTickCount,InternetReadFile,GetLastError,WriteFile,GetLastError,GetTickCount,GetLastError,GetLastError,GetLastError,SetEndOfFile,GetLastError,CloseHandle,CreateFileW,CreateFileW,Sleep,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /index2.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 | Host: install.mediaget.com | Content-Length: 124 | Cache-Control: no-cache | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 6d 65 64 69 61 67 65 74 49 6e 73 74 61 6c 6c 65 72 20 66 69 6c 65 5f 6e 61 6d 65 3d 22 45 78 65 46 69 6c 65 20 28 32 30 30 29 2e 65 78 65 22 20 61 63 74 69 6f 6e 3d 22 73 74 61 72 74 22 20 73 74 61 74 56 65 72 73 69 6f 6e 3d 22 33 39 39 22 2f 3e 0a 0a | Data Ascii: <?xml version="1.0" encoding="UTF-8"?><mediagetInstaller file_name="ExeFile (200).exe" action="start" statVersion="399"/>
Source: global traffic | DNS traffic detected: DNS query: install.mediaget.com
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://docs.jquery.com/UI
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://docs.jquery.com/UI/Mouse
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://docs.jquery.com/UI/Widget
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=avastm
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=opera
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=operam
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, ExeFile (200).exe, 00000000.00000002.4603302424.0000000002918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://install.mediaget.com/index2.php
Source: ExeFile (200).exe, 00000000.00000002.4602574439.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://install.mediaget.com/index2.php(
Source: ExeFile (200).exe, 00000000.00000002.4602574439.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://install.mediaget.com/index2.phpI
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://install.portmdfmoon.com/download/APSFEM
Source: ExeFile (200).exe, 00000000.00000002.4604981717.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, jquery.min.1.6.4.js.0.dr | String found in binary or memory: http://jquery.com/
Source: ExeFile (200).exe, 00000000.00000002.4604981717.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, jquery.min.1.6.4.js.0.dr | String found in binary or memory: http://jquery.org/license
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | String found in binary or memory: http://jqueryui.com/about)
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, yandex-stuff-tr.txt.0.dr | String found in binary or memory: http://legal.yandex.com.tr/browser_agreement/
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, yandex-stuff-tr.txt.0.dr | String found in binary or memory: http://legal.yandex.com.tr/desktop_software_agreement/
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://mediaget.com
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, first-page-ru.html.0.dr, yandex-stuff-new-ru.txt.0.dr, first-page-tr.html.0.dr | String found in binary or memory: http://mediaget.com/license
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000003.2184953573.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4602574439.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4602574439.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184992176.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184860354.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184842482.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4604981717.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184686575.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184711359.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184819734.0000000002D62000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184753918.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184933297.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184733067.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184779445.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184779445.0000000002D71000.00000004.00000020.00020000.00000000.sdmp, index.html.0.dr, first-page-en.html.0.dr | String found in binary or memory: http://mediaget.com/license?lang=en
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=en-z
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=en7z
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=en=y
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=enGy
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mediaget.com/license?lang=enIyp
Source: ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://mediaget.commediagetMediaGet2Media
Source: ExeFile (200).exe | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: ExeFile (200).exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: ExeFile (200).exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://sub2.bubblesmedia.ru/client/mediaget_install
Source: ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://sub2.bubblesmedia.ru/client/mediaget_install749c4eeb900d5b934e55da9081b1b685vector
Source: ExeFile (200).exe | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://t2.symcb.com0
Source: ExeFile (200).exe | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ExeFile (200).exe | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ExeFile (200).exe | String found in binary or memory: http://tl.symcd.com0&
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729
Source: ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729http://install.portmdfmoon.co
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-webcompanion2-en.html.0.dr, bundle-webcompanion1-en.html.0.dr | String found in binary or memory: http://webcompanion.com/privacy
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-webcompanion2-en.html.0.dr, bundle-webcompanion1-en.html.0.dr | String found in binary or memory: http://webcompanion.com/terms
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-opera.html.0.dr, bundle-opera-en.html.0.dr | String found in binary or memory: http://www.opera.com/ru/eula/computers
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-opera.html.0.dr, bundle-opera-en.html.0.dr | String found in binary or memory: http://www.opera.com/ru/privacy
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | String found in binary or memory: http://www.safefinder.com/faq/SafeFinder/FAQ_ENG.html
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | String found in binary or memory: http://www.safefinder.com/privacy.html
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | String found in binary or memory: http://www.safefinder.com/terms.html
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://bits.avcdn.net/platform_WIN/productfamily_ANTIVIRUS/cookie_mmm_mrk_ppi_004_408_q
Source: ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chistilka.com/eula.php
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstoreweb_url
Source: ExeFile (200).exe, 00000000.00000002.4603302424.0000000002918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.cou
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://client.mediaget.com/uninstall
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxapp
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxweb_accessible_resourcespage_embed_script.js
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ExeFile (200).exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-autopush.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-preprod.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive-staging.corp.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://http://install.mediaget.com/index2.phphttps://client.mediaget.com/uninstall-installer-tmp
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://install.mediaget.com/index2.php
Source: ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://install.mediaget.com/index2.phpcrash
Source: ExeFile (200).exe, 00000000.00000002.4602574439.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf5u
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000675B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://net.geo.opera.com/opera/stable/windows?utm_source=mgt&utm_medium=pb&utm_campaign=mgt
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://net.geo.opera.com/opera/stable/windows?utm_source=mkt&utm_medium=apb&utm_campaign=729
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://payments.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jshttps://sandbox.google.com/payments/v4/js/in
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sandbox.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-avast.html.0.dr | String found in binary or memory: https://www.avast.com/eula
Source: ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-avast.html.0.dr | String found in binary or memory: https://www.avast.com/privacy-policy
Source: ExeFile (200).exe | String found in binary or memory: https://www.globalsign.com/repository/0
Source: ExeFile (200).exe | String found in binary or memory: https://www.globalsign.com/repository/03
Source: ExeFile (200).exe | String found in binary or memory: https://www.globalsign.com/repository/06
Source: ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/https://www.googleapis.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/systemPrivate
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierrahttps://www.googleapis.com/auth/sierrasandboxhttps://www.googl
Source: ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: ExeFile (200).exe | String found in binary or memory: https://www.thawte.com/cps0/
Source: ExeFile (200).exe | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE61E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE21F0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D364B0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D74550
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE2520
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D008E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D70AF0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D6ADC0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D32D90
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D49040
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE1000
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D511D7
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE51F0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D972F0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D4D2E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D532E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D13280
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D972B4
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D97210
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D973E0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D97358
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D97484
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D97428
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D7D670
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D9770C
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D518C3
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE1BE0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D51B11
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D4FB00
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D53CD0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D69ED0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CE3FA0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D4DE30
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00D60DF0 appears 213 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00CEB350 appears 210 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00CEBDF0 appears 76 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00D67910 appears 31 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00CEAEF0 appears 31 times
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: String function: 00CEB810 appears 116 times
Source: C:\Users\user\Desktop\ExeFile (200).exeCode function: String function: 00CEB030 appears 59 times
Source: C:\Users\user\Desktop\ExeFile (200).exeCode function: String function: 00D60D10 appears 174 times
Source: C:\Users\user\Desktop\ExeFile (200).exeCode function: String function: 00D85D90 appears 34 times
Source: ExeFile (200).exeStatic PE information: Resource name: ARCHIVE_7Z type: 7-zip archive data, version 0.3
Source: ExeFile (200).exeStatic PE information: Resource name: ARCHIVE_7Z type: 7-zip archive data, version 0.3
Source: ExeFile (200).exe, 00000000.00000002.4604981717.0000000006766000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameD3D10Warp.dllj% vs ExeFile (200).exe
Source: ExeFile (200).exeBinary or memory string: OriginalFilename vs ExeFile (200).exe
Source: ExeFile (200).exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ExeFile (200).exeStatic PE information: Section: UPX1 ZLIB complexity 0.9912011579041488
Source: classification engine | Classification label: mal56.spyw.winEXE@1/98@1/1
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D7C890 GetLastError,FormatMessageA,GetLastError,SetLastError
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D23BE0 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D22640 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D048A0 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\ExeFile (200).exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Source: C:\Users\user\Desktop\ExeFile (200).exe | Mutant created: \Sessions\1\BaseNamedObjects\mediaget-installer-singleapplication-mutex
Source: C:\Users\user\Desktop\ExeFile (200).exe | File created: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: false | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --crashed | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --crashed | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --loader | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --silent | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --reseller | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --reseller | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --subid | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --subid | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | Command line argument: --test | 0_2_00D14570
Source: C:\Users\user\Desktop\ExeFile (200).exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ExeFile (200).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ExeFile (200).exe | ReversingLabs: Detection: 47%
Source: ExeFile (200).exe | String found in binary or memory: https://install.mediaget.com/index2.php
Source: ExeFile (200).exe | String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-lib
Source: ExeFile (200).exe | String found in binary or memory: -installer-tmp\
Source: ExeFile (200).exe | String found in binary or memory: http://install.mediaget.com/index2.php
Source: ExeFile (200).exe | String found in binary or memory: mediaget-installer-2/installer-html/getHtml.php?inst_ver=
Source: ExeFile (200).exe | String found in binary or memory: mediaget-installer-2/installer-html/getHtml.php?inst_ver=
Source: ExeFile (200).exe | String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-bin-test
Source: ExeFile (200).exe | String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-lib-test
Source: ExeFile (200).exe | String found in binary or memory: mediaget-installer-2/binaries/download.php?a=mediaget-bin
Source: ExeFile (200).exe | String found in binary or memory: mediaget-installer-2/bundles/bundle.php?b=
Source: ExeFile (200).exe | String found in binary or memory: <load_html>(.*?)</load_html>
Source: ExeFile (200).exe | String found in binary or memory: /install-silent
Source: ExeFile (200).exe | String found in binary or memory: <additional_parameters>(.*?)</additional_parameters>
Source: ExeFile (200).exe | String found in binary or memory: http://install.portmdfmoon.com/download/APSFEM
Source: ExeFile (200).exe | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=avastm
Source: ExeFile (200).exe | String found in binary or memory: <install_fusion>(.*?)</install_fusion>
Source: ExeFile (200).exe | String found in binary or memory: fusion-installing
Source: ExeFile (200).exe | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=operam
Source: ExeFile (200).exe | String found in binary or memory: --installer
Source: ExeFile (200).exe | String found in binary or memory: -install-event
Source: ExeFile (200).exe | String found in binary or memory: http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=opera
Source: ExeFile (200).exe | String found in binary or memory: -installer-singleapplication-mutex
Source: C:\Users\user\Desktop\ExeFile (200).exe | File read: C:\Users\user\Desktop\ExeFile (200).exe
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: msiso.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: profext.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: jscript9.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\ExeFile (200).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07034fd-6caa-4954-ac3f-97a27216f98a}\InProcServer32
Source: ExeFile (200).exe | Static PE information: certificate valid
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: ExeFile (200).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00E342F0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D869ED push ecx; ret 0_2_00D86A00
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D86A59 push ecx; ret 0_2_00D86A6C
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D58A70 push ecx; mov dword ptr [esp], 00000000h 0_2_00D58A71
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D37E20 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\ExeFile (200).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ExeFile (200).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ExeFile (200).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ExeFile (200).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ExeFile (200).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ExeFile (200).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 3DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9430000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 95C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 95E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9950000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 99D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9A30000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9A50000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9A70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9AF0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9B10000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9B30000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9B70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9BF0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9C10000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9C30000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9C50000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9C90000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9CB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9CD0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: 9D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ExeFile (200).exe | Window / User API: threadDelayed 5654
Source: C:\Users\user\Desktop\ExeFile (200).exe | Window / User API: threadDelayed 4153
Source: C:\Users\user\Desktop\ExeFile (200).exe TID: 6368 | Thread sleep time: -565400s >= -30000s
Source: C:\Users\user\Desktop\ExeFile (200).exe TID: 6368 | Thread sleep time: -415300s >= -30000s
Source: C:\Users\user\Desktop\ExeFile (200).exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D19C90 GetFileAttributesW,DeleteFileW,FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D25210 PathCombineW,FindFirstFileW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp\preloader.html
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Temp\mediaget-installer-tmp
Source: ExeFile (200).exe, 00000000.00000002.4602574439.0000000000B42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ExeFile (200).exe, 00000000.00000002.4602574439.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
Source: C:\Users\user\Desktop\ExeFile (200).exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D85E26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00E342F0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D85107 GetProcessHeap,RtlAllocateHeap,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D283C0 InterlockedIncrement,CloseHandle,RtlInitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlInitializeCriticalSection,RtlEnterCriticalSection,SetUnhandledExceptionFilter,RtlLeaveCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D28180 GetCurrentThreadId,SetUnhandledExceptionFilter,RtlLeaveCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D28CC0 RtlEnterCriticalSection,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D86CB7 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D28D90 SetUnhandledExceptionFilter,RtlLeaveCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D27970 FreeLibrary,FreeLibrary,FreeLibrary,RtlEnterCriticalSection,SetUnhandledExceptionFilter,RtlLeaveCriticalSection,RtlDeleteCriticalSection,TerminateThread,CloseHandle,CloseHandle,RtlDeleteCriticalSection,CloseHandle,CloseHandle,InterlockedDecrement,RtlDeleteCriticalSection
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D85E26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ExeFile (200).exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D18A60 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW 0_2_00D23CE0
Source: C:\Users\user\Desktop\ExeFile (200).exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D06030 CreateNamedPipeW
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D86EA8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00CF0920 GetVersionExW
Source: ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: AVGUI.exe

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\ExeFile (200).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D68380 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket
Source: C:\Users\user\Desktop\ExeFile (200).exe | Code function: 0_2_00D65540 htons,bind,htons,htons,bind,getsockname,WSAGetLastError,htons,htons,htons,WSAGetLastError
MITRE ATT&CK Matrix, listed per tactic column (the number in parentheses is the count of matching signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (3); Native API (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (11); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (3); System Information Discovery (24); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
ExeFile (200).exe | 47% | ReversingLabs | Win32.Trojan.Generic |
ExeFile (200).exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://jquery.org/license | 0% | URL Reputation | safe |
https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe |
https://drive-staging.corp.google.com/ | 0% | URL Reputation | safe |
https://www.avast.com/privacy-policy | 0% | Avira URL Cloud | safe |
http://www.safefinder.com/privacy.html | 0% | Avira URL Cloud | safe |
http://www.safefinder.com/faq/SafeFinder/FAQ_ENG.html | 0% | Avira URL Cloud | safe |
http://mediaget.com/license?lang=en-z | 0% | Avira URL Cloud | safe |
https://net.geo.opera.com/opera/stable/windows?utm_source=mkt&utm_medium=apb&utm_campaign=729 | 0% | Avira URL Cloud | safe |
https://payments.google.com/ | 0% | Avira URL Cloud | safe |
https://payments.google.com/payments/v4/js/integrator.jshttps://sandbox.google.com/payments/v4/js/in | 0% | Avira URL Cloud | safe |
https://docs.google.com/ | 0% | Avira URL Cloud | safe |
https://bits.avcdn.net/platform_WIN/productfamily_ANTIVIRUS/cookie_mmm_mrk_ppi_004_408_q | 0% | Avira URL Cloud | safe |
https://sandbox.google.com/payments/v4/js/integrator.js | 0% | Avira URL Cloud | safe |
http://sub2.bubblesmedia.ru/client/mediaget_install749c4eeb900d5b934e55da9081b1b685vector | 0% | Avira URL Cloud | safe |
https://install.mediaget.com/index2.phpcrash | 0% | Avira URL Cloud | safe |
https://curl.haxx.se/docs/http-cookies.html# | 0% | Avira URL Cloud | safe |
https://chrome.google.cou | 0% | Avira URL Cloud | safe |
https://drive-daily-2.corp.google.com/ | 0% | URL Reputation | safe |
https://drive-autopush.corp.google.com/ | 0% | URL Reputation | safe |
https://http://install.mediaget.com/index2.phphttps://client.mediaget.com/uninstall-installer-tmp | 0% | Avira URL Cloud | safe |
https://drive-daily-4.corp.google.com/ | 0% | URL Reputation | safe |
https://drive-daily-1.corp.google.com/ | 0% | URL Reputation | safe |
https://drive-daily-5.corp.google.com/ | 0% | URL Reputation | safe |
https://www.thawte.com/cps0/ | 0% | URL Reputation | safe |
http://mediaget.com/license?lang=enGy | 0% | Avira URL Cloud | safe |
https://install.mediaget.com/index2.php | 0% | Avira URL Cloud | safe |
https://drive-daily-6.corp.google.com/ | 0% | URL Reputation | safe |
https://drive-daily-0.corp.google.com/ | 0% | URL Reputation | safe |
https://drive.google.com/ | 0% | Avira URL Cloud | safe |
https://www.google.com/systemPrivate | 0% | Avira URL Cloud | safe |
https://www.thawte.com/repository0W | 0% | URL Reputation | safe |
http://install.portmdfmoon.com/download/APSFEM | 0% | Avira URL Cloud | safe |
http://docs.jquery.com/UI/Widget | 0% | Avira URL Cloud | safe |
https://client.mediaget.com/uninstall | 0% | Avira URL Cloud | safe |
http://mediaget.commediagetMediaGet2Media | 0% | Avira URL Cloud | safe |
http://install.mediaget.com/index2.php( | 0% | Avira URL Cloud | safe |
https://net.geo.opera.com/opera/stable/windows?utm_source=mgt&utm_medium=pb&utm_campaign=mgt | 0% | Avira URL Cloud | safe |
http://jqueryui.com/about) | 0% | URL Reputation | safe |
https://drive-preprod.corp.google.com/ | 0% | URL Reputation | safe |
http://jquery.com/ | 0% | URL Reputation | safe |
https://drive-daily-3.corp.google.com/ | 0% | URL Reputation | safe |
http://install.mediaget.com/index2.phpI | 0% | Avira URL Cloud | safe |
http://sub2.bubblesmedia.ru/client/mediaget_install | 0% | Avira URL Cloud | safe |
https://chrome.google.com/webstore | 0% | Avira URL Cloud | safe |
http://install.mediaget.com/index2.php | 0% | Avira URL Cloud | safe |
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=operam | 0% | Avira URL Cloud | safe |
http://docs.jquery.com/UI | 0% | Avira URL Cloud | safe |
https://payments.google.com/payments/v4/js/integrator.js | 0% | Avira URL Cloud | safe |
http://mediaget.com/license?lang=en | 0% | Avira URL Cloud | safe |
https://www.avast.com/eula | 0% | Avira URL Cloud | safe |
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=opera | 0% | Avira URL Cloud | safe |
http://mediaget.com/license?lang=en7z | 0% | Avira URL Cloud | safe |
http://www.opera.com/ru/eula/computers | 0% | Avira URL Cloud | safe |
http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729 | 0% | Avira URL Cloud | safe |
http://webcompanion.com/privacy | 0% | Avira URL Cloud | safe |
http://mediaget.com/license | 0% | Avira URL Cloud | safe |
http://legal.yandex.com.tr/desktop_software_agreement/ | 0% | Avira URL Cloud | safe |
http://mediaget.com/license?lang=enIyp | 0% | Avira URL Cloud | safe |
https://chistilka.com/eula.php | 0% | Avira URL Cloud | safe |
http://docs.jquery.com/UI/Mouse | 0% | Avira URL Cloud | safe |
http://www.opera.com/ru/privacy | 0% | Avira URL Cloud | safe |
http://mediaget.com | 0% | Avira URL Cloud | safe |
https://chrome.google.com/webstoreweb_url | 0% | Avira URL Cloud | safe |
http://legal.yandex.com.tr/browser_agreement/ | 0% | Avira URL Cloud | safe |
http://mediaget.com/license?lang=en=y | 0% | Avira URL Cloud | safe |
http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729http://install.portmdfmoon.co | 0% | Avira URL Cloud | safe |
https://www.google.com/ | 0% | Avira URL Cloud | safe |
http://webcompanion.com/terms | 0% | Avira URL Cloud | safe |
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=avastm | 0% | Avira URL Cloud | safe |
http://www.safefinder.com/terms.html | 0% | Avira URL Cloud | safe |
https://sandbox.google.com/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lb-ks-1.mediaget.com | 185.130.105.44 | true | false | | unknown
install.mediaget.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://install.mediaget.com/index2.php | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://sub2.bubblesmedia.ru/client/mediaget_install749c4eeb900d5b934e55da9081b1b685vector | ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://jquery.org/license | ExeFile (200).exe, 00000000.00000002.4604981717.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, jquery.min.1.6.4.js.0.dr | false | URL Reputation: safe | unknown
http://www.safefinder.com/faq/SafeFinder/FAQ_ENG.html | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | false | Avira URL Cloud: safe | unknown
https://payments.google.com/payments/v4/js/integrator.jshttps://sandbox.google.com/payments/v4/js/in | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.avast.com/privacy-policy | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-avast.html.0.dr | false | Avira URL Cloud: safe | unknown
http://www.safefinder.com/privacy.html | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | false | Avira URL Cloud: safe | unknown
https://bits.avcdn.net/platform_WIN/productfamily_ANTIVIRUS/cookie_mmm_mrk_ppi_004_408_q | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://payments.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sandbox.google.com/payments/v4/js/integrator.js | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://net.geo.opera.com/opera/stable/windows?utm_source=mkt&utm_medium=apb&utm_campaign=729 | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaget.com/license?lang=en-z | ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
https://curl.haxx.se/docs/http-cookies.html# | ExeFile (200).exe | false | Avira URL Cloud: safe | unknown
https://install.mediaget.com/index2.phpcrash | ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/ | ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.cou | ExeFile (200).exe, 00000000.00000002.4603302424.0000000002918000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://http://install.mediaget.com/index2.phphttps://client.mediaget.com/uninstall-installer-tmp | ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://drive-staging.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mediaget.com/license?lang=enGy | ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://install.mediaget.com/index2.php | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://install.mediaget.com/index2.php( | ExeFile (200).exe, 00000000.00000002.4602574439.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://install.portmdfmoon.com/download/APSFEM | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.jquery.com/UI/Widget | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | false | Avira URL Cloud: safe | unknown
https://client.mediaget.com/uninstall | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/systemPrivate | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaget.commediagetMediaGet2Media | ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://net.geo.opera.com/opera/stable/windows?utm_source=mgt&utm_medium=pb&utm_campaign=mgt | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://sub2.bubblesmedia.ru/client/mediaget_install | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://install.mediaget.com/index2.phpI | ExeFile (200).exe, 00000000.00000002.4602574439.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.jquery.com/UI | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | false | Avira URL Cloud: safe | unknown
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=opera | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaget.com/license?lang=en | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000003.2184953573.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4602574439.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4602574439.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184992176.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184860354.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184842482.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4604981717.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184686575.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184711359.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184819734.0000000002D62000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184753918.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184933297.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184733067.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184779445.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2184779445.0000000002D71000.00000004.00000020.00020000.00000000.sdmp, index.html.0.dr, first-page-en.html.0.dr | false | Avira URL Cloud: safe | unknown
https://drive-daily-2.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive-autopush.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://payments.google.com/payments/v4/js/integrator.js | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive-daily-4.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.avast.com/eula | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-avast.html.0.dr | false | Avira URL Cloud: safe | unknown
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=operam | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaget.com/license?lang=en7z | ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive-daily-1.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729 | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.opera.com/ru/eula/computers | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-opera.html.0.dr, bundle-opera-en.html.0.dr | false | Avira URL Cloud: safe | unknown
https://drive-daily-5.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://legal.yandex.com.tr/desktop_software_agreement/ | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, yandex-stuff-tr.txt.0.dr | false | Avira URL Cloud: safe | unknown
http://webcompanion.com/privacy | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-webcompanion2-en.html.0.dr, bundle-webcompanion1-en.html.0.dr | false | Avira URL Cloud: safe | unknown
http://mediaget.com/license?lang=enIyp | ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.opera.com/ru/privacy | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-opera.html.0.dr, bundle-opera-en.html.0.dr | false | Avira URL Cloud: safe | unknown
https://chistilka.com/eula.php | ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaget.com/license | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, first-page-ru.html.0.dr, yandex-stuff-new-ru.txt.0.dr, first-page-tr.html.0.dr | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/cps0/ | ExeFile (200).exe | false | URL Reputation: safe | unknown
http://docs.jquery.com/UI/Mouse | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | false | Avira URL Cloud: safe | unknown
http://mediaget.com | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://drive-daily-6.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive-daily-0.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.thawte.com/repository0W | ExeFile (200).exe | false | URL Reputation: safe | unknown
https://chrome.google.com/webstoreweb_url | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaget.com/license?lang=en=y | ExeFile (200).exe, 00000000.00000002.4604981717.000000000676D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://download.mediaget.com/mediaget-installer-2/bundles/bundle.php?b=avastm | ExeFile (200).exe, ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://jqueryui.com/about) | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000002.4605978708.000000000982B000.00000004.00000020.00020000.00000000.sdmp, jquery-ui.min.1.8.0.js.0.dr | false | URL Reputation: safe | unknown
http://webcompanion.com/nano_download.php?partner=MK190501&campaign=729http://install.portmdfmoon.co | ExeFile (200).exe, 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://webcompanion.com/terms | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-webcompanion2-en.html.0.dr, bundle-webcompanion1-en.html.0.dr | false | Avira URL Cloud: safe | unknown
https://drive-preprod.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://legal.yandex.com.tr/browser_agreement/ | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, yandex-stuff-tr.txt.0.dr | false | Avira URL Cloud: safe | unknown
https://sandbox.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/ | ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://jquery.com/ | ExeFile (200).exe, 00000000.00000002.4604981717.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, jquery.min.1.6.4.js.0.dr | false | URL Reputation: safe | unknown
http://www.safefinder.com/terms.html | ExeFile (200).exe, 00000000.00000003.2183753988.000000000937A000.00000004.00000020.00020000.00000000.sdmp, bundle-safefinder-en.html.0.dr | false | Avira URL Cloud: safe | unknown
https://drive-daily-3.corp.google.com/ | ExeFile (200).exe, 00000000.00000003.2148686179.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, ExeFile (200).exe, 00000000.00000003.2148724912.000000000291B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.130.105.44 | lb-ks-1.mediaget.com | Netherlands | 14576 | HOSTING-SOLUTIONSUS | false
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1495782
      Start date and time:2024-08-20 16:26:49 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 7m 44s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:ExeFile (200).exe
      Detection:MAL
      Classification:mal56.spyw.winEXE@1/98@1/1
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 99%
      • Number of executed functions: 93
      • Number of non-executed functions: 177
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Override analysis time to 240000 for current running targets taking high CPU consumption
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
      • Report size exceeded maximum capacity and may have missing disassembly code.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
      • VT rate limit hit for: ExeFile (200).exe
Time | Type | Description
10:27:56 | API Interceptor | 2593098x Sleep call for process: ExeFile (200).exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTING-SOLUTIONSUS | Mega.nz Spreader.exe | malicious | Laplas Clipper, Meduza Stealer | 45.159.189.105
HOSTING-SOLUTIONSUS | file.exe | malicious | Amadey | 185.209.162.226
HOSTING-SOLUTIONSUS | http://tqwwwcom.ru/ | malicious | Unknown | 204.155.30.34
HOSTING-SOLUTIONSUS | xworm.exe | malicious | Unknown | 185.209.160.70
HOSTING-SOLUTIONSUS | Fb9Ff8L4T7 | malicious | RHADAMANTHYS | 185.209.160.99
HOSTING-SOLUTIONSUS | file.exe | malicious | Vidar, Xmrig | 185.209.162.208
HOSTING-SOLUTIONSUS | file.exe | malicious | Vidar, Xmrig | 185.209.162.208
HOSTING-SOLUTIONSUS | 05F1TC85Up.exe | malicious | DanaBot | 45.159.189.76
HOSTING-SOLUTIONSUS | 05F1TC85Up.exe | malicious | DanaBot | 45.159.189.76
HOSTING-SOLUTIONSUS | Green.exe | malicious | RedLine | 185.209.160.70
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:data
      Category:dropped
      Size (bytes):49120
      Entropy (8bit):0.0017331682157558962
      Encrypted:false
      SSDEEP:3:Ztt:T
      MD5:0392ADA071EB68355BED625D8F9695F3
      SHA1:777253141235B6C6AC92E17E297A1482E82252CC
      SHA-256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
      SHA-512:EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):728
      Entropy (8bit):5.4386472019762975
      Encrypted:false
      SSDEEP:12:pn/trccM3uksu/eGIh7JZ4mySGIS4I5mUfSxDRRXkt8ZDRRFm5dYMv:1d7SquWGIhJGIS4sKRRRy8JRRQfYMv
      MD5:3E31181EFAB6491D1BFE8C691B215CF9
      SHA1:6C5E9E4B61DFC705A7D4DE8A22E4F815CE825C0D
      SHA-256:906B1C8178054D73592B09D01CC776E9F467FE84CB31176006B9B9DC1DDB10AE
      SHA-512:498016A85306B202D85455DEC3925C3A10636867010488540F4F1BBEBC12121C458791C33F499E1CB902FDEFAD27ABCA77D8B06726AE0D12B030FF0FD925811F
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/360_offer_small.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='av360_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:15px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-grey.png" onClick="javascript:skip_av360()"></div>....<div style="position:absolute;left:485px;top:250px;cursor:pointer;"><img src="./img/next.png" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_av360()......{...... document.getElementById('av360_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):2238
      Entropy (8bit):5.561714876398931
      Encrypted:false
      SSDEEP:48:OXufI8SGYjySs3uQxkmEQIJEZIu4InRJG5gpKvNKM4vYKNKMWcM:OXgdSGe8ukrEUr41
      MD5:10F6C2A03E3792543A41A4D33AA0F083
      SHA1:1841B1E82BC157705B26B2ECF081AFA4D3BFC3E6
      SHA-256:59BACB21B65C2BA31EE3A74975AC8E7AB7A2C2DDD7850B8E979E730F83C5EE70
      SHA-512:09BC9146A5018EF9C9028393E1FA7293D2481BC18705CF2F118B1B21E9F717924AF47D02080F3F0355C8AA3BD053DBACF55414D7E43F31D1CD0FB024C33FF237
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <img src='./img/avast-screen-ru.jpg' style='position:absolute;left:0px;top:0px;'/>.. ....<input type='checkbox' id='avast_installCheck' checked='checked' style='display:none'/>.... <div id='operaCheckIconDiv' style="position:absolute;left:30px;top:190px;" onclick='return avastChecked();'><img id="operaCheckImg" src="./img/checkbox-black-on.png"></div> -->....<div style='position:absolute;left:25px;top:285px; font-size: 12px; face: Calibri; color: gray; background-color: RGB(241, 241, 241); width: 680px; height: 35px; z-index: 9999'>........ ..........., . .......... .. ......... ......... Avast Antivirus . ........ .......<br>....<a href='https://www.avast.com/eula' target='blank' style="color: Gray;">............. ..........</a> . ............. . ....<a href='https://www.avast.com/privacy-policy' target='blank' style="colo
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):3053
      Entropy (8bit):5.178326749717347
      Encrypted:false
      SSDEEP:48:4ui6Py5M5h5v+uGIVfySGFSyStpo8q1IN6SIS4zsRNFG5Anp07n9NKM4vN8noNKn:4uF6+jt+LtSG0xpoZ1fStMWsnrL
      MD5:D50FD619C84501EC4C920C5757B9E4F0
      SHA1:0625AD5F60D65B41F68ACFF3491D7669100683A4
      SHA-256:06AB1A2EE7F4E0BB2AF43907EB503FF69932DCE59DAEE982F2C65A22C0AC91CD
      SHA-512:D8D0EE71C6156CD85CBCA0FC6319DF4863946726DBC67E70C3E674580A20FD1C858D35CE0FC5EA6C039DF97ACC46E5E50B57AFE70B4F740F2A815FCC95CB0BB7
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>Install Opera Browser</div>.. <img src='./img/opera/opera-logo.png' style='position:absolute;left:580px;top:10px;'/>.. <img src='./img/opera/opera-mockup2.jpg' style='position:absolute;left:298px;top:60px;'/>.. .. <div style='position:absolute;left:20px;top:60px; font-size: 16px; face: Calibri'>Fast and Secure Internet Browser</div>.. .. <div style='position:absolute;left:50px;top:100px; font-size: 14px; face: Calibri'>Ad bloker</div>.. <img src='./img/opera/opera-adblock.png' style='position:absolute;left:20px;top:100px;'/>.. .. <div style='position:absolute;left:50px;top:130px; font-size: 14px; face: Calibri'>Battery saver</div>.. <img src='./img/opera/opera-battery.png' style='position:absolute;left:20px;top:130px;'/>.. .. <div style='position:absolute;l
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):3435
      Entropy (8bit):5.564181724424449
      Encrypted:false
      SSDEEP:96:4uUbAj6Mh+LtSG053Jrsj1yfdStyWsnrL:4zbAjhhsta1Jwj1yfAe
      MD5:6AF3DD94AA58F23DCF11A1E797497B14
      SHA1:839CA22201CEE968EC104188433223C2CB44CDEC
      SHA-256:C937BB7270769158DD8C625F878D641F550F4FAD719C8FBA99C5AD7E681B591D
      SHA-512:B6F38B079478BBACC08237149C4443AEF62041DFAAC2E7FF12A2194E1BA4F29D8C9814776669DF0D5263944FC5C6A3ADEDCA4ACABCE446241FB50440413A18CB
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>.......... ....... Opera</div>.. <img src='./img/opera/opera-logo.png' style='position:absolute;left:580px;top:10px;'/>.. <img src='./img/opera/opera-mockup2.jpg' style='position:absolute;left:298px;top:60px;'/>.. .. <div style='position:absolute;left:20px;top:60px; font-size: 16px; face: Calibri'>......., .......... . .......</div>.. .. <div style='position:absolute;left:50px;top:100px; font-size: 14px; face: Calibri'>.......... .......</div>.. <img src='./img/opera/opera-adblock.png' style='position:absolute;left:20px;top:100px;'/>.. .. <div style='position:absolute;left:50px;top:130px; font-size: 14px; face: Calibri'>........ ...... .......</div>.. <img src='./img/opera/opera-battery.png'
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):2517
      Entropy (8bit):5.189415942341495
      Encrypted:false
      SSDEEP:48:nIsPl/+FuVdGGMySLUqmIKImARZG5gpABWM4vYoWMWMM:nVN/uEGGM/xmLX
      MD5:9E78557B60DADEF5D8EA00070EE88CA1
      SHA1:DB9BA07407B05AF64442DE33F4CB1CA50EB20578
      SHA-256:B289AA157775432E386C07FB77CB57F9E3F98BE5BF4A777EEE37428D579559A6
      SHA-512:DD7094E92ECD4DF5C197567DB8409C3D37DF73B1D9CA9D011D715D22CB8DD1366E27691979D920EC8DFB050A42F2E19058FC061197CEBE658D072D7B49CE5591
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:20px; font-size: 20px; face: Calibri; color: black;'>Install SafeFinder</div>.. .. <div style='position:absolute;left:20px;top:70px; font-size: 16px; face: Calibri'>SafeFinder gives you the optimal way to share, search, work & play. Improve your search experience and set SafeFinder as my homepage, new tabs and default search engine on compatible browsers.</div>.. ....<input type='checkbox' id='safefinder_installCheck' checked='checked' style='display:none'/>....<div id='safefinderCheckIconDiv' style="position:absolute;left:20px;top:150px;" onclick='return safefinderChecked();'><img id="safefinderCheckImg" src="./img/checkbox-black-on.png"></div>........<div style='position:absolute;left:45px;top:150px; font-size: 12px; face: Calibri'>By clicking .Accept. you agree to the ....<a href='http://www.safefinder.com/terms.html' target='blank' style="color: Gray;">Legal
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):828
      Entropy (8bit):5.355846111989816
      Encrypted:false
      SSDEEP:24:1o7SeiuuGI8xGIS4m4zo4ILRRRGC8JRRQfYMv:1o7XiuJI8AIS4m4zo4KRKCG2Pv
      MD5:7E43E9642E82E1B58455A7112F77CBC4
      SHA1:E79038B507D5539B53131DCEE93FFCF2AE7CBAF9
      SHA-256:62067016760757E26C17A48587AEA0EA71119FD60DFB70AF23AE8D7561A344E9
      SHA-512:414F14277DF45D621AA50F67E45846DCF4AAB0F2120D39D8D5E6A86F0C18588B5D499668CD793B9F48D7959091C32BFDCEB37C1C9ABB2FA4A47C7EDAE472327E
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/turbom-en.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='turbom_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:150px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-grey-en.png" onClick="javascript:skip_turbom()"></div>....<div style="position:absolute;left:340px;top:250px;cursor:pointer;"><img src="./img/next-en.png" onmouseover="this.src='./img/next-hovered-en.png';" onmouseout="this.src='./img/next-en.png';" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_turbom()......{...... document.getElementById('turbom_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):823
      Entropy (8bit):5.356733917249688
      Encrypted:false
      SSDEEP:24:1Dn7SeiuuGIPxGIS42m4wo42ILRRRGC8JRRQfYMv:1Dn7XiuJIPAIS4Z4wo4hRKCG2Pv
      MD5:3F3CFD6828B8D9E7E0F4475F723DA1DC
      SHA1:7E96DD5406469322BFE1636D89795D2470FE25E8
      SHA-256:EAD88946728C652D7994C4BFAC122F03493025E52E8D5687786518B2B2207184
      SHA-512:8124B74973C7AE6596F11F926903C28C6F6AF69D071277275E0D7E40136623078348C80C0716410A39C1B295DB86C82B07BE1F2AD0F9305E513622289EF792FA
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/turbom-tr.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='turbom_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:150px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-tr.png" onClick="javascript:skip_turbom()"></div>....<div style="position:absolute;left:340px;top:250px;cursor:pointer;"><img src="./img/next-tr.png" onmouseover="this.src='./img/next-hovered-tr.png';" onmouseout="this.src='./img/next-tr.png';" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_turbom()......{...... document.getElementById('turbom_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):813
      Entropy (8bit):5.356974825717192
      Encrypted:false
      SSDEEP:24:167SeiuuGIhcxGIS4o4Zo4CLRRRGC8JRRQfYMv:167XiuJIqAIS4o4Zo48RKCG2Pv
      MD5:5C0A257B14139E3BC56E806D6C737F22
      SHA1:78E117894DB43BB98D1D96930F54E46B1F63B8CB
      SHA-256:DBB780A98852C298334A4AF878D167098D59AD12AC67FA08CE69CA113484C803
      SHA-512:CE0C9383E7C2EA19CDA6A98DDF05FBC3A29EE1AE73A7A2DFB0D3935E02634EDA13A48267F6785ED7EFE79C6B89CE83F52853174D5DB088408CFBC99D89EFE11D
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>....<img src='./img/turbom.jpg' style='position:absolute;left:0px;top:0px;'/>....<input type='checkbox' id='turbom_installCheck' checked='checked' style='display:none'/>....<div style="position:absolute;left:150px;top:250px;cursor:pointer;"><img src="./img/cancel-cancel-grey.png" onClick="javascript:skip_turbom()"></div>....<div style="position:absolute;left:340px;top:250px;cursor:pointer;"><img src="./img/next.png" onmouseover="this.src='./img/next-hovered.png';" onmouseout="this.src='./img/next.png';" onClick="##NEXT_PAGE_BUTTON##"></div>..</div>....<script language='javascript'>...function skip_turbom()......{...... document.getElementById('turbom_installCheck').checked = false;.......document.getElementById('currentState').value = 'skip';......}..</script>..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):2609
      Entropy (8bit):5.188751741660367
      Encrypted:false
      SSDEEP:48:wUuiDjAXsI+tfgurmuDwVyAzfGiSySlq1Jvq2IcGXImYqRQnG52MpbZpSaQUM4vO:xu8EStfgDFjGnyo28i
      MD5:7C7898C8D209930579C0F5A2C3047B42
      SHA1:D8E186E9241D8BA574F509E2495179B0FA726DC7
      SHA-256:0AE3B07E1AC729CE46967228EADFF909BB1F6B5FC49D340428524AE33D153869
      SHA-512:BD49F69F35D8D6B3326D819E700070F78A5AEBAA97B4F0627A1E2CCF2C640C7622BD2D9777CCC3FBBCA99A76504608FEE9977295D2604B0B647E1BD7BE3A38CF
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>Optional Offer | Adaware Web Companion</div>-->........<img src='./img/wc-logo.png' style='position:absolute;left:20px;top:20px;'/>.. .. <div style='position:absolute;left:20px;top:80px; font-size: 15px; face: Calibri'>Adaware Web Companion helps you safely browse the web by blocking malicious sites and phishing scams.<br><br>....Block malicious threats by installing Adaware Web Companion. Improve your internet security and set your homepage, new tabs and default search to Bing. by Microsoft. on compatible browsers.</div>.. ....<input type='checkbox' id='webcompanion_installCheck' checked='checked' style='display:none'/>....<div id='webcompanionCheckIconDiv' style="position:absolute;left:20px;top:195px;" onclick='return webcompanionChecked();'><img id="webcompanionCheckImg" src="./img/checkbox-black-on.pn
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):2610
      Entropy (8bit):5.175489598720475
      Encrypted:false
      SSDEEP:48:wUuiDjAXsI+tf7muDwVyAzfGiSySlq1Jvq2IcGXImYqRQnG52MpbZpSaQUM4vQIS:xu8EStfaFjGnyo28i
      MD5:0AB512819E3B4AF624ABF099E026C857
      SHA1:953CDD96269F5B5C367CBE6C914C10616E201610
      SHA-256:682488B97C19961DE3C14B32EBDFE90D9CB3D76F668B0C71115E500FE2D6D805
      SHA-512:3ED287207C151A45F1D836FBE986C1AE93FA7469FE3953984F61AD2621B657192405DC62C068B7BB4BA48B32CB604FA937867FDED9CA337E15B400C1A7A58268
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <div style='position:absolute;left:20px;top:10px; font-size: 30px; face: Calibri; color: #42B2EE;'>Optional Offer | Adaware Web Companion</div>-->........<img src='./img/wc-logo.png' style='position:absolute;left:20px;top:20px;'/>.. .. <div style='position:absolute;left:20px;top:80px; font-size: 15px; face: Calibri'>Adaware Web Companion helps you safely browse the web by blocking malicious sites and phishing scams.<br><br>....Block malicious threats by installing Adaware Web Companion. Improve your internet security and set your homepage, new tabs and default search to SecureSearch by Adaware on compatible browsers.</div>.. ....<input type='checkbox' id='webcompanion_installCheck' checked='checked' style='display:none'/>....<div id='webcompanionCheckIconDiv' style="position:absolute;left:20px;top:195px;" onclick='return webcompanionChecked();'><img id="webcompanionCheckImg" src="./img/checkbox-black-on.p
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):1553
      Entropy (8bit):5.6827161111568865
      Encrypted:false
      SSDEEP:24:SVOHEk15JiQs7tcUr6S6Nj1W60kOKl/2EQOlfvBiGIUfGIS4+0BRRRh8JRRQVdb:mOHEk15JiQmb6S38OVUptIVIS4fRFGG
      MD5:4E7EA3F060C0601B24F133F8B9A186AF
      SHA1:5836A16D083998EA7037AD4CE4860F936F35CFA0
      SHA-256:73A0B0075106D27FA9777280F8F8FCFB879B95C4721D9FBAA6854C8AC4C7974A
      SHA-512:148E81B0C32E03AF7E968C7AC4D71DCC450D6C5FC9D46A77CA7E1CC9BC14005FE6CDE2516879717F28DABAE433B1B5CD0C8D843253780AF4D60F74C12B705A81
      Malicious:false
      Reputation:low
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <img src='./img/yandex/yabrowser-title.png' style='position:absolute;left:220px;top:15px;'/>.. <img src='./img/yandex/yabrowser-plus.png' style='position:absolute;left:5px;top:105px;'/>.. .. <div style='position:absolute;left:90px;top:70px; font-size: 18px; face: Calibri; color: red; '>.......... ......., .......... ....... . ..... .......</div>.. ....<input type='checkbox' id='yandex_installCheck' checked='checked' style='display:none'/>........<div style="font-size: 12px; face: Calibri; color: black; position:absolute;left:15px;top:215px; z-index: 9999">........... "..........", .. .......... ............ .......... <a href='http://legal.yandex.ru/browser_agreement/' target='blank'> ...... ........</a> .....<a href='http://legal.yandex.ru/desktop_software_agreement/' target='blank'> .. ....
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):1872
      Entropy (8bit):5.6999157790312465
      Encrypted:false
      SSDEEP:48:zOY1553YIX5PgiQYU6Sw8OS9IAIS44R7GG:zOYp3tzQNs8Vltv
      MD5:1AB73FECAB21C6CC4B22527B1AD5234C
      SHA1:4AD1F0BEAC7402FEE64565BD18B86E60E2574181
      SHA-256:5FBDCD9AB1DF58B0B5D530F6834F183C287DAB5CB46BB47D24BFB37357DFD7E5
      SHA-512:2462BEDDCE5CDEBC206104AB2BA28EEB86978F629DE231100A0939E70A764D813A4CFDD8B484DA3AF8C66AC493CA04696209A307C959FB847AFD078FA8018D0D
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.... <img src='./img/yandex/yasovetnik-title.png' style='position:absolute;left:220px;top:20px;'/>.. <img src='./img/yandex/yasovetnik-screenshot.jpg' style='position:absolute;left:330px;top:75px;'/>......<div style='position:absolute;left:30px;top:75px; font-size: 18px; face: Calibri; color: red;'>....... ...... .... .. ......</div>........<div style='position:absolute;left:30px;top:110px; font-size: 14px; face: Calibri'>............ ........, ..... .. ..........<br> ............ ......, .......... ...<br> ............. . ........ .............<br> .......... ........-.........,<br> ..... ........... ..... ...... ........</div>.. ....<input type='checkbox' id='yasovetnik_installCheck' checked='checked' style='display:none'/>........<div style="font-size: 12px; fac
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):9681
      Entropy (8bit):5.150565791535141
      Encrypted:false
      SSDEEP:192:oGPsp1sugDG1Vv4WxVAxVLip75+L8+oiB48oqNC:oeUpgDG1Vv4EAxVLip75+L8+oiB48oqU
      MD5:3CEA2EB18AB74B059DB23F3489DAF74D
      SHA1:2DA9598C0C6BCEB9929AC3C4C484665C4EC25B4E
      SHA-256:F7BF37699F6A08BC2053BD72064C4CF61FDF5F34F2344372341A90EE784079CE
      SHA-512:B35BF6FF0D73FB61C4AAB46703B57F311A64602D245C1923E40946B836D06D7E85276DE29A8F2EF94F8FEA66DF68B76AE6B5CD08E2DD345461415426744D7615
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.. <div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE##"><img src="./img/close.png"></div>.. <div style="position:absolute;left:40px;top:40px;"><img class="mediagetLogo" src="./img/mediaget-logo.png"></div>.....<div style='position:absolute;left:230px;top:30px; font-size: 20px; face: Calibri'><b>Fast downloads</b></div>.....<div style='position:absolute;left:230px;top:70px; font-size: 14px; face: Calibri'>To continue with installation just click "Continue"</div>..... .....<div id="closeLabel" style='position:absolute;left:230px;top:140px; font-size: 14px; face: Calibri; color: Gray;cursor:pointer' onClick="##CLOSE##" onmouseover="return mouseOverClose()" onmouseout="return mouseOutClose()">Cancel</div>.....-->.....<div style="position:absolute;left:310px;top:128px;cursor:pointer"><img id="nextBtnImg" src="./img/next-en.png" onClick="##NEXT_PAGE_BUTTON##" onmouseover="return mouseOverNext()" onmouseout="return
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):12253
      Entropy (8bit):5.1663969930349305
      Encrypted:false
      SSDEEP:192:8pcaap5OWpgx6J9W2boJfTzWICQWJxyniIiRiq9Yh6zndIdRdqJRI7k:8pCHtze7aZQcM7qR9Yh6L2HcJRI7k
      MD5:6BB07D6FF02DC6398F9520EBBF8B6D07
      SHA1:7AF435C6AD36169432CA636044230DC3A367EF04
      SHA-256:FC3A415E1D6F764351B99639A03E32631C3525A3BA54D72DA0492232110152FF
      SHA-512:79329E2164A7B88AC0CC096349196559473DA5CBB6BF5084EA8255F608807D3A144F5E1AE536206AB8592471EF0214D5823339C1B3FB3BBE8FAA3C40D866B777
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>..<div style="position:absolute;left:10px;top:10px;"><img src="./img/mediaget-logo.png" height="30px" width="30px"></div>..<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE##"><img src="./img/close.png"></div>.....<div style='position:absolute;left:160px;top:15px; font-size: 20px; face: Calibri; color:DarkSlateGray;';>........ ........ ...... MediaGet</div>.....<div style='position:absolute;left:80px;top:50px; font-size: 20px; face: Calibri'>... ......... ..... ... ........ ...... ..........</div>..........<input style='position:absolute;left:40px;top:90px; display:none' type='checkbox' id='addFirewallExceptionCheck' checked>.....<input style='position:absolute;left:40px;top:110px; display:none' type='checkbox' id='addWindowsAutostart' checked/> .....<input style='position:absolute;left:300px;top:80px; display:none' type='checkbox' id='addFilesAssocia
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):11957
      Entropy (8bit):5.207621051207641
      Encrypted:false
      SSDEEP:192:IGFgb2gx6J9W2boJfRRluYFWTcXWXfyniIiRiq9Yh6zndIdRdqJRI7U:IQeLjWTcX8M7qR9Yh6L2HcJRI7U
      MD5:E8E3D64CD3CE18A45DA3FA3D078644D6
      SHA1:C03C8D2F81998C119D628D60EBB6B48F19F97D12
      SHA-256:DBB588446AB6A0FD4993FC385D7E4A50BEF75F3698827F223886FED8E3A0E3D9
      SHA-512:E6496C45801686EB78C5047EA36E81B845890F68E6F5F9138DBE940829B246E7FE6C09564A20252C697417DBD762C9E40915F55C7C08D0AF84753F235E18592E
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>..<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE##"><img src="./img/close.png"></div>.. <div style="position:absolute;left:40px;top:40px;"><img class="mediagetLogo" src="./img/mediaget-logo.png"></div>.....<div style='position:absolute;left:230px;top:30px; font-size: 20px; face: Calibri'><b>....... ........ ......</b></div>.....<div style='position:absolute;left:230px;top:70px; font-size: 14px; face: Calibri'>... ......... ..... ........ ...<br>........ ...... ..........</div>.....<div style="position:absolute;left:280px;top:128px;cursor:pointer"><img id="nextBtnImg" src="./img/next.png" onClick="##NEXT_PAGE_BUTTON##" onmouseover="return mouseOverNext()" onmouseout="return mouseOutNext()"></div>..........<div style="position:absolute;left:40px;top:200px;cursor:pointer; z-index: 9999">......<div style="font-size: 14px; face: Calibri; color:
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):11738
      Entropy (8bit):5.0483804223524995
      Encrypted:false
      SSDEEP:192:kHANJVgx6J9W2boJfRUg0Xm3onWsuyniIiRiq9Yh6zndIdRdqJRI7g:LPeQm3onSM7qR9Yh6L2HcJRI7g
      MD5:04CDFA7E072948AFF164E2E347AE077E
      SHA1:E8576D046AA7286BEDB374B52B5FB66C660AA34E
      SHA-256:4DDB2B7255D3AC03DA234A34971E1EF5E5DB8710CAC2C8BD3F7644F67C9DFED6
      SHA-512:EA38EAD19B6792361F72F359D53D1F68D9A479D49A6DFC299315AE8FF52570279FD821F6B472F0DFD6BD220274C3F6221E4346835DB34E35D81088610395D698
      Malicious:false
      Preview:<div id='##PAGE_ID##' class='selPage'>.. <div style="position:absolute;left:40px;top:40px;"><img class="mediagetLogo" src="./img/mediaget-logo.png"></div> .....<div style='position:absolute;left:230px;top:30px; font-size: 24px; face: Calibri'><b>##TITLE##</b></div>.....<div style='position:absolute;left:230px;top:90px; font-size: 14px; face: Calibri'>Medya i.eri.ini indirebilmek i.in "devam" 'a t.klamal.s.n.z</div>.....<div id="closeLabel" style='position:absolute;left:230px;top:140px; font-size: 14px; face: Calibri; color: #BEBEBE;cursor:pointer' onClick="##CLOSE##" onmouseover="return mouseOverClose()" onmouseout="return mouseOutClose()">Iptal</div>.....<div style="position:absolute;left:300px;top:128px;cursor:pointer"><img id="nextBtnImg" src="./img/next-tr.png" onClick="##NEXT_PAGE_BUTTON##" onmouseover="return mouseOverNext()" onmouseout="return mouseOutNext()"></div>..........<div style="position:absolute;left:40px;top:200px;cursor:pointer; z-index: 9999">......<div sty
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (357), with CRLF line terminators
      Category:dropped
      Size (bytes):955
      Entropy (8bit):5.575059197703277
      Encrypted:false
      SSDEEP:12:FRgQM0g8U+SskX9Dl1b1c5A0KbYz6+SskAmKa2AlABAEdEtlFBRJAlA7Eep6AbzY:TWP83ShN51W60K0Sh/BLlfjBROlwBg
      MD5:EFE8B553B302B54B8B3B36442C7F92E9
      SHA1:A79AD2B9FD9783C83C21982F205408D914490A00
      SHA-256:0F65B9A2883FFAFBFA7FDA230F6DB26A35D3683218B6162CC46C3BA483E6E752
      SHA-512:EF465E312B752FE100217D8F73C68AD1DB76A714DF5EBE1F89F4032CF5606A640FF40E4F835BB35C2964842584E6DC950ED7C869CED6FB1EDA7AD65C8478D476
      Malicious:false
      Preview:<div style="font-size: 10px; face: Calibri; color: gray; position:absolute;left:40px;top:240px; z-index: 9999"><img class="mediagetLogo" src="./img/yandex-logo-ru-gray.png"></div>..<div style="font-size: 12px; face: Calibri; color: DarkSlateGray; position:absolute;left:160px;top:235px; z-index: 9999">....... "..........", .. ............ .. .........:</div>..<div style="font-size: 12px; face: Calibri; color: DarkSlateGray; position:absolute;left:160px;top:255px;">... .......... ..........:<br> ..<a href='http://legal.yandex.ru/desktop_software_agreement/' target='blank' style="color: DarkSlateGray;">........... .. .......</a>,<br><a href='http://legal.yandex.ru/browser_agreement/' target='blank' style="color: DarkSlateGray;"> ...... ........</a>,<a href='http://mediaget.com/license' target='blank' style="color: DarkSlateGray;"> MediaGet</a></div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (487), with CRLF line terminators
      Category:dropped
      Size (bytes):788
      Entropy (8bit):5.550513698850116
      Encrypted:false
      SSDEEP:12:Fti4XUM0VdUR4w9Dl1b1c5A0F2rlJAlABAEdbacBhIFGAlAzbepU0HYzHPo:G4Vus4Q51W60F20lfWNBhIF7lG62TPo
      MD5:68E589AB2C32A2E08AC8F80D997A1087
      SHA1:84A7C3C9DD72A4859DAEFA41E849B792A60B03FD
      SHA-256:D5D56F2F71A322AFB4C931ABCE9C7FF82B75C7107A145BEAE535C9887935169B
      SHA-512:FD3F94CC1088E241D000DE46BDBFBB7F818EC62E9FF54BD000A153CB41B182BE420B914EB5794EA7917C5842E3D010264072B3DEFF4FD70692CA68BDE6AC9F9C
      Malicious:false
      Preview:<div style="font-size: 11px; face: Calibri; color: Gray; position:absolute;left:40px;top:235px; z-index: 9999"><img class="mediagetLogo" src="./img/yandex-logo-ru.png"></div>..<div style="font-size: 10px; face: Calibri; color: Gray; position:absolute;left:160px;top:230px; z-index: 9999">....... "..........", .. .......... <br> ............ .......... ...........<br> <a href='http://legal.yandex.ru/desktop_software_agreement/' target='blank' style="color: Gray;">.. .......</a> . <a href='http://legal.yandex.ru/browser_agreement/' target='blank' style="color: Gray;"> ...... ........</a>.<br>.. ..... ......... ....... Chrome <br>..... ............</br></div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (456), with no line terminators
      Category:dropped
      Size (bytes):466
      Entropy (8bit):5.1827473712588885
      Encrypted:false
      SSDEEP:12:FR4XUp3CSBJAlGAEdbSKAlIbVSzZOuq6RXPL:T4IOlpWWlIpSzZY6xL
      MD5:BC602FE860B934B83DC7A39CA5119626
      SHA1:EB8CBF076D5ABD2909EF2841DE2A6DCEB81C10A5
      SHA-256:0CB2310C38DB9F50631C29054E35A9AADA1BF0D205FA041D67FBCED29128EEDE
      SHA-512:BCC7121731B90910D4C85D2F841A5319F14DFA0D3A47FDC32450449EC400A711000BFB1A42FBAC4AF9ACBEDFBC7EDF87C09D0288E9B59AAFCAE8A667DDF6EA3D
      Malicious:false
      Preview:<div style="font-size: 10px; face: Calibri; color: Gray; position:absolute;left:40px;top:235px; z-index: 9999">"Devam" butonuna t.klad...n.zda, <br><a href='http://legal.yandex.com.tr/desktop_software_agreement/' target='blank' style="color: Gray;"> Yandex</a> ve <a href='http://legal.yandex.com.tr/browser_agreement/' target='blank' style="color: Gray;">Yandex Browser</a> lisans s.zle.mesini kabul<br> etmi. olursunuz. Chrome yeniden ba.lat.lacak.</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:exported SGML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):677
      Entropy (8bit):5.381720504085217
      Encrypted:false
      SSDEEP:12:8HyOcGiMqLySb86pVXq2ySb86euXmyxlqZgIe1myOZg4v4:onDub86pxxb86BFcgIayg4v4
      MD5:E57D564FA41ED5EA0A7F7A9852A63FA4
      SHA1:0B60EDE6A53241A7890B699A64D6353449EC9511
      SHA-256:7B33A1645C15771B863D6C6C1AF1C8EFFBA22FAD9DED94E6F67F2DF1BECD0B66
      SHA-512:A400D0820F2F8FB34A32BFC309F1568D090F91F671C4E7E659D3912E13CB1BE4819C3A653088562AC0C82E6BBEEE64A0B42CDCA5C3DABCA7C648E21A91F0E0A8
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage'>...<div style="position:absolute;left:0px;top:0px;"><img src="./img/cancel_page_simple_en.jpg"></div>.. ...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE_BUTTON##"><img src="./img/close.png"></div>..-->...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CANCEL_BUTTON##"><img src="./img/close.png"></div>...<div style="position:absolute;left:410px;top:210px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/yes-en.png"></div>...<div style="position:absolute;left:120px;top:210px;cursor:pointer;" onClick="##TRY_BUTTON##"><img src="./img/no-en.png"></div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:exported SGML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):677
      Entropy (8bit):5.381720504085217
      Encrypted:false
      SSDEEP:12:8HyOcGiMqLySb86pVXq2ySb86euXmyxlqZgIe1myOZg4v4:onDub86pxxb86BFcgIayg4v4
      MD5:E57D564FA41ED5EA0A7F7A9852A63FA4
      SHA1:0B60EDE6A53241A7890B699A64D6353449EC9511
      SHA-256:7B33A1645C15771B863D6C6C1AF1C8EFFBA22FAD9DED94E6F67F2DF1BECD0B66
      SHA-512:A400D0820F2F8FB34A32BFC309F1568D090F91F671C4E7E659D3912E13CB1BE4819C3A653088562AC0C82E6BBEEE64A0B42CDCA5C3DABCA7C648E21A91F0E0A8
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage'>...<div style="position:absolute;left:0px;top:0px;"><img src="./img/cancel_page_simple_en.jpg"></div>.. ...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE_BUTTON##"><img src="./img/close.png"></div>..-->...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CANCEL_BUTTON##"><img src="./img/close.png"></div>...<div style="position:absolute;left:410px;top:210px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/yes-en.png"></div>...<div style="position:absolute;left:120px;top:210px;cursor:pointer;" onClick="##TRY_BUTTON##"><img src="./img/no-en.png"></div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:exported SGML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):669
      Entropy (8bit):5.380023504221536
      Encrypted:false
      SSDEEP:12:8HyOceqLySb86pVXq2ySbIeuXmyxlqZgIedmyOZg4QUd4:o1ub86pxxbIBFcgI4yg4v4
      MD5:CA9BB2A0A69D0EABBF616D0BE35CECD1
      SHA1:687DF9984B88C6F394D2D8BE64A0AAEF1A3E8CC7
      SHA-256:7A4F5103E8B7A7EDE0A08FDFED809037256BB989197D1D45F57ED8ABD68EA0D5
      SHA-512:CF838F765DE0FBFCC7AB16BCA9FF7043B5BFF738B513E9ECBD49C932CF2E3E5CB9440DE5F36A4461FDC26E2528A44FF3B0BB4887BE1A3E7F5838CBAA392B688B
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage'>...<div style="position:absolute;left:0px;top:0px;"><img src="./img/cancel_page_simple.jpg"></div>.. ...<div style="position:absolute;left:660px;top:7px;cursor:pointer" onClick="##CLOSE_BUTTON##"><img src="./img/close.png"></div>..-->...<div style="position:absolute;left:660px;top:7px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/close.png"></div>...<div style="position:absolute;left:410px;top:210px;cursor:pointer;" onClick="##CANCEL_BUTTON##"><img src="./img/yes.png"></div>...<div style="position:absolute;left:120px;top:210px;cursor:pointer;" onClick="##TRY_BUTTON##"><img src="./img/no.png"></div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2016:03:21 12:57:40], baseline, precision 8, 680x232, components 3
      Category:dropped
      Size (bytes):30507
      Entropy (8bit):7.451190034170032
      Encrypted:false
      SSDEEP:768:xcBDGrp2k5iA/cIFpQVRP8YRhA3LosCiU0:hrp2kZFpQbjRh+CE
      MD5:0CCF12B7766E6B9F8ADA1D837C87BEFC
      SHA1:63A712AD7E7CB8B710EEFF215D3C164C777AEAD8
      SHA-256:8B17DF1B2DDA0E59878F23E75AF2681A5C9CCBAE40E504532733A835C4450140
      SHA-512:E51607C9DD548DC8F0C77DC6C4946A541E5ADF35C848079A9D8987AEF26283C46093D79E289C31AE12B2D2E7F9286971DB3E02ECA9CCB0C7CDF942F22DA706CD
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4499
      Entropy (8bit):7.925436237660937
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xXasz5Hg8DvRyN:bSHIIHUCD4wadasdfyN
      MD5:1D6E2B901F7145832E4FA54C57A5BF77
      SHA1:BDC34E2535610AE1E54FD4F0A1931CCA753182F0
      SHA-256:BF8F91B944B9D437FE83974096C4F3D2AD93991690FA0A6D25002BE713AAB651
      SHA-512:D1EB04DF6D260E31E3549BCF01DB33C7F843624AE4A33211BB0B5A762A591F4531DACA49E33CFA6F30EA4BF21A2805D8E93D6CB5353BC9BE5756AA56829FBB97
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3935
      Entropy (8bit):7.90263688431469
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xe+4+J0ItuLOSsCM/:bSHIIHUCD4wav4+J0ItUsb
      MD5:6974CD17749849D5AAE93AF0A2D5C460
      SHA1:3826D9AB26FE22D3F93583C556A560198AE6D72E
      SHA-256:3A505EF15D53235CC633A6137B8232C48825677391CCC911B90ED8FA911BCF19
      SHA-512:B634BEAA392E174208724BD02D3EC9CF7D6E3C446DC279EB5AF1814B6C88712120C01A35C9BF6C7F732D92600286B339574B2B519DA2AD070963EEF3C7340A75
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2020:04:15 14:04:14], progressive, precision 8, 680x320, components 3
      Category:dropped
      Size (bytes):60483
      Entropy (8bit):7.736136999624722
      Encrypted:false
      SSDEEP:1536:2iZOVTiZOVBsolblEPlI54bwQJWr/JtI/orrPL:2fVTfV/YdS4bwXIgrrj
      MD5:14E0F07D43D39C8BA158782CAA28E1FE
      SHA1:D10F33A86EF44C46861688379690D841C51A735D
      SHA-256:9C170036649A9DA9ABCD7EBE6931BC8E9E1E8070C7DDA821F06CB4A69F87296E
      SHA-512:4A1CF493BDCB09FB9CB594B4BC70D8E6439C95A70C26F07F758C2A55C988D24D49019C9D89907BB485A164DCFC0C45922E730CBE1DC5C2376A58BA08C22D782B
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2020:04:15 14:03:49], progressive, precision 8, 680x320, components 3
      Category:dropped
      Size (bytes):56837
      Entropy (8bit):7.799998050440673
      Encrypted:false
      SSDEEP:1536:OsfJ7j1McItevM3kLe42ikc+9yZyuvT5pFoWFuV:hDMcwefe6+9UyuvT5S
      MD5:106667145B71B8CB7369B3BBC09EE1ED
      SHA1:F4D341034C19AD77EC0E41230EE3B907D0F02321
      SHA-256:7A008591B88E5409DCF908AAB375E5557A9FBD8F61058F949012C69015B7ECAE
      SHA-512:8E8408EE55B312DE1A2607CE6CC6EF7E46BD3A707AF40FDBFD38C1347AEAE1AFF0AA214666D1F08C7709826387FF40EEB90D36871C89E09532CA5E085EEF81CD
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3479
      Entropy (8bit):7.896434420518669
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xX+XF854m3:bSHIIHUCD4wax+eWm3
      MD5:B763B80BA47497BD8DFBC3758A31CBA7
      SHA1:5CC664E75D68C1484726815A0BA81D2C7A3FE30C
      SHA-256:4FB6BF93445C6E987D988F9E3ACA6A8380A56F8AFDBAB4940EE69FD20E82B457
      SHA-512:6FF42A9DCE2FF90614BBB1135A3DD311A5D3F65616964DD7207D8ADCD0B9314ECF56965D17763F72664E091B95161F5DF509ECD384AA57B8AD708285C5192DCD
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4359
      Entropy (8bit):7.913299632309897
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xLZjVtdpLyNGb9DvVLB6/:bSHIIHUCD4watHtdeGxNBY
      MD5:3E44D126179E4FEFDE781534458337D8
      SHA1:C00B6C28E7B2D79834822E165C42A1BA46E0E04B
      SHA-256:B1CB1F753910CE1AF9445FC559970D5ECF918C3BA589EE2F98D568727C38B250
      SHA-512:80FF1C4F512D7D21701DB077B3961F2A59DFAAE8AEBEFB0AF841DA6F442C5317B595448E18A2C0E11C27E2AE8F8578CB719BAF2DA962CB08CAF8BF4E64981C9B
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3300
      Entropy (8bit):7.879764416710231
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xPqNGpqxpf6:bSHIIHUCD4wadqNGwxd6
      MD5:A654BA9FD8904DFAFD090B09D42DFF13
      SHA1:853C66E60697F3ED2F9D6B79C3C5B07362DBDA02
      SHA-256:B168C81582AAB262A7683B4EDE2796F2B07B7DD5B20C256BA09CF2A9DF9865B0
      SHA-512:C0F13CA919184B3736E6254861E58D565D679C7206E6395F02AC798346693A289E545BDF31CA8A815CD5A22B8A0B63E6130E45C9CC91043900DA81C9A0FC6AF8
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4568
      Entropy (8bit):7.93453321447606
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xQtNuFZ4kr9jhQFjkRWAp:bSHIIHUCD4wa+tNuFekJEmWk
      MD5:FF072DFE13633B9E50675D7D68A90313
      SHA1:DDCCBAE1A3FA851C448D521F5269A480C98D76DD
      SHA-256:D16E4B93290D8E12AFAA50C55ADEC23D8F1396D790D19D9B1FEB533EDAD7549B
      SHA-512:5642C0BACAA26BD518868C66C008BB82C1300551CC80AA3D8530878FA7A04A6165315994698A4ABA714A6F9E78E4959A9C38E656F78E5D3ED0430E325DC3DBC8
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4314
      Entropy (8bit):7.917177368893782
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xytObk36ZfuQfcAE9mwJwo9U:bSHIIHUCD4wai6haA4m3
      MD5:5F7599F93FEB5A69A267A97115D5E9B7
      SHA1:BECC65EEDBD499A478C671E91C9FD7AF25BDE0E3
      SHA-256:267C56377617DA011B90FC05DFB836EE19678033A9AB642FDA42A68F212D775A
      SHA-512:4D43BBAFC54E36ADC8F43D26392DDF6E9B2D0445C527E93ADE1B88F5FC811578084828CC1730CC8ADD15B7D19FCD7C949C921F1C478FD75049CAC0DDF08167F2
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 206 x 62, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):1626
      Entropy (8bit):7.708694112589448
      Encrypted:false
      SSDEEP:24:TME2IGijqWq72LbOnbNsIA9MBbLgfjbcjhgbQ46MIwkJRneGp234ZqvjlYITA9JX:T9GiRquObN0+ujbHaMI1yLcAhYrvP
      MD5:6D99956B38246482EBAAACF875FCB680
      SHA1:757ACA17309ECABC50A533491A15F294CEC5366A
      SHA-256:14BDF8206611F5D3409067DD41E8CB6746600F5BDCC03C28D70E21478C4A4B5D
      SHA-512:475A0D164AFE11EF3891CAE6D6DE4410168EDA803023E9FB0BAE86B42BA64C66893BE093FD2EED02CD719AFBC9BC49388768CB5F7EDE76592EE66A453967F8A0
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4991
      Entropy (8bit):7.928803006278162
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xbuDjYU2OmVCXz6g7GBWeFMD8P:ySHIIHUCD4wautmVCVyB3FV
      MD5:943E1EA5CEC617A488BA0243977B108E
      SHA1:C85EB79D8C92328075798C7C3F622895E311A6B3
      SHA-256:9F4E10337AFBCBD927CD445C285FF48CE47F3C2EBF04E6A9AFD271BBA3BDBFC4
      SHA-512:E5E1202435463452B1C318323592A28AE81E2E2B0E6372EAD28D23534F217B3D4F66376A0A1165A16870AB4D10C349064E5A0F416182BE841E37B4EF884B0419
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3985
      Entropy (8bit):7.909025723521929
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xkHRrWd+GxgUrQ:bSHIIHUCD4waGxKkGNs
      MD5:B3DD5AD11C8B9F0163596FF34F96FC51
      SHA1:8BC6E3F265D1678CB06BBE1F1033836C689BF6D2
      SHA-256:9ABBC64E23EF322032018D48C01650F375AC16D0FE1717ED169405DDFB416F65
      SHA-512:A52B3B96F93AB6623C969E20621617851716D3ACC1908A932A7CAED912F5E2212D5C1DCB03458ACDD23784731A1E615B29E5EC59E9A46556B1258C948EFFEC95
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3883
      Entropy (8bit):7.906842992589639
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xojdj6AKDC/DsRUb2:bSHIIHUCD4waMF6ARbsRUb2
      MD5:7B2A7E4182325D1F6ECF4AB3A804CB9B
      SHA1:A7DD7E31AA3139A7E93996BD8445C4E10045F30C
      SHA-256:9AC72796032C936D1C4DF6F3560A6D90E793ABED7166A1A9BA7CB205FF71025F
      SHA-512:7032FB6226E863E25CB981CC776C8BAC1070361C59044023D6C9B399A85B0C311F6B591E71F053D29FDA45E4A6867AE2BFE01519809BCD84147D6DBE859CFB18
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4257
      Entropy (8bit):7.911489962328254
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xZvxPex2dpCl4:bSHIIHUCD4wa1dyC
      MD5:0C20E488CB0E79CCD4668387E84F9C1E
      SHA1:D656AACB334753D641352CBDAE28E7285EF1D8FB
      SHA-256:9BD84EDBDFE0BA75B4D067C335DE6D3DAD90E203EA12915F9A67DBB402437CEA
      SHA-512:335CE68F563148ADEA6B33D0BB295AF109D28850C7F3C8AF78BDA5F58C545D3674532732763C0B5CBAF63149F24399212ADC6D07B3CAEAC90897650CA39EE838
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 206 x 62, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):1492
      Entropy (8bit):7.677563509243536
      Encrypted:false
      SSDEEP:24:Tc/WHRyNVIQtc1U4zyX8XI/9xqYZmzgVxkE+hZgtNMcgOB98EO9Q766ww6ww6wwY:TgWUdGI3qDnE+hZaM1OIE6QuGGGGn9
      MD5:29FB1E2193E89A21ABE4630B14F88DDA
      SHA1:E68AC71D0101B1B34875B11C4273093A151B1FC9
      SHA-256:793CC89013DEDCB1E1F4B8E4DE2C696BD87F60AEB4450D9B99F1C1E8F09E8739
      SHA-512:F4A76AB2BFAE58C10974ED6881E8D3748474690B2D67F04ED10722E6E6DC82F693381C15E652AEADCC8EA5F294C16DEA1C4DBD5535B6CE10D3A66B904B06294B
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4154
      Entropy (8bit):7.910770766730817
      Encrypted:false
      SSDEEP:96:bSMllcHitlIxv9vk7C1+I4wWHLihk/xOihQOFNf62or:bSHIIHUCD4waMVOFNf6N
      MD5:9ED03195F26D875220702B075E29C6C0
      SHA1:CA402040918A23EF5C967FD505E5BE1087DB3D9A
      SHA-256:1BC28C53F21A5E0083B9C2D2B959539B97C78920102D5A06059F4DCA867473A6
      SHA-512:C4845FC722057950D06077324A560A5694FBEE913E8E98658A13788B4A3C93EBF5776657BAEF623D1DF2DDB421EB560A121EF6E5F2ECBE2D21EF24D81111E16A
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=310, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=680], progressive, precision 8, 680x310, components 3
      Category:dropped
      Size (bytes):21833
      Entropy (8bit):6.917213946073042
      Encrypted:false
      SSDEEP:384:ftCiiG3vng/LiBYNg78yWGBuubtz2Iy9BYkurorSZT:ftCiF3vxYyPRTtztyfYkAosT
      MD5:0523F7FA41CC8349774D7336B8E9DBCB
      SHA1:8DA9C5BBD51A366DCF3BEF18C471EA8EE5AE3056
      SHA-256:F63B4CA1BC7AEC4B98DCA35C9112FCB5065C362F33760CA520DEF2E8A1A933E1
      SHA-512:942DF5EEECA649FB18EF3B417F6E0053CC64C0567984198ABDF65DA0C10D70CBBC0E583BC2C20F2F570D1E6A47DC91D7D1E3F35CC1B1B8753E031BFB0D59E741
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=310, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=680], progressive, precision 8, 680x310, components 3
      Category:dropped
      Size (bytes):28274
      Entropy (8bit):6.974824782530709
      Encrypted:false
      SSDEEP:384:7YNg7giibYNg71vn6/liBYNg7xh3PXvMv8pkJdhZ4l:7Yy0iAYyJv1Yy/P/MUpUc
      MD5:EB5615660E55716CF933ED44222028CF
      SHA1:07DC30D1BECD565F0128415FBFC47507B2D9BCBE
      SHA-256:C09077E451BCED29D799B6D2B7A8982205E5087D4B1ADDFA7566C574BE7775DA
      SHA-512:63655245606E6886C63DC3AF393B589A40C723E10E03A63944EFB94EF0FD5473BD805A1427187AF539D50DC5E61BBB9E5C2991E10DE79DA305EB8D09A77686DA
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):594
      Entropy (8bit):7.284771036181718
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj0ENcqRCsKH8TylGgWmGl:b/62Mc+4Muv2lMDz1QjvFR6+g2l
      MD5:43C99C5146E09CFA42C5BB0200521EDD
      SHA1:1373E1708988A60C135D10BB835D072D5C70B129
      SHA-256:5C872761FED19FE5DC7276B5AC89259744BC1864BA7AAB81B0C44A2427C9D367
      SHA-512:F35DA12FE3C3E6B2A33A7BDB8B4207C31C2A3CF6E9C8C37F4D76FCE84C8AB8DBFC3358E7B45E981E62D10647952462B7DDC5BD4FB3655EECC18A4448F75577F9
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):691
      Entropy (8bit):7.400499400699301
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj0GsHh10AOKAAvDs9Ltj:b/62Mc+4Muv2lMDz1QjDsHh3MsI9LR
      MD5:5E5359F444A2F7F727BF055729F1DA5F
      SHA1:B7863BE1EA595A7FFCDDB14442E46CD30D866327
      SHA-256:57FE447542AE8B49444A09A7A07B7EA24C83EAECA5AAF087F4EC50CB289135BB
      SHA-512:D866A98EF177DB8040AC10B9F96D0F37A7D11F57EDB46CEFD2EF883950CAFCDE64704D706A661D266023D95DB68690AC0F4BBB28919A2365666E86093EF854DB
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3049
      Entropy (8bit):7.874580692912668
      Encrypted:false
      SSDEEP:48:b/6qbllck+itY5vm7I6Wzv9UAOb57C1cSMIg6lc3d+0UWHdVG/jJtFo3/d7zaY+d:bSMllcHitlIxv9vk7C1+I4wWHLihk/xU
      MD5:CDC0E7EFCEAE3705956CF9806376C450
      SHA1:7D23E81BF8E9C5E34EE65A8CB66B46143B4E9D7B
      SHA-256:B82E0BC74FD601BFA5C2BBADEEA7BE20720E9B614622A7A92E45D642B0343426
      SHA-512:B9BE2EF3149F2427D274DF995AD1B3A32C44A3BC02FB343B0BF5DC82DA3A69A2D22FF273053B7902CAFDADCEE2F2365FFEB27355443EEE9A6313E77BF9046C3A
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):389
      Entropy (8bit):7.28884558678762
      Encrypted:false
      SSDEEP:12:6v/78AVlQdqR6iYW53JO8I7usvN3QlpmP/k7eFlnQt:clfR6iP5PI7RQHeeefq
      MD5:64FCB4193C444F034D1312873BB62943
      SHA1:05D0EDC924CB1CE30239EDAB01855A70991E3357
      SHA-256:42FE4EE2D1A6F3C7A08E2D54C4EA1B206395FD647F954A1076AB389900C6D82A
      SHA-512:054D50EC7806A5B4DD71287C03F5FE92F70A2027C0D77680CBD53C4D75A8611798F096D0A5AC9D2DFD556226E489A9CCEED80D006FC7681508DFEAC5D8473D6D
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):633
      Entropy (8bit):7.337431096542785
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj0Q6ZtUmR+P/WpVfPbz5v3UN:b/62Mc+4Muv2lMDz1QjgZbYXuVfPBkN
      MD5:BE84C0A7BB79D587B8AE44365EB05B24
      SHA1:487B2B7CD265889C5AA35EED7A721A4C0EE7075B
      SHA-256:04ACFCBA51D2831B64E05C96CC21DD19A2E9E0E12A38DE1F46BD2D38E303B68F
      SHA-512:879B5EF67F1FF3EE2B72CEF73A0C8A6A41D16B32A210F4C9EADEF18C5783A20E9E9BF1010259F631B3565C7DF19F65DD16219EA09825F9B3689DC88B780F771C
      Malicious:false
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):744
      Entropy (8bit):7.463214809782998
      Encrypted:false
      SSDEEP:12:6v/7m/6TUaWI5c+4QIIuary0BjlMN7Eoz1hmj02XFbz9+fd55WllImems5YOjLhA:b/62Mc+4Muv2lMDz1Qj5Rp+l55WllxP9
      MD5:06B1D4FB3003F0C449C74A1EF9156F37
      SHA1:D8D85F93330E52405A5C8F974496826B99A9DD8E
      SHA-256:9877B0C11463FF0F9B1DED7A49A6857237B7B5B8160C9178549D01CAD355159C
      SHA-512:1578A62B73B03AB6A7557F6195AD00C8A351FE7B8CD5B945057B995B89B698AD18881A8AC7E72B0E0FEBF1A417911BC765CA398C61BB1A0DCD067EAF769C0844
      Malicious:false
      Preview:.PNG........IHDR................a....pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..|9...S.....n....$....+..y.;...|.*.L..n.. *@.B....0.~.A...:i.@<..^./@)...()..A|.f..|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T..*......x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z.....,IDATx..Mn.0...8...$.d.`.Jn...e8C..K.>.B...*....ED.sW...J.............x...W.)(..Mk.*.z.E...zP".....BDR..l..b.m..{.G....N...3....<...F.H7@UU.E.`0...w..|:...M.l6h.Y,.......s...V....!Q...nq.eYk..9w.AUU.\.%a.r.\....c~... .s....i...a6..$.eR.....1dYF..L.S&..m.....c..e........{'.u..~.Edu<._..'......l...l.gt....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):218
      Entropy (8bit):6.433223624675344
      Encrypted:false
      SSDEEP:6:6v/lhP6IcRnDspZBHIA52b7Gu/BpKudIrIrwp:6v/7iIrxHIPHx/B3cIW
      MD5:B3BE2D1089A6F1478586814141E261A3
      SHA1:D597501F5977BD2E85FC9906330BC360507EB9B7
      SHA-256:1A50031D59D953B1A69DCC8A4D4FB9FAE244E4ECFBE4DF432026917AEDACF7FF
      SHA-512:9A9EB1E06A952982A94EF510E1106E2EC7F97AEEB598845ACECF9A824542BF4A7FB7987A1F445C0B0F868EBDF09E45E7ED6D374A80CDA045CFF7F7AA184BFF03
      Malicious:false
      Preview:.PNG........IHDR..............H-.....tEXtSoftware.Adobe ImageReadyq.e<...|IDATx......0...4t.N..e..!\.}..=....C..s....A).(.&.0..&.H.C....e.u.R.5*.D...!.}L.F....!....:.a...k(.y....0V..R...)m........a..x7*....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):359
      Entropy (8bit):7.096434333250565
      Encrypted:false
      SSDEEP:6:6v/lhP6IcRnDsxHhD0uVnCCpRrjzgsNR0thfZgYURDCFr7AndTp:6v/7iIrphDXNlTrjMeR07fOYG67Anr
      MD5:928691DF2896A9ED30FEDDC14DE022E5
      SHA1:AB542DF8188A553EC3D578D06616A537C6DC8269
      SHA-256:94AFB0F3DA39A88539ACFD0F3B7206DFF8EF7600099D33BCCC850F28D9CC305E
      SHA-512:7548E3BC6042B91A4FC85FA090A3CB3790E1E6AD2350F0F05F14745A946C89657CCE3BA526E7FEB486F247C11F909EEC89CF60D2E6DE4E5335E62C4615867F70
      Malicious:false
      Preview:.PNG........IHDR..............H-.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..9n.0......H Q<....P.\.!..%r...!."...K.X.q.B..F...y~{F.....+.'..;...,.O..MUU)j.6,..Py ..Q.`.}...a8bb..%.u..4E....K.m[...8...R.4.R.......i.yl].#1.2..M..:....GQ..0.<.c.+.,2.".O. .`Y.....q,.y.1.#|..8......$KQ.x...u.....Wm.F.$..C..A.d.r.........M.}p...0..M..x.Rx....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):2903
      Entropy (8bit):7.871277803737411
      Encrypted:false
      SSDEEP:48:2/6qbllck+itY5vm7I6Wzv9UAOb57C1cSMIg6lc3d+0UWHdVG/jJtFo3/d76RzN:2SMllcHitlIxv9vk7C1+I4wWHLihk/xu
      MD5:5147E38DAC6CD2240123AE354B2402AB
      SHA1:2BEA80FDAF1C3D0C12972B5A619BED26F1D14559
      SHA-256:26D47A2A44EF18E337208903FE5EE1EFBC5AFBCF17AD5D8E424C12BA983C0AC0
      SHA-512:6DC896E30E9F36BC9AA6A510899C07472CCBC21DC327CE5AFB3855504CCBC7EC252F2BC4BABD9FEB03B35AAC381FBBE5E95C90209325E8693BB3D2B4BC181040
      Malicious:false
      Preview:.PNG........IHDR..............H-.....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3088
      Entropy (8bit):7.883520361970016
      Encrypted:false
      SSDEEP:96:2SMllcHitlIxv9vk7C1+I4wWHLihk/xHV4E:2SHIIHUCD4wab
      MD5:CBF2E00625713E9237825F88ABB8C72F
      SHA1:59F72604BD12C96503914D7DEFCF8C88C1DD51E1
      SHA-256:F5311F5EA0C2F3D2548B61AFA3E332EC3FCD9D5FFB0A4EA416770F74494591E9
      SHA-512:2E974FF888ED2A993970201FA557596AA28C629A85453CF381A9A19D7821196C99E2D9A9DF11451533A08902485605C9CD390A43B956FC4A55E28184EAD89CB5
      Malicious:false
      Preview:.PNG........IHDR..............H-.....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):1292
      Entropy (8bit):6.784655495237181
      Encrypted:false
      SSDEEP:24:P1hpunQWwjx82lY2T32HEVVteeyJ3VVeeLGnsftAtQjoniNyuP7kos6BX:ditNn2VcJ3tQuq20qP7kosmX
      MD5:3823A041D226998EC950DECB63D09CE8
      SHA1:62C583BF1C7BA8AED98967EEF9BA5CF216F1E8FA
      SHA-256:B65BC9E0353544B031F9BCF9E7AB0226719F5FF1BA399544B2D8395BBC2DEA25
      SHA-512:D3C364DFF2B381037BAA823724ED974488550D67888528E3F64156E549E0D9DF1980D803E627183CA30AC2A9E89A985045E27407FC0D29401CDB8FFDB521D69B
      Malicious:false
      Preview:.PNG........IHDR.............r..|....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:816A243F562D11E19426B6DD7C5B8E39" xmpMM:DocumentID="xmp.did:816A2440562D11E19426B6DD7C5B8E39"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:816A243D562D11E19426B6DD7C5B8E39" stRef:documentID="xmp.did:816A243E562D11E19426B6DD7C5B8E39"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..[.....IDATx.\R.J.A.....K4.A...&..."Zha!".......Q4.b.....+.!..MDL..?!X(..#..K.c=...o....-'...i:5 .......o..A.!...._,.C
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 650 x 77, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3119
      Entropy (8bit):7.71098264250602
      Encrypted:false
      SSDEEP:96:9SMllcHitlIxv9vk7C1+I4wWHLihk/xo+:9SHIIHUCD4waz
      MD5:2C5A525EE7031243C43E4AE14F0080B7
      SHA1:EF0797150CF27B077D1682A0D94B2EFF47AEA1CC
      SHA-256:D3B52744D8BD75162C3E9B2314ACB5E5786D43D6CE5B69D0740546E159B43418
      SHA-512:710EB6D554665D257B9795630CA17422AD262C2677753A96843EAFCC0882465455B53C7C9D08F0ADABB1FFF90A20C58BDCB35DA65805C50A13243D41D896C9C2
      Malicious:false
      Preview:.PNG........IHDR.......M.....!.E.....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4488
      Entropy (8bit):7.914850902129742
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xKzIHwb/p0ndFg6uqhhP:kSHIIHUCD4wakzWwbud26uM1
      MD5:DB85E6D05EADA38D424A2E595643717A
      SHA1:E0B38E8BA59FEC11DE18EC5B1B66B59922620BCC
      SHA-256:B96740EEF24466EED8627BAA9A3912DA7F269012FF7513BE44A7DD0759272931
      SHA-512:EBAA8C7853039280075D19BDF076515C252C845FB28DF8CA5B9D364EAEBD4517D903884E8DA747BE1295ABF00BB79EBD554A3636045725BD57B86BB8C7B945C6
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4430
      Entropy (8bit):7.921226672000871
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xyP3ZtXjCtmvPmjll9:kSHIIHUCD4wawP3ZHmjll9
      MD5:C05092DBCFAFDF377483704AC25DBACF
      SHA1:5F3462EFF57AAABECB7CE437FD1D92DA55EDE35A
      SHA-256:74992BEE2C2BAB1A6934568058E50CA831D8BB1E09B3D0D472F3081658B18FDC
      SHA-512:B8252965DFC54E806926B684B6BF20D1167A15F95B9791AE52C66F70ED66AD4B6FD737A0850D5A17F7E0ED1CC0811B91DE5A5F07F2C99772E2FEECB3B4FB9A86
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 127 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5828
      Entropy (8bit):7.9454818689856745
      Encrypted:false
      SSDEEP:96:sSDZ/I09Da01l+gmkyTt6Hk8nTfTAVWUkk6sqnlfXa3dUlA6iYf/5JhRa4gI:sSDS0tKg9E05TcViL9nl/aGNiYfrnarI
      MD5:93BA1364E1DD335134AA6212993FD881
      SHA1:54510274AC6CC12B75D306808E19BB11B1A950EC
      SHA-256:50EB2C20CE90ECBFE0C19269369AF0865F57891864FA0E7365C6B9A4CD3D631A
      SHA-512:A4EBB16EDABEBA230EE454A6794D420999DD81C6D077D9851BDB1A4D485E4003190AD6DE4BD51FA2A431D0712E266754B298EB649D4FD1FAB967EA80546F6902
      Malicious:false
      Preview:.PNG........IHDR.......(......6%\....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+...*..x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D..*.A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 136 x 135, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):14680
      Entropy (8bit):7.975231268423949
      Encrypted:false
      SSDEEP:192:TSHIIHUCD4waY5iW8C6HYTSH4DduFk09rhQ+zXckMC2a03SIDwwdv9YPjBKCvJNQ:G50wL5VzSH4keQ5zNjQNwwdvUVZWKT2
      MD5:A27C51E0821FF975C33C70578BBE1D97
      SHA1:E067C98EC18DA0264209247A898958334778DDFC
      SHA-256:29EBD96D14DEE8E335A674BF093AF7ABFD1CBD931B3277516FBCD037366D1344
      SHA-512:4ECFD3CE91179FD6E59C8FA97322EF36A46C773FD608577343D96C97492D39F6DA42E7926C67883A3C48782A5293D1FA71D043380ACC0D8A41538241F1ED0395
      Malicious:false
      Preview:.PNG........IHDR.....................pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4465
      Entropy (8bit):7.914346867116267
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xpoBiGNsh5G7LInqibmf:kSHIIHUCD4wa/o1sjeiyf
      MD5:83C81DF0929732411F558EA71579A551
      SHA1:B8BA43E776347D7BA3255EE6B28BF234D337CC5E
      SHA-256:AA34EDFD745D5AD8781AF3E6018AA1EFB8E854E688CCCD36076713AD94D2E559
      SHA-512:621C5977ECE20B5D386C86AB03C829D7869D5F353CE77B13FC582E87DF056B10D8DEF9AFA9A2ED3F107F76BD301FF8D65071412227F9E2C4365D604DA3AF6244
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):4470
      Entropy (8bit):7.917289430396852
      Encrypted:false
      SSDEEP:96:kSMllcHitlIxv9vk7C1+I4wWHLihk/xMIzq7ZXkv9pRJdAr/:kSHIIHUCD4wai/2zdAD
      MD5:2FD9F1B799FD5787126754D2C1F6C651
      SHA1:41B61FE270C1D1B121619078D486497EB79D65F2
      SHA-256:60434DCA05436A016A7E3F4CE86B51B8A4EFC50FF5FC9E8AC16DD58BE6D26C82
      SHA-512:3A4788A01A2246AB5D525B67BA9E31FD40DDD67621EED62B10464ED34070B8D946AF8A309A6FB417AFB4C6CB56729F5A8017DA26C8D5292396B48E3E06F9528C
      Malicious:false
      Preview:.PNG........IHDR.......2......$......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4396
      Entropy (8bit):7.913214767932911
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xi+R9brt6/yyKfAi2X6NQszf:ySHIIHUCD4wab/EQAXX6Np
      MD5:2A76910CEF3A8DF7DD051770C033B259
      SHA1:F63E428920555D84ECD5113F71D772C5EF2D21F2
      SHA-256:9BD6DED5C8E41450A27716CB7A103AA8151D3688282F7F5FF4CBAA0F1FEBB6E4
      SHA-512:E7258CDF8B1ABAEF0B96F740120F3BF5916D50D657195DD160BC8868BEF1281F2568FA3E5674046DFFE3FD0C97203031EAE74893BACE796BEDB48DB10D823E09
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 177 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5231
      Entropy (8bit):7.951714136048024
      Encrypted:false
      SSDEEP:96:iSw+d36HJjEEoovnaNErgGT/sd7s2K0O8l3vEWebnuMhsvOsUn:iSwQ3yLooSEr5T/Os2KJ8lfmnukn
      MD5:049139E93363F3E947107146349AF929
      SHA1:BC56DE6D4A7D0DCF05B4CD26D1F13F3545E96419
      SHA-256:4BFEE58FB3B28E7E57554E0AFE68E197A7CFB9E3EEFC2EE6FA76B1BFE214F8F7
      SHA-512:A2735C4B19AC9D891755D6BF14E46A0E97B148E99A7137F88DFC57ECB13FFDE922DFAA1CE335122AE76A684F01ABAF0CD6180CD1206601949815F2BA2189C330
      Malicious:false
      Preview:.PNG........IHDR.......(......@.N....pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..|9...S.....n....$....+..y.;...|.*.L..n.. *@.B....0.~.A...:i.@<..^./@)...()..A|.f..|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T..*......x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z......IDATx..yx.U..[U]..;..e.`$...2.8#:,*: 8.*:.. ......*.(........*..!l..%.!a....{-...".2.....y........s.)q.rWC....).#0.....}K.D..< ..W..Y.:.h.....D....=.....NGTW&......8.+WQ...B.UTQ...*.qTQ.....!..........B.E..bA...[....b...$..S...:H.k.K.F.Z......B..BF....=Q.. ...NI.C-WM...H..wq...B\.kn.f&ew..vc.l.[....b!.a=...[...A.^%.V.'.?..i...8.4.....S.EB...../.......Dz......w..g.s.t.E.|b,..Kh...9Y~.....*......<|~l1U..............?...3..M...e....)..a... U....!S./.{..<....3w.g...8-..(.Q]....w.M..t.....d.0u&g.`..bS.Jv...J.41.).{..}y....-..,..M .....B..O..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 221 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):6532
      Entropy (8bit):7.94790780534549
      Encrypted:false
      SSDEEP:192:5SwQZjV8j7DawZVkQmNbFs6qUbDGWmzNVg:gwojAGQmNbLqcDGRg
      MD5:ADAAC85E4884F643E061C06F26D3DD78
      SHA1:3D437BAE1C1F93579DEA115F2C38F1D5334BFBE4
      SHA-256:F78541A8B1218AAFCB3BE55F0188B1F880799E49E9FBE8642403DA95902DE1FA
      SHA-512:01E2316C49304AA921F6647F014070C66CE9CF3F7474E6ED3DBD319A1115532B06AE86F2E0AD9F13FA0A097E7D30F91D14CBB5C97CB2EA10487865B6CF2BA9DB
      Malicious:false
      Preview:.PNG........IHDR.......2........M....pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..|9...S.....n....$....+..y.;...|.*.L..n.. *@.B....0.~.A...:i.@<..^./@)...()..A|.f..|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T..*......x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z......IDATx..yx.U...S..[..IHB..` ........#....WT.7.AQ.Q.w.Aq...3.( nQv$..D.IHX"..z_..~..i...g.....y.<<].U...w;.1i....t.|.i...3d../..t........U...T...2t<.....V....l<.C.~y.pH\....\..0d..c@g...!C.t...2.3d..!C.t...........[.1B Z.at.!....bZ.U."...0!.@ %0...8...Hf$!.]h...H .....R.N..]8)..........!$.B.8...9[.V..".......8!.....0..G0..m..p.........4*.[1.V........N.R.h...ys...V.r.....gYRv.&.$$..RC..8..a,.0d@.C....\.,......&.mY....?...#.*bZ..)=.^....o.V..]...>.g.A..+....b.c...C.....~t]cf.;.i.V.XS.0+.=.......R..T.t..$.f;..'.O.o...#.k..Y.y..Z>:..h1d@
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 274 x 62, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3044
      Entropy (8bit):7.854177066533027
      Encrypted:false
      SSDEEP:48:5qNJ0vYCpaYpXIM31gsITuPPf4pStL4FIhLYAJfiZnB3O1yuu6I0Pi4Si3wuw7Pp:YHCpak/1ghTuPH3LDEAJfiZnxO1A6I0G
      MD5:BBA90EDFD2AE811524E38E12D7BB0B56
      SHA1:A8E8272081CCB8329A03AA2270D7A9C845CACFA6
      SHA-256:62AC3BE9569D8DF00FC7272533A26254121A3FB27832BE016BFDBE29FD98D6DF
      SHA-512:F4186B5233E6DB81BC71E3F4600602E225EDF743175E1273ADF242DE14B1B458E1447742CD73BF4E42F77DBE4DD03FE5672668A3CCA64302C9198EFCC6A197B2
      Malicious:false
      Preview:.PNG........IHDR.......>.............sBIT....|.d.....IDATx^.}lUg.....HI{yk...2;.[.....t..v....,.L...q.%+&K.`l..pb..f.....f..{.:V.P....C"....B......;.s....sn..=....y.<..=...y....=..:..FM...FS.3\ .. .H@.A].t.[^...Gkh-^M......@..B....K.h.-.U.2...\..t..j...F...i....@(.:QFkH..P....@..> .!.T....L.B..!......`....D&.!.......@H0.@.."...DF..@.. $.. ....@H"#D. ........... $...........UTUVG......)*/Yb.h.p....P...tb`....OC#..6..@......h..h..e.T4...?....s.........].Hw||.o...=1..6...H....@A..[../.c..Ax...B.iA ......=XD....g...4...g.E8&...]8..J...g...r.[.L....ps..@.$.h!aA..3KDX@v.j..zw..JY.X|6u.ALB.D&..%.h!i......k...B/|;..b......$VH8....w.!"a/'7)j.a.| ..B .B.[.l..q..D6.^..;D$4:d..O.....*......sL...&Vw...%.s.'t9...{......Ab.H..D.._.X#Ow..%.....4....Mq.g,.$NH..j..U.[...o..}.z....$.~...pV.gL.k~..$."}..$NHT..3..........n.,$..~.v...\9....h"M..$NH._....n6.m>|/..K[8.A....4.....%"q....$,...S..B.3.(..R....u..z........U9.s...1.]|....}.i....^~..........|.r......K..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):5669
      Entropy (8bit):7.93840355691811
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xpbgAKAST+G/gOe6eV8CC34ZnFIt1:ySHIIHUCD4wa5bST+G/gOwyIZny1
      MD5:EDF2B3D5D5A129642EA1767E3073D0F3
      SHA1:BAD309410B838BB77DC3C6A4B7609F924752CF25
      SHA-256:6BBE49B48FA1C85F46DC12499E97E83A7DD7AC80D17B9F68E623EE3C263A4106
      SHA-512:99C7360A6233B4917ABBDAFCA92431B14852ED11676489E2837D8BEE63A9ABC70F28D40D37A4E2E4BD8A922829399DAB05D74E46E11E8CF57BBC1CDEE17E2930
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):5445
      Entropy (8bit):7.935161427280956
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xp0WMnZeGhgIRbwUp3+Px09CRcoTxKm:ySHIIHUCD4wa1y1RbwUp3ix4oTf
      MD5:2C82A05B8CB6E945AA3229225D77BADB
      SHA1:8D74A2BB45AA403DA49E449D390AA6B6D8D7C58B
      SHA-256:5687EB042704EF34B3B47711B377AD972ED948229128D0DC0D663DFB71BA97CE
      SHA-512:79776830B0F020CCFE98870D216FFAB7F16D827C657107E156956B0A9BC9F61D9E2C769A1804899666857584D55D5D5CE9EF4B28AFD61F61B2C99BFBADF2BDF0
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):6160
      Entropy (8bit):7.9429678304530205
      Encrypted:false
      SSDEEP:192:ySHIIHUCD4waQUGNM/RN0LI8PYlG7EPOd:N50wiGNM8R7+Od
      MD5:CFA79036B0110FD42CA4188313C6C8DE
      SHA1:7229571E656A12A910002A47E4608DC38CF21B38
      SHA-256:107A6154B6A13FAAD96B31C9C92A9AA8889C76D00EFA1A0000C47DDBB2A183A2
      SHA-512:B1D7251F7C6FF00111A9D7E48EF830E8FC76C6DB6E2E0D6028841F15C5F771AEE48CC2C6D5CC2472EC3F27F2EEC4FCF7EC9A0FFDE86B66C0A7AC57315AEC45AD
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4198
      Entropy (8bit):7.909717078685963
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xwcOBaS0bNDQJZQf2Ns/N:ySHIIHUCD4wa+cOUbqJZQeNsV
      MD5:5578CCC1B4540F9593646472C64D2628
      SHA1:962AF6E0BE8591849816537B8DCEAB66082B6DD3
      SHA-256:FA55BBB525A07683D76F34D500FBFB67E726625F7CFEB17E47D553C0CF050E49
      SHA-512:C9E77F17382B964D9ABEBCF1D689F9A6520FE927867615AF9E9BE6D8FD1C9076B23E5CD5ABB9BD0FD7BAA9C14ACBC59FCE7BE0CB7A3FAFF9BBF7852E99800E0F
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 180 x 40, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):4824
      Entropy (8bit):7.919163776212046
      Encrypted:false
      SSDEEP:96:ySMllcHitlIxv9vk7C1+I4wWHLihk/xg01tnhDi4xanqm/OZgfjUeDoIo:ySHIIHUCD4wa+UhDjN4OqUeDoIo
      MD5:8527D5D916E354F9516F0DD377766816
      SHA1:93AD1932FB57C6E23C398BDEF88E83B50B4729A2
      SHA-256:587FF583D37A7C1CA81A08662A0744F093EC4D448B7B27DE0BD602CA4AA20FB9
      SHA-512:B7BED18061EA281EA4E55346D5196F39389394B30886D1C989636DE73CA262079D05BD727898E32BDA6E2F74188D73318B7825E1F86FBB79D3FC721E86507A1C
      Malicious:false
      Preview:.PNG........IHDR.......(.......G]....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3529
      Entropy (8bit):7.894142137876445
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xtXjN4pUz5SHZq:LSHIIHUCD4waLCpy4HZq
      MD5:9C3AC999E3ED8DC7763DC70882E0BEF5
      SHA1:7970875FFBFE3D8FC5D059807DE97D21BAA4F659
      SHA-256:527B4CC7A39641641F84617443A72BA527E3073C3D9A941933E0A5E571D6344B
      SHA-512:F77992B00C0CADA4A9B678E7860FABF270832880E659D72DFA1AE85F61523402B5AE789E637F908A63B862DE09E3DD91CB5D3152B06ECD2149401849A72C4D41
      Malicious:false
      Preview:.PNG........IHDR.......2.......".....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3462
      Entropy (8bit):7.893662990055222
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xQw5LW5j1fXx3UCKx:LSHIIHUCD4wauw0533UCKx
      MD5:12B2DF3BA786FE7ED7D38300D49DC1CF
      SHA1:3FDA264EDF9C97E3A46ABF469D22ADF2814849A1
      SHA-256:C471750413D892E4C0D70F0F09C9FC02F57B61A1020CA97B8C5315BE646A3448
      SHA-512:0DBA89FECA61AC1C2AF4789D38088F6F421074D45283F1F75F25B443B75150190735FAF26EA73FC74E974E19517ABCA95F006300A3189D7B7ADEFD930AB429EA
      Malicious:false
      Preview:.PNG........IHDR.......2.......".....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 20, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):714
      Entropy (8bit):7.622587184814141
      Encrypted:false
      SSDEEP:12:6v/7+2CJ4DotZYoZWORrlWtMYBvM2G2BvntlsGmx0dAoLimt2eBPPZ2e4+Ob8l0f:dsDoTWOtcti+UGmdoLi5Y4jYlJ6
      MD5:2ABECF83F367E5F015E6C1DA85FB78DB
      SHA1:313EA4280E9362076A071F322BDA3E1049758EA6
      SHA-256:D62325083CFA49297ED75DF8928AD3010EF650F1FCCD899000DC336E75BC8601
      SHA-512:B12D0BF87D182B6B6BD76B76CD05C917EF64828C91E8377ACF5FEAD62DC638E845E1D64E7C45EEFD663714CE688F3419DFFB51818E7725F60E6AE658A812E77D
      Malicious:false
      Preview:.PNG........IHDR..............b.w....gAMA......a.....IDAT8..SKH.Q.>.._....&1.....6.3#...B.(..m..TC....mc..6..8c.A.-....)......9CGF........s..} ..l{4.Q.W...._)...`0....H...."....~2......-...^.. ...F..E...4G./......V...m5d{8y/....;*.}c#C...#.iM..&twa...?{.5..a(...Ux.....wq..\./d:?.9_.d9I<.8S..x...DC..4/.K..#.m.+.'..R#.F.%4..x...3.....k.)z.(..2.P,e.j3..I....`.O.Na8..<..+`%.}z.w..._...iQ9Vl .~..".f........?.*x...!~..,k@......c...........u...'..).gi..jwtt.v...S|.....%M._8..\....4#...S.@<yH.m$.JSMr."..n-..........{.rdre......H....#.3_?}. ......-.`...S_>O....*.c=...Dp...<.~i.$..]d.*..nn..>[y....0::>....K...0m..*[}..w9.xL8c.k.4../.|..}.NmU..B.#,...gN..o............k..;.....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 22 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):553
      Entropy (8bit):7.552033242759757
      Encrypted:false
      SSDEEP:12:6v/7RiiB7SLEkBf709FPByF+iGxdhfIPi632zJNO:+AnBI9DyperwPi02K
      MD5:BE2B9BF2E907DF8AC60D230332865D56
      SHA1:0BE743F70EC686AE1ECC44A13EFF4134169B5D26
      SHA-256:471327883276CE89C0933272ADB33AFBD43D6C8F6CCA7AA7BE6542EB91F9F2CB
      SHA-512:59F16519D7BE4C63B24BD8AE40633B49B4798D96BE6457B3F9C6204DFD23962BDE47EFFB910A673E9F8D073BE301F8EEC3D324484E568845770E49B4B910A8E7
      Malicious:false
      Preview:.PNG........IHDR.............+1......gAMA......a.....IDAT8..TAKTQ...yw..$..!..Q".S.F......I...Kw.m.:h.*j..jQR..!..p...P..6.hQ...x........w..}..s.;tnl..X8.D.A...aB.Eb.....n......,.m7.8....a...,(.V.3.........Q..W.3.|.c......V.'.F.TG.Bi..+..8>.b. `...7".;L.[..|=...."...<*.J............J.v&....7..t.3. .......'j..^....z.P0....,...M.-...U.CRS.6..&...[]].HW._:....W>...W!......[.kHKA.uX7..x.....6/...D=..lvs`.....|..l5V.B.|...6...v...Ib....q...h5^~.[...g....d.E..'.?.9]....4I.#Y.K3.'....gg.....Df.t.....Y...!.{7......p .....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):389
      Entropy (8bit):7.28884558678762
      Encrypted:false
      SSDEEP:12:6v/78AVlQdqR6iYW53JO8I7usvN3QlpmP/k7eFlnQt:clfR6iP5PI7RQHeeefq
      MD5:64FCB4193C444F034D1312873BB62943
      SHA1:05D0EDC924CB1CE30239EDAB01855A70991E3357
      SHA-256:42FE4EE2D1A6F3C7A08E2D54C4EA1B206395FD647F954A1076AB389900C6D82A
      SHA-512:054D50EC7806A5B4DD71287C03F5FE92F70A2027C0D77680CBD53C4D75A8611798F096D0A5AC9D2DFD556226E489A9CCEED80D006FC7681508DFEAC5D8473D6D
      Malicious:false
      Preview:.PNG........IHDR................a....gAMA......a....<IDAT8....J.@....\.."xh.V....F..G...!,l.^@E.N....l.b..FT6$q~br9.b"N........<..R'Z.n...40..I...iz.".8N.u.%...@.E. .za.....cD.oF..f.M3..#CV.7..M..^....Q....].........H.@._.....v..v....8..-KF.O.F....,..r...[........p8....`.E.m......?......bS.!{...3.*3.iE..r".....d.;...g%w..*oV...!o{..&CVs.d0...~o0..Y..q............IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 75 x 28, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):2314
      Entropy (8bit):7.894434331014045
      Encrypted:false
      SSDEEP:48:TdZ8EIIsjeRr6qn8kmNVGJmsQojREYcQP6bHoahUAo/:RZLLbP1863bP6bHU/
      MD5:A7474995DD01516CEA41C16F7594AADD
      SHA1:0F16FE1DD1D5B4BBEF066D66C7C34EB741F20600
      SHA-256:6A143A7E5DEAF0F15616B89B3F22C96D053C7ECC89E178FB2C991FBB9EEA5284
      SHA-512:780B480EB0EDE1A1D30355CB5AB28A55E9CA7BB9A479A99C40685ACF03C4AB33224B8D77C0B03563368679F10C781FBE503855B9C5A49E0A74E24A1AD1A90218
      Malicious:false
      Preview:.PNG........IHDR...K.........).B.....gAMA......a.....IDATh...l]e....s.._k..c.]..pN.2eS...Q'....i1:3.....t....$iH....qh....A.'C.s...6......].m{.=...?..NO.n...O..9.{......<.=.J.4]1...j>...>'..a4c{J..5.~.5.&.....uuuL2%.E..[$J......U.v]./.y.....g../.5.d=6.X..f9&. D.....@0.....2ii.KIG.Wr.,.L).l.fF.'..M.._....'..:......3..f.D...P...!..n9.z'}..r\..6.f..H..Vl.mZ..T.%"9tO..".'TEm.j.^z..x.....S..;..s.<.. .g)..`.h(.......R;.....gh....*Ve..Q.......\....a..".EEK!.N...r`F]F.m....|....A.te.2...]d..R.u.f....!....Db..T..K.....Z+...w.}.u...."..Q....(....H..WY......W.).HG..P<..d..v.B............b..G..5...^n...e.. ..{...8..WTP....c.D.8......}c.RF..6r3...P..........m.z.....A,.._.P...&.x...,.........s3.b~.u...Z....Z.S..L.....W.f&...D..f.;.?.kl....u7`t-./.g...=5.1T........!.....D...N...Y....Q.b}....w"4f......?....n...B..xe...+@.8...#.tt..-..p`.3}PR.j..............-.u.M.....]0o..3Z..r..<.^w.h.Dm.Y[...B.3 ..\3..X.y...*..8.k......N...A.8....W.".?......1.+..t.O
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 359x153, components 3
      Category:dropped
      Size (bytes):10092
      Entropy (8bit):7.957422064858935
      Encrypted:false
      SSDEEP:192:VnxWgEzHPM6ILExqfXS4ZlwguAx8HLGSycW0/4CWekz:hNEzHPM6OEGi4fFuwkMt0/4l
      MD5:5FC2F45724B2CD7A6DAEC6F84FAE01CD
      SHA1:A1E03FA31A903204EC512242EA8EB7CA35D46DCC
      SHA-256:898C1B5F3ED1F8236D86E46EE617F9FF9FEAF6192EDEDEEEA3FFD9D99F7AB14A
      SHA-512:C438F51FF82E6E62A8D7E21BA7F0C02A451D1F2A59300B04F3A628F2103F69058C188C1EEE224A5E49A376BDF4603F504F5EA12CC69D744E9EE2638E2379D037
      Malicious:false
      Preview:......JFIF.............C.....................................%...#... , #&')*)..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((........g..".........................................V..........................!1..AQa........"SUq...257Vrt.....#3..6BCRbu...4EFds..$%&..................................8..........................!1QR.....Aq..$4a..3.."25B.#b............?...8..9v..eE;".pa...v....|.Q.e......H.CfD.x......._P..S(TrN2....l.S..cgm...........vZJ:...=.<.p...._.Y:,C.....d.L......Z[6]U..={.Q_].*6..pc.....:x....lm.......'ve..F)M...A.K.....^...m.nD.Wa.....845..D.....SM..kw..S...Dm....N.(\.;ics.p.O....3...I=...t~ROgB.q..q.q......8..aw:?)'.....I..Y.5...O..._..K.....\v5g.9a..Zr.Vi!{....ji#a..N.MO'..;....!..OgJ;.S...E..B..MO'......t..fG.Hw&.......{:Qp.#.;.S...Grjy=.(.Y..R....t..5<..\,..)....{:Q..OgJ..dz..rjy=.(.MO'....2=.C.5<..w&........!..OgJ;.S...E..B..MO'......t..fG.Hw&.......{:Qp.#.;.S...Grjy=.(.Y..R....t..5<..\,..)....{:
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=153, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=359], baseline, precision 8, 359x126, components 3
      Category:dropped
      Size (bytes):26505
      Entropy (8bit):7.334100061822296
      Encrypted:false
      SSDEEP:768:eg2lii4g2l8zz6HREVZZTGBll63IpEBmd:3+b+8zaENAnEZS
      MD5:B33B26C90E5F2C33DB95AC71761F4536
      SHA1:C22A4E90293707F50CFC7EC1F0D6A9BC09E9D304
      SHA-256:A177EF1913D8B9B1FA5993F52EB9ED25C7730E1DCD2029A4E4C6D81D1E8C6ED5
      SHA-512:6C635ABA000FA6E99B6C26438D6E0F7FE7B53DEAEE427209AABB52EEA647FADB744E262FB9E5CD8C2ACD2DF1509AA0A7135B39C1406CDE6BE2BCD84BFAE36007
      Malicious:false
      Preview:......Exif..MM.*...............g.......................................................................................(...........1...........2..........i............. ............'.......'.Adobe Photoshop CS6 (Windows).2020:02:19 21:05:00.............0221.......................g...........~...............................n...........v.(.....................~...................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................8...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..Y....]..<zC..-.X.:..k]...9.?..../d..K.............[i......s.......\.,{rZ[.V..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 20 x 14, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):564
      Entropy (8bit):7.574447564559627
      Encrypted:false
      SSDEEP:12:6v/7MOXJLqhd1yEEHRS1YqmDRz3KBY60riIeba12oacTsg65KvH/Pxz:RCLGytHRSWqmVuBY6Qijb0HTsX5oz
      MD5:643A1150E8ECA4BF46A2FFB95CCA3E73
      SHA1:EFDDDC024D4918D6F4F78AE20256E260ED59D9A8
      SHA-256:854B0CD099E88C8309FDA0ED6513F46C19C338627040EEDFB9207DC16E465E4D
      SHA-512:C20DF468D597A2F42AE1C5800C89BDB132636FD192BF5E79A7959489D292ADBB600AA1EB7C9CFA002158B8F9012A4DB56410F5791AD17AF0BA534255C70A086F
      Malicious:false
      Preview:.PNG........IHDR............./.<.....gAMA......a.....IDAT8....k.`..g.....A...E......+.Y.."x*..W....(...G(..b.!n..[V.........d.%.7.d!.{.K. ./..}.H..Z.Z...HX..KX...U.n.;..+,..0pN.;. .!.{=Z_.Q...n.'p...d6ES...%eI.N...9.c.......$R..i...K.U.'N>DA.i..Rw... .j...a....A...!.r..@y.....C4.5..".F..j4.g..V....?,..b.K..>..=.V...r..U...MF.&.im./......%.D..3&.a....C.E`...>..Ht..f.+.4k#.7U.,.G-.....!..*.0.f..oi.s9..]...[.d.z.....2+..F.'ol.s}.{.@A.....1:LoI...........|^I...\..._.D..z...)../.>......._.#.b...Pr....o.6..{:.#:..S{}J.....9..s...E.]C....IEND.B`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 229 x 40, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3691
      Entropy (8bit):7.932300965581058
      Encrypted:false
      SSDEEP:96:nbybWxaxuHNGfcqjE7gXU8MmX7q1567YyHiYSmF:n2WxAXfcqjE7gX3M87N1F
      MD5:48573907EFA5A673B918EE8246C8637D
      SHA1:69503736D1B5C89A67AFBA9BA8D39E7A3B32D2E7
      SHA-256:03ED11F9006A009BE654F615F959B54CA36CA1CA363E7B1DAE48944E3ABA78B9
      SHA-512:1A81AA2CD7C077EBEB8CACED7F119AFF4E75C6C0489A1E23F2E2C4EB287712795B1986EDC138B359C08BAA36171172DF1CD5EA56230D07119235A37DB17F5C9C
      Malicious:false
      Preview:.PNG........IHDR.......(.......=|....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..][..W.>c{...^2..&\.x.4)./.....E...Rl.......M......m..!!T..+@...A.T`......Q....(..&...^..e......g.3^..n..;s.s......Ut]'..N.E../..O.%.iZ...#...'?.x........(..w....&....z.g.W>..E".i.h.T.#.. .p..0.`.8.....D...@....n..c.'.f... Cp.B.v.}E..#...}.^....m.Z........C.....M..w.W.;A\...T.h.@...f.5.....q..!.YMX..@\.......g.!.....'Ou.%U..(....9........kBu.e.....7.....\.....8...,g....Q..`..l.K...2&QS..c.1.r.2.<....J.-...]%.........V=;r.X.F..+..d...E..@.c\:(..0>.P.I.$.L.yF... 7q.B..8.:.p...N..0).S......r...q.P0N....7..d.....$..X.l.j}.z...{..T7lO,...F. 03"Hp..A:..s...w..(!...H.@...z....6.c.....W.1...`MH..D.MH........q.n6A.l.....fP......)n`./4.2.,.....F.....'a....Lm.{9...H....2.DY.Da.0..z.P.F*e.S...^....' a..9v.}...#....f...^....?...;.....t.........'...l...eRR....8u..O.T...A...M.Y.6..n.V..6.=.-++g.>.?.o'..D......69E4..B..`.......a..7.5-.RQ=....#...q..]...\S..x!...q.lFp.0.L..-.dC.A...;..D`.
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 104 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5272
      Entropy (8bit):7.934411634487265
      Encrypted:false
      SSDEEP:96:GSMllcHitlIxv9vk7C1+I4wWHLihk/xHMLMWrPPliTMZ+B/C0pfvt:GSHIIHUCD4waFazr3lvZ+BqAvt
      MD5:B9AC24AC8D864F4AF72B8420F23D95D9
      SHA1:AA653E8D5AACB686B781A24E0E657821B4A8978C
      SHA-256:8705EA87FA5E3335BE4508C2C854EEEAC7294349949831D58CC1A0990C7B02D2
      SHA-512:C3E93B1FDEA30467BEF008BE6595BDC194FA637E52C105098C2ABFD6B6913BA5B1308A7C21381B47573C1DBDFE90AFCB9317E8B40D22B1D9AD548EAC47BBEB93
      Malicious:false
      Preview:.PNG........IHDR...h...7.............pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 104 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5964
      Entropy (8bit):7.9443039940495535
      Encrypted:false
      SSDEEP:96:GSMllcHitlIxv9vk7C1+I4wWHLihk/xl+e5/j7CL/Wabp0/atMMns0gARckxzI6Q:GSHIIHUCD4waKeRjeLJ0/atMeD5Q
      MD5:FF2CE8112EA6F11AA1886A591D34592C
      SHA1:68B34F1842472A73A5E8C0696BCBCBC134071238
      SHA-256:6643EF0D6FF6DAAE4EAD2D2E00FFD3B4BA81C4A7D137FC0A644C66B4E87B3750
      SHA-512:B9747DAFEDAF1530380EE7328CD2B33B312F5BAF5A9118F2FCC84B9FEDB6B905E1193480E3CFE47D2305F383202103FE53E4C973C8899060BCF50FF39317A54C
      Malicious:false
      Preview:.PNG........IHDR...h...7.............pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 104 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3470
      Entropy (8bit):7.763652774272464
      Encrypted:false
      SSDEEP:48:UwqQNn2xrkJJ3OHXfqeKfaU5PvmIXphLLLQHcWC1skKMVkKD4A7xilk4p7PvNwIF:EY2VkeHXfGP5LUHrCH1kKsA8lLqLpwj/
      MD5:A7BB6F50D352036F0EA21360DD0EF52B
      SHA1:E939731191E8661BE9AEEC55E5A2F1AF0D3BEBE9
      SHA-256:A573F4957050777752602E86281A2880CF11E8C3CE8DB150A713DBA4EC88C8F4
      SHA-512:3D323D4496708D049216A4DDA6BEE3BCE784251C7451DEFDFBE2EEAC10807F15153FC18364DF9C64B8ACD8E45BD243BC98A31A36F46AB321CA82036A771802B2
      Malicious:false
      Preview:.PNG........IHDR...h...7.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:812A279B4AE611E4A8DDFA6A09D43ECF" xmpMM:DocumentID="xmp.did:812A279C4AE611E4A8DDFA6A09D43ECF"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:812A27994AE611E4A8DDFA6A09D43ECF" stRef:documentID="xmp.did:812A279A4AE611E4A8DDFA6A09D43ECF"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.W.0....IDATx..\.LTY...h..F.v....]./.......D%...h.NOzF....!c....Q...w..c..Ah....QA.w....~.o....6.'.$7.z.._..w.=..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 114 x 55, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5411
      Entropy (8bit):7.9398177576350735
      Encrypted:false
      SSDEEP:96:mSMllcHitlIxv9vk7C1+I4wWHLihk/xLey8GIZKJv8A9M+SU82fHPlcAH2dtUb:mSHIIHUCD4wateyfIZK+A+nwB2dtUb
      MD5:AE28B7396F5DA30CDC2D88A1338AEBDE
      SHA1:310F097B4C88264A53A368417DB15A183EB6FAE7
      SHA-256:39748CF5551486A339987F337C4449D29FED342E4230F2ED7DC727913691850D
      SHA-512:26598A7D24FF75C49B9D9A759CACFBE6EEFA184FBC745172843CE19DCEABF1B452E36DF56DB7B8027CFC0420BABFAC2AB0B7AFF5E500DC992C37A46D5F9F476F
      Malicious:false
      Preview:.PNG........IHDR...r...7......H......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 600 x 92, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):21861
      Entropy (8bit):7.968447899710426
      Encrypted:false
      SSDEEP:384:Gwm8PQnmUZ/lWRNrVQG2ODD6FW2gf9XMUlS8Xn9Y9jVttBfKqOYVz8nndjE:48onmUZwrVO6OW2gTny9BH/tVz8djE
      MD5:D4E46EDF2708B61BCB69014FC48C624D
      SHA1:4B7D4565A8CC09C4B37AA477C43D2BA99A9D7043
      SHA-256:5968C3CC283B8AB050511667261F0F9ACF11EB621BDE66ECE5361C02BE6B250C
      SHA-512:5FC0EC1FD12E60B8B86EF127013CAC6AA4DCCA52E9D2EAFCECDFDA85ED651025FAFB6145C8E2EE7840952CD8265E8FB440551C472A9D863EAFAE424E9D0B4150
      Malicious:false
      Preview:.PNG........IHDR...X...\......h......pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..|9...S.....n....$....+..y.;...|.*.L..n.. *@.B....0.~.A...:i.@<..^./@)...()..A|.f..|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T..*......x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z....S.IDATx..]wx...=.%.4... .&(..Aj(JQ....RD.. ..).*...#...J.B."-.@ ....3.?...,.itx....6....=..{.}o$EQ D..!B..."...(.$Izj....N....!B...1.F..#./. ...3.6.6...T.&X........"..~.%.....)..d.$.`............n.).F.,.L....."D.,A...zR.Kr.H...aH8.!.:.....&.....%.. X.`9t r:..G...y.H...VL.. 0!D.,A...z...>3..l..o_.+V.2...L..!?.oEQn...p...7o..m.6.=#.St...".e"T.xP..2e..../...~ .rA.f..P..QQ....$I..e9x...7n...$0!D....`.'.0!+..'+.b.|....@...".&K8eM.>.$.....,..\....7.p.e....T.P.@.'............~.e..]...E./.e$Xz\.<<<.|.......b.%.............?..?. 00pOXX.>...."..s$X..66..e.....2
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 665 x 102, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):14599
      Entropy (8bit):7.949164301930348
      Encrypted:false
      SSDEEP:384:eHhkf/1H1uZ/HNe272Y4dyvOOVlhku8Wp9gokeP:6h0tH14lexsFlt7PNP
      MD5:A77CBA13FA4F1047CB2EC6A8A30EC117
      SHA1:F7606291B4B028337B062CF6D36434C0A86FCE44
      SHA-256:35224E4F473E4C41808E63A0C0E26C5A59675F88764C77604FF13E9863DF7A7C
      SHA-512:05F3D446DD720011A4966BAE140CE4AFA4A2A505CEA8F32B89FC5397128A369BEFE638F489038378D36CC7BE3B23E0C3875FE0302B2393ADE73C3AF51B2D656D
      Malicious:false
      Preview:.PNG........IHDR.......f...........sBIT....|.d... .IDATx^.}..\U....)$M:....Dy.@BPB...x...H$F.."..*a.A..>Fe....A......$...+<.dP.C....sU.y._}V.z........^.....}.....Z{. ...E@.P...E@.P...<#..s}Z."..(..."..(..."@.$.h.Q...E.......^.\.P...E...B..u*..}jZN....D.3..E@.P.... .....3..{.aNta....mD.(q.T.J..i...E@.P.v .W..E&.3.;.K..(.^..VE....O..tY.L%H.P...E._..K2Mr)'..e..;...dr..5UUU.I$...X..HD....W....=.....&lv....%.T../..3..g....yE...8{..T..)Y...CMY.&J..Y".v.n.......N.-.....f......!.^..|V.m...........G.lv.-[.onn^.Y. .........T.*.).....@.......u'h"O...?..x..uh.%...^K./.ah.....$...z.xU.7n<j.!.E%.&^.d....!..eE....3k..."...!p...L.~.$h"&Qx,.PF..%Y.......E[...@....\...;...u{2.<%J.ae...T....E.{35t...~_........+.%..OF;w:....KI0.<.~.w;t.=.'.).!j7.......UY.hQ.1...`_..~....x../N.4.{Bd.]..e X......E.LoP.....kG9M.Iz4(4...wsIu.N...*{6..L.......,.u...8...8e.$.p..IS.L...h.G3..zO." uL..T...K.(a.@0........<.f.<.G.q.4}F.f..C.t-.d..;..2..By0M\.....d.KF1.....$.F..P=..|z.".
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 218 x 41, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3413
      Entropy (8bit):7.888159483737473
      Encrypted:false
      SSDEEP:48:AchYfIZQibBNuONn7Uj9iBYAV3UfYQPfIjDLUxrs4fByMhe/tAKidVTNH5OUDQh7:xt6ibB4O97UgN2AQ6XMdHOtH2n5OUDe
      MD5:6F8555C5607DD659DE56D22A359C828B
      SHA1:E5519753771E635C2F938450E84878F5523E002C
      SHA-256:7E51B47C7A96500F8022B9E029D32E3D5E84AE3A78960D194843CBD77C048B57
      SHA-512:9F59FDFCD932CE7F6BA757D69824A005915059A2E95012813CD6FB1F24173D7B1D9C2B9AC25F0980225F1D07D02276981CC252FD1396A5F88F53469787E7DAEE
      Malicious:false
      Preview:.PNG........IHDR.......).....S.7l....sBIT....|.d.....IDATx^.]......D.v.....c..$>A...>....>...D>A...>A...>..G..2~......7....a}.l...`!i...".'Y,V.K........G)..R.~.R........]...9:..g......&P.&.]..P.."..{..i..K]_.{.ZMB.~..mVq......W...}.....VI.2...aJi.$f...l...(..'M;.......wW......o....1}Y.vx%.....U..M6......2...~..N..m>..Ai...B;.GF.]..HC. .r.j..I.......5.6.........S*.;..h..{.'... .S.X..y...Cz./.h_^..~....*)....T....h.../..}^K._.r).... ....D..'....6.*..@...w...SJ...1..V.rI_..(..T.1'..:...o3..gM)Q..*.m.Y.sc...t....h..r...x.2.6........@..y55.<{~hD...../[.d..t.m.r..0....T......#.Ev...;....T@k*.4F4...eJ..~L.Lh....J].....l@&R.............o.iY+........8Z.}.......y..C......U..H>..-t.Hd.~:...v,..V..o...c.#.>n....=F.J......kj..!"Z....h9.Z....l5.q.(..}.......d.h18...4...l...h.....cd|.\D.e...Zd#.,....$r^.;.%.Zg..L.9N.y.....+..(...=..g..@y/.4,.......y1?...h.{.!..^.....OC.x(..4..F..D..1.C."4.&.F JKs.-..3.+......T.........h.K..x......?F.q...C..=.O........8..q..
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2020:02:22 14:32:10], baseline, precision 8, 327x127, components 3
      Category:dropped
      Size (bytes):27505
      Entropy (8bit):7.2519321520542865
      Encrypted:false
      SSDEEP:768:LRYy35Ri8LYy35js7Ie/3i4t5bLl7bqmy:1TLVs7ImZt1Ap
      MD5:D9A31A1AB0D82640C717B743C52E4ACC
      SHA1:2BEA9E0B3B880423CCD02581241027FD6D62FE2E
      SHA-256:F88EF77BA384C701CEA4FC329847DE073396098498F757D276286ACC8B493743
      SHA-512:C9804169E3F6DA1A3E1943E20493B5232EBAD1541E32294DD49E9D7DB4F42697B8C106E495C5D48B9C725F8F7F7737609453BCECAD30210131638FA8226F22A7
      Malicious:false
      Preview:.....eExif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS6 (Windows).2020:02:22 14:32:10..........................G.......................................................&.(................................./.......H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch....
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 239 x 38, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3212
      Entropy (8bit):7.8941312435452495
      Encrypted:false
      SSDEEP:96:EHnWj+YcswgwrI8Of+1MEvO/+E7y2CVtw8/BjIzr6DCeq4Ze:on0PTwrIdm1rE+5VtJ8zr6DCMM
      MD5:C1C1E5B936BA7D20C26402CEFCFAF971
      SHA1:A99E5861D79DFCBAB209C88DAD7080CF332BA53D
      SHA-256:C9D16D45B706A08AF9D26861358FDBA4A4009F07334A765209B5A891744E90D8
      SHA-512:47EEEF22899AD5CA17C6488AD413E901FEECBD485EBDE3AB9297CEFEEEB5EAC7ADDFCEEEDAE2EF1996215971F83AC43BB6D732105CE09AF28AF3C2116960441B
      Malicious:false
      Preview:.PNG........IHDR.......&.....,.......sBIT....|.d....CIDATx^.].\....@.}.2T%.1f.IV......+HX.a.... a........Te.]P.O.7..J.Q.....p..x.C.._RK.C.|..b..^)....).<......._....8....R./..g.R.W.....R..N.<..80D#..x.O..?.e`....Cg......d7T|PJyz6..N.=.~.x..P..w.7...M.n.p...._.RP.....m........?>.v6..wUV.-.|.Z.....r.r.\............#.c.&...j4........8....e)....'...pf.~3x.n..X.g....X...{u[8..-x_,..f....3x.1.D..I|.q..-...D...^!....D..c..........W...e..iu....9...../._......*..o...c{....~...-}.9..q.y.k.......2(...B..-]m...&.{U.....k.X<.....jE.;..9..l.)>H.........=.'l *..X..3')0.....n..A;.E.........0..X...1.?D..^J.....{...5....o#.v...F.x.P.%r.|.wL^.2].%..r...}....1....0(\..z...:t..}.:....NFCm.2gk.x..I%A...C.}....A..@......n.(*........b .[...#Cz.U..j...g~.$..Z.....q8.?.1Nay........(...Dz%.....B..V.T>.[.r..C>....C..-.(.....a.z.&.K4<...0...L..._m..=..{......./h...g...AV."Y.Q.j.....*.wo...5...Pi3.....y......l.=.N..C>...@.[....xBC..J...+4.G......F...Z...z[
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3901
      Entropy (8bit):7.898592464130967
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xOQtowZVgEdLOlHnl:LSHIIHUCD4wa/ZrgEROll
      MD5:B150DDCA6CB149A640B5601382858813
      SHA1:EC95A5D1E716AD11B86048ED57232292C89A6A6B
      SHA-256:78BCFEB7F4F3920BB8F9BF320B1205CEDB9F355C7ABE75A3CFCFF60339E90DD5
      SHA-512:89B912865F0FE50E7C0F5964AE2DF6C0022FDBE6730929F68492C150ADBBD313E88A2BFA68FAAD5D77C1997947B28A4DBA85DF9F26D52B3AC6E2ADDD6C7CE12C
      Malicious:false
      Preview:
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 150 x 50, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):3508
      Entropy (8bit):7.892242540470251
      Encrypted:false
      SSDEEP:96:LSMllcHitlIxv9vk7C1+I4wWHLihk/xi/IIwlQ:LSHIIHUCD4waM/IIwlQ
      MD5:CAC234B9C61E2C4F00FB75BA8C30CF36
      SHA1:1CBF460831146C29779DCC73EA23910F0305EF56
      SHA-256:A6B5762081AC064AFC7E84D5EAF1D97857DF9EF1D269CED7EE775D406925139B
      SHA-512:AD842C49255D87C6865A62E735043F08BBDC55979F6AE1544172FA133E75DD5754EDED950567797FF125589B8B58EF6356574C07E6F829A9CA7CF57B242E0BBC
      Malicious:false
      Preview:
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):17584
      Entropy (8bit):5.334137494451316
      Encrypted:false
      SSDEEP:384:7q2LjfsgDG1Vv4EAxVLip75+L8+oiB48oqNwjOSbyi/iHi+iT4:7hvsgBjYv6CPT4
      MD5:53D0CF49D0DD47DBAC1599CAD52C643C
      SHA1:86F8EA054431EF361ACFCC71C57B6D8BC2294FA1
      SHA-256:E3F719E94936599E9B5B3C42FDD96B59BCED725094CAAA9499BD8F9A3A7F6BEF
      SHA-512:BDD484CFE4DDAE21E758CC82775FDAAA9F908070C71835EA1F1155051F9996127612C4E6FDA115466A9AAF06209257A7B988BFE170CFCEE79036F5F01F086C63
      Malicious:false
      Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<head>..<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<script id="w8xmainAuto-4-80-1327-0" src='./js/jquery.min.1.6.4.js' type='text/javascript' >..</script>....<script id="w8xmainAuto-4-80-1328-0" src='./js/jquery-ui.min.1.8.0.js' type='text/javascript' >..</script>..<style>....progressbarContainer { position:absolute;left:30px;top:295px;width:755px; }....ui-progressbar { margin-top:-5px;height:10px;text-align: left; }....ui-progressbar .ui-progressbar-value {margin: -1px; height:100%; }.......ui-widget { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1.1em/*{fsDefault}*/; }....ui-widget .ui-widget { font-size: 1em; }....ui-widget input, .ui-widget select, .ui-widget textarea, .ui-widget button { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1em; }....ui-wid
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):6526
      Entropy (8bit):5.424015834651287
      Encrypted:false
      SSDEEP:96:7qtLnljcEFAHHNVmccnokSY8AkwNMHW/ERo+7Gi/iVERo+7GieQbGiTZCbp:7qpFoHNkccn/SkGyi/iHi+iT4
      MD5:CC8EF30AAE72DAE57491775DE8D9BF68
      SHA1:9E91EF6F43E528D0D507B7B8F7F53F164D173A60
      SHA-256:C41C7ECE07F92A9EB8BC56849BCD8FCA2ED1A83FFA4BA9186F7AFC1A35C6E4E9
      SHA-512:2CCCA655E2784A84B637ACF083458BBE1FB4D885B50B45185E2A7657FDBB1901CCDF3376A52ED694D921B2426D549C5071151FE5FE0417F180BB15FE7DD8350A
      Malicious:false
      Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<head>..<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<script id="w8xmainAuto-4-80-1327-0" src='./js/jquery.min.1.6.4.js' type='text/javascript' >..</script>....<script id="w8xmainAuto-4-80-1328-0" src='./js/jquery-ui.min.1.8.0.js' type='text/javascript' >..</script>..<style>....progressbarContainer { position:absolute;left:30px;top:295px;width:755px; }....ui-progressbar { margin-top:-5px;height:10px;text-align: left; }....ui-progressbar .ui-progressbar-value {margin: -1px; height:100%; }.......ui-widget { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1.1em/*{fsDefault}*/; }....ui-widget .ui-widget { font-size: 1em; }....ui-widget input, .ui-widget select, .ui-widget textarea, .ui-widget button { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1em; }....ui-wid
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):424
      Entropy (8bit):5.231681242477565
      Encrypted:false
      SSDEEP:6:dWoHnAqlfbpSRGvzyq2wuscwRxMQmhVao2q2osbDHnAnoOCyq+KXuLrO8g6xfdT8:8Ubp/vzyWHm+oUHhOJ2X1+FT8
      MD5:95130D201B9E29A8D9E1A256DCFF2B1E
      SHA1:42CF9F0F6B502F7FD511DF71C8977FF6E24A98CB
      SHA-256:E2E327016B20676152CCAFBE32623D013BCEB3370D0566F14946070F343710B2
      SHA-512:C40764856DC326A4660BA4B46FDC9EB09F9ABC13F2880E40788C6250B90FDBAE74D076718247D62F4BDEA967FEE84D7E4A3717D501CAE556847336282099C507
      Malicious:false
      Preview:<div id="##PAGE_ID##" class='selPage' style="width:300px;height:240px">...<div style="position:absolute;left:80px;top:30px;"><img src="./img/mediaget-logo.png"></div>...<div class='progressbarContainer' style="position:absolute;left:30px;top:190px;width:240px;">....<div id="progressbar"></div>....<div style="color:grey;text-align: center;font-size: 12px;">##Downloaded## <span id="process">0</span>%</div>...</div>..</div>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:ASCII text, with very long lines (58946), with CRLF, CR, LF line terminators
      Category:dropped
      Size (bytes):207176
      Entropy (8bit):5.22161198174035
      Encrypted:false
      SSDEEP:3072:WpAlcXnwc+NAdbvTdaVhr4aoaj7/cEItIwCkGWCs3T:WqaB+NuchrbrsEItImGWfj
      MD5:A4FDD77E182BD2FABE300A47B5617A35
      SHA1:E002B335C75B5EDEFCD251962F61F53A2AB8E0F2
      SHA-256:8B59592D67EADC703AF6CDD5BA8D077F9F9485D01FB6405555614335F89BE99B
      SHA-512:DDCCCDE1C129F8F71FB39685ABC615C4202B8B3DFC12CEDD7D9CCA2F97B308FC14B64497826421FA9DF3D1CF54BDAE9C085051AF0A8D393CD3D556A6578D4085
      Malicious:false
      Preview:/*!.. * jQuery UI 1.8.. *.. * Copyright (c) 2010 AUTHORS.txt (http://jqueryui.com/about).. * Dual licensed under the MIT (MIT-LICENSE.txt).. * and GPL (GPL-LICENSE.txt) licenses... *.. * http://docs.jquery.com/UI.. */./*. * jQuery UI 1.8. *. * Copyright (c) 2010 AUTHORS.txt (http://jqueryui.com/about). * Dual licensed under the MIT (MIT-LICENSE.txt). * and GPL (GPL-LICENSE.txt) licenses.. *. * http://docs.jquery.com/UI. */.jQuery.ui||(function(a){a.ui={version:"1.8",plugin:{add:function(c,d,f){var e=a.ui[c].prototype;for(var b in f){e.plugins[b]=e.plugins[b]||[];e.plugins[b].push([d,f[b]])}},call:function(b,d,c){var f=b.plugins[d];if(!f||!b.element[0].parentNode){return}for(var e=0;e<f.length;e++){if(b.options[f[e][0]]){f[e][1].apply(b.element,c)}}}},contains:function(d,c){return document.compareDocumentPosition?d.compareDocumentPosition(c)&16:d!==c&&d.contains(c)},hasScroll:function(e,c){if(a(e).css("overflow")=="hidden"){return false}var b=(c&&c=="left")?"scrollLeft":"scrollTop",d=fa
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with very long lines (32769), with CRLF line terminators
      Category:dropped
      Size (bytes):91671
      Entropy (8bit):5.368573359674578
      Encrypted:false
      SSDEEP:1536:wttlIQq8jYAJohe7evhKHIJvuUO7prb3qJz34yfbvTXYActjaO7UX5X8BKg1hJOw:IJjxpIpuVkRECra92Zp8++
      MD5:EA75B2A8F1B4241A872B1CBDDBAED154
      SHA1:18678DD78C1F5A3525127B442BC70375FAF09C16
      SHA-256:4A62927A380E201C4EE51321DCC1E6B1F7DFBF82049CF349DF990629E01E9178
      SHA-512:DC69CD4703DCBA3C8F4A52058C44A34FA7C0B6096BED20F30CE3DAB872461EB6DDA9D0D381137B9CB022219AD92CA7F5F25D3964ED33D5F41E9FC05EFA5330FD
      Malicious:false
      Preview:/*! jQuery v1.6.4 http://jquery.com/ | http://jquery.org/license */..(function(a,b){function cu(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cr(a){if(!cg[a]){var b=c.body,d=f("<"+a+">").appendTo(b),e=d.css("display");d.remove();if(e==="none"||e===""){ch||(ch=c.createElement("iframe"),ch.frameBorder=ch.width=ch.height=0),b.appendChild(ch);if(!ci||!ch.createElement)ci=(ch.contentWindow||ch.contentDocument).document,ci.write((c.compatMode==="CSS1Compat"?"<!doctype html>":"")+"<html><body>"),ci.close();d=ci.createElement(a),ci.body.appendChild(d),e=f.css(d,"display"),b.removeChild(ch)}cg[a]=e}return cg[a]}function cq(a,b){var c={};f.each(cm.concat.apply([],cm.slice(0,b)),function(){c[this]=a});return c}function cp(){cn=b}function co(){setTimeout(cp,0);return cn=f.now()}function cf(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ce(){try{return new a.XMLHttpRequest}catch(b){}}function b$(a,c){a.dataFilter&&(c=a.dataFilter(c,a.d
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:PNG image data, 136 x 135, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):14680
      Entropy (8bit):7.975231268423949
      Encrypted:false
      SSDEEP:192:TSHIIHUCD4waY5iW8C6HYTSH4DduFk09rhQ+zXckMC2a03SIDwwdv9YPjBKCvJNQ:G50wL5VzSH4keQ5zNjQNwwdvUVZWKT2
      MD5:A27C51E0821FF975C33C70578BBE1D97
      SHA1:E067C98EC18DA0264209247A898958334778DDFC
      SHA-256:29EBD96D14DEE8E335A674BF093AF7ABFD1CBD931B3277516FBCD037366D1344
      SHA-512:4ECFD3CE91179FD6E59C8FA97322EF36A46C773FD608577343D96C97492D39F6DA42E7926C67883A3C48782A5293D1FA71D043380ACC0D8A41538241F1ED0395
      Malicious:false
      Preview:
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):352
      Entropy (8bit):5.266036294387012
      Encrypted:false
      SSDEEP:6:h4QK/TJyVK50RfHmf7JY7E8Mjq2UpeaMQoNev1d7rv0SyZRWAtfGb:hPCxSmtGEzj6pXoNKd7b0rZzBGb
      MD5:3E2A88C55776A6118C91B8B11D5211A3
      SHA1:E42024445C7859365C52C305B08B50152BD1E256
      SHA-256:57B689D69089B3DE9BE51928FE6C9A08664F986BC68EBABBB886BF3C26B1EC03
      SHA-512:706232D6C903955385AB95248E46BF293ED457AAF56B4095B023C782892D5A702B1DA1E69F3DE8FA81A9140D1E0F90C0DFCA5F7D28071DA3E3318DBBA9477F26
      Malicious:false
      Preview:<!DOCTYPE html>..<html>.. <head>.. <style>.. body {....background-color: rgb(230,230,230);.. }.. </style>.. </head>.. <body>.. <div style="position:absolute;left:40px;top:40px;"><img src="mediaget-logo.png"></div>.. <div style='position:absolute;left:230px;top:150px; font-size: 20px; face: Calibri'><b>Please wait...</b></div>.. </body>..</html>
      Process:C:\Users\user\Desktop\ExeFile (200).exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):262
      Entropy (8bit):5.186582224778847
      Encrypted:false
      SSDEEP:6:hn8FQiowadCc4svmz2vyW3tL6QcjWR0NNEXW0YFb/0MIYpfGu:hnMQbwuOCvyg96Qclfd/LIYNGu
      MD5:3CBCD0750AF01FCE7CAEBAA5CC3A53C7
      SHA1:F3C8BB3D74D60C45A7B36A636D1D42DAF8E73611
      SHA-256:337518A9EEB31E8DB3F44146FB601167E09FD5F4F541A9D75769165A975A2CA9
      SHA-512:3AD80DF1CEE12F7B714B36C6F40A67A6C4B1DFB0447E1FDF8092B4F11E4D17CE68043EDC102160B5D61485504BB0BF22EF71C7C222F7D82DB0F92757B9D2CFFB
      Malicious:false
      Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title></title>..</head>..<body>..<center>..</center>..</body>..</html>..
      File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
      Entropy (8bit):7.9604031747484205
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.66%
      • UPX compressed Win32 Executable (30571/9) 0.30%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:ExeFile (200).exe
      File size:796'552 bytes
      MD5:f5d9021bf02680122ef5de324eb173b2
      SHA1:e69e5676df042c1c54d9167d43646d5a89e4384c
      SHA256:4df448b9c01fb42bdf6482f214bdb005a27396206c8b81a40bc63782c2404eca
      SHA512:2245761ffeffbf90d321b74684a25bf75c73e16594806c14b81a2afb9605e358f5b3a5d7ddd177fb5deb207cc29e065381a4cb15bb95b798ef48b5d321693450
      SSDEEP:24576:fEifyPr6VykH1rBM6B8pfrCeG01qPx1q90i8dcE3b:f5y8JpBQ+eWyocI
      TLSH:CE052350CC23711EF4A2DCBDA9B3E46D28B2B521DEBB2927C224ED4D5E6B2F7911510C
      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........2._.\\_.\\_.\\A..\].\\A..\Q.\\...\W.\\x]1\W.\\_.]\..\\x]'\D.\\A..\9.\\A..\Q.\\V..\V.\\V..\^.\\A..\b.\\A..\^.\\_..\^.\\A..\^.\
      Icon Hash:0b1944568dc9670e
      Entrypoint:0x5542f0
      Entrypoint Section:UPX1
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp:0x5F356889 [Thu Aug 13 16:21:29 2020 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:0
      File Version Major:5
      File Version Minor:0
      Subsystem Version Major:5
      Subsystem Version Minor:0
      Import Hash:4df93d97d4492252024a19a15300482f
      Signature Valid:true
      Signature Issuer:CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
      Signature Validation Error:The operation completed successfully
      Error Number:0
      Not Before | Not After
      • 31/08/2020 20:00:00 | 01/09/2023 19:59:59
      Subject Chain
      • CN=Global Microtrading PTE. LTD, OU=IT, O=Global Microtrading PTE. LTD, L=Singapore, C=SG
      Version:3
      Thumbprint MD5:3571D2A43D0452D16321E8A34FDD412C
      Thumbprint SHA-1:7B6E285393B4F4A57241D0AFD183649D83EFAB30
      Thumbprint SHA-256:D3F6324BE081B932A99FACD45590264DCA6FD06DB6681B3D868FD65301B16209
      Serial:1DDA30FE3206C23D83CBDB7638C09051
      Instruction
      pushad
      mov esi, 004FD000h
      lea edi, dword ptr [esi-000FC000h]
      push edi
      jmp 00007F493C7DE6DDh
      nop
      mov al, byte ptr [esi]
      inc esi
      mov byte ptr [edi], al
      inc edi
      add ebx, ebx
      jne 00007F493C7DE6D9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007F493C7DE6BFh
      mov eax, 00000001h
      add ebx, ebx
      jne 00007F493C7DE6D9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc eax, eax
      add ebx, ebx
      jnc 00007F493C7DE6DDh
      jne 00007F493C7DE6FAh
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007F493C7DE6F1h
      dec eax
      add ebx, ebx
      jne 00007F493C7DE6D9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc eax, eax
      jmp 00007F493C7DE6A6h
      add ebx, ebx
      jne 00007F493C7DE6D9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc ecx, ecx
      jmp 00007F493C7DE724h
      xor ecx, ecx
      sub eax, 03h
      jc 00007F493C7DE6E3h
      shl eax, 08h
      mov al, byte ptr [esi]
      inc esi
      xor eax, FFFFFFFFh
      je 00007F493C7DE747h
      sar eax, 1
      mov ebp, eax
      jmp 00007F493C7DE6DDh
      add ebx, ebx
      jne 00007F493C7DE6D9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007F493C7DE69Eh
      inc ecx
      add ebx, ebx
      jne 00007F493C7DE6D9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jc 00007F493C7DE690h
      add ebx, ebx
      jne 00007F493C7DE6D9h
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      adc ecx, ecx
      add ebx, ebx
      jnc 00007F493C7DE6C1h
      jne 00007F493C7DE6DBh
      mov ebx, dword ptr [esi]
      sub esi, FFFFFFFCh
      adc ebx, ebx
      jnc 00007F493C7DE6B6h
      add ecx, 02h
      cmp ebp, FFFFFB00h
      adc ecx, 02h
      lea edx, dword ptr [edi+ebp]
      cmp ebp, FFFFFFFCh
      jbe 00007F493C7DE6E0h
      mov al, byte ptr [edx]
      Programming Language:
      • [IMP] VS2008 build 21022
      • [ASM] VS2008 build 21022
      • [ C ] VS2005 build 50727
      • [IMP] VS2005 build 50727
      • [ C ] VS2008 build 21022
      • [ C ] VS2008 SP1 build 30729
      • [C++] VS2008 SP1 build 30729
      • [C++] VS2008 build 21022
      • [RES] VS2008 build 21022
      • [LNK] VS2008 build 21022
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1bc59c | 0x304 | .rsrc
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x155000 | 0x6759c | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0xbf400 | 0x3388 | UPX0
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bc8a0 | 0x10 | .rsrc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1544d4 | 0x48 | UPX1
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      UPX0 | 0x1000 | 0xfc000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      UPX1 | 0xfd000 | 0x58000 | 0x57600 | 6673a2846b78919c209dac22fbeb5ad7 | False | 0.9912011579041488 | data | 7.9199376549288605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x155000 | 0x68000 | 0x67a00 | daaa512576535c06f65ebe99b93c7cbb | False | 0.9743619948733414 | data | 7.961300068530892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      ARCHIVE_7Z | 0x155348 | 0x5eccb | 7-zip archive data, version 0.3 | Russian | Russia | 1.000324492208324
      ARCHIVE_7Z | 0x1b4018 | 0x3b96 | 7-zip archive data, version 0.3 | Russian | Russia | 1.0007211223285695
      RT_ICON | 0x1b7bb4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.44543568464730293
      RT_ICON | 0x1ba160 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5372889305816135
      RT_ICON | 0x1bb20c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.4840163934426229
      RT_ICON | 0x1bbb98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.4583333333333333
      RT_DIALOG | 0x140fe8 | 0x110 | data | English | United States | 1.0404411764705883
      RT_ACCELERATOR | 0x1410f8 | 0x70 | data | English | United States | 1.0982142857142858
      RT_GROUP_ICON | 0x1bc004 | 0x3e | data | English | United States | 0.8064516129032258
      RT_VERSION | 0x1bc048 | 0x21c | data | English | United States | 0.4962962962962963
      RT_MANIFEST | 0x1bc268 | 0x334 | ASCII text, with very long lines (588), with CRLF line terminators | English | United States | 0.5073170731707317
      None | 0x1416f8 | 0xaa | data | English | United States | 1.0647058823529412
      DLL | Import
      ADVAPI32.dll | FreeSid
      COMCTL32.dll | ImageList_GetIcon
      CRYPT32.dll | CertOpenStore
      GDI32.dll | BitBlt
      KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
      MSVCR90.dll | feof
      ole32.dll | OleRun
      OLEAUT32.dll | VariantChangeType
      PSAPI.DLL | EnumProcesses
      SHELL32.dll |
      SHLWAPI.dll | PathCombineW
      USER32.dll | GetDC
      WININET.dll | InternetOpenW
      WS2_32.dll | getpeername
      Language of compilation system | Country where language is spoken | Map
      Russian | Russia |
      English | United States |
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Aug 20, 2024 16:27:54.256258965 CEST | 49713 | 80 | 192.168.2.5 | 185.130.105.44
      Aug 20, 2024 16:27:54.261780024 CEST | 80 | 49713 | 185.130.105.44 | 192.168.2.5
      Aug 20, 2024 16:27:54.261887074 CEST | 49713 | 80 | 192.168.2.5 | 185.130.105.44
      Aug 20, 2024 16:27:54.262022972 CEST | 49713 | 80 | 192.168.2.5 | 185.130.105.44
      Aug 20, 2024 16:27:54.266940117 CEST | 80 | 49713 | 185.130.105.44 | 192.168.2.5
      Aug 20, 2024 16:27:54.874775887 CEST | 80 | 49713 | 185.130.105.44 | 192.168.2.5
      Aug 20, 2024 16:27:54.875000000 CEST | 49713 | 80 | 192.168.2.5 | 185.130.105.44
      Aug 20, 2024 16:29:44.140434027 CEST | 49713 | 80 | 192.168.2.5 | 185.130.105.44
      Aug 20, 2024 16:29:44.146547079 CEST | 80 | 49713 | 185.130.105.44 | 192.168.2.5
      Aug 20, 2024 16:29:44.146626949 CEST | 49713 | 80 | 192.168.2.5 | 185.130.105.44
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Aug 20, 2024 16:27:54.226974010 CEST | 49516 | 53 | 192.168.2.5 | 1.1.1.1
      Aug 20, 2024 16:27:54.246649981 CEST | 53 | 49516 | 1.1.1.1 | 192.168.2.5
      Aug 20, 2024 16:28:21.234510899 CEST | 53 | 56480 | 162.159.36.2 | 192.168.2.5
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Aug 20, 2024 16:27:54.226974010 CEST | 192.168.2.5 | 1.1.1.1 | 0xcab6 | Standard query (0) | install.mediaget.com | A (IP address) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Aug 20, 2024 16:27:54.246649981 CEST | 1.1.1.1 | 192.168.2.5 | 0xcab6 | No error (0) | install.mediaget.com | lb-ks-1.mediaget.com | | CNAME (Canonical name) | IN (0x0001) | false
      Aug 20, 2024 16:27:54.246649981 CEST | 1.1.1.1 | 192.168.2.5 | 0xcab6 | No error (0) | lb-ks-1.mediaget.com | | 185.130.105.44 | A (IP address) | IN (0x0001) | false
      Aug 20, 2024 16:27:54.246649981 CEST | 1.1.1.1 | 192.168.2.5 | 0xcab6 | No error (0) | lb-ks-1.mediaget.com | | 193.0.201.29 | A (IP address) | IN (0x0001) | false
      • install.mediaget.com
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      0 | 192.168.2.5 | 49713 | 185.130.105.44 | 80 | 1868 | C:\Users\user\Desktop\ExeFile (200).exe
      Timestamp | Bytes transferred | Direction | Data
      Aug 20, 2024 16:27:54.262022972 CEST | 359 | OUT | GET /index2.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
      Host: install.mediaget.com
      Content-Length: 124
      Cache-Control: no-cache
      Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 6d 65 64 69 61 67 65 74 49 6e 73 74 61 6c 6c 65 72 20 66 69 6c 65 5f 6e 61 6d 65 3d 22 45 78 65 46 69 6c 65 20 28 32 30 30 29 2e 65 78 65 22 20 61 63 74 69 6f 6e 3d 22 73 74 61 72 74 22 20 73 74 61 74 56 65 72 73 69 6f 6e 3d 22 33 39 39 22 2f 3e 0a 0a
      Data Ascii: <?xml version="1.0" encoding="UTF-8"?><mediagetInstaller file_name="ExeFile (200).exe" action="start" statVersion="399"/>
      Aug 20, 2024 16:27:54.874775887 CEST | 192 | IN | HTTP/1.1 200 OK
      Content-Type: text/html; charset=UTF-8
      Date: Tue, 20 Aug 2024 14:27:54 GMT
      Server: openresty
      Vary: Accept-Encoding
      X-Powered-By: PHP/5.6.32
      Content-Length: 9
      Data Raw: 38 38 30 37 35 31 39 36 37
      Data Ascii: 880751967


      Target ID:0
      Start time:10:27:52
      Start date:20/08/2024
      Path:C:\Users\user\Desktop\ExeFile (200).exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\ExeFile (200).exe"
      Imagebase:0xce0000
      File size:796'552 bytes
      MD5 hash:F5D9021BF02680122EF5DE324EB173B2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

        APIs
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00D16CD0
        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00D17173
        • GetLastError.KERNEL32 ref: 00D1718A
        • GetLastError.KERNEL32 ref: 00D16CEA
          • Part of subcall function 00D1D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,?), ref: 00D1D8DF
          • Part of subcall function 00D1D850: GetLastError.KERNEL32(?,?,?,?), ref: 00D1D8E9
          • Part of subcall function 00D1D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1D98E
          • Part of subcall function 00D1D850: LocalFree.KERNEL32(?), ref: 00D1D951
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D16E6A
        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00D16E88
        • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00D16EFD
        • HttpOpenRequestW.WININET(?,GET,?,00000000,00000000,00000000,84000000,00000000), ref: 00D16F74
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • InternetQueryOptionW.WININET ref: 00D16FB1
        • InternetSetOptionW.WININET(?,0000001F,?,00000004), ref: 00D16FC9
        • HttpSendRequestW.WININET(?,00000000,00000000,?,?), ref: 00D16FF9
        • HttpQueryInfoW.WININET ref: 00D17029
        • GetTickCount.KERNEL32 ref: 00D17065
        • GetTickCount.KERNEL32 ref: 00D17086
        • InternetReadFile.WININET(?,?,0000FFFF,?), ref: 00D170BA
        • GetLastError.KERNEL32 ref: 00D170C8
        • GetTickCount.KERNEL32 ref: 00D17329
        • GetLastError.KERNEL32 ref: 00D173F0
        • GetLastError.KERNEL32 ref: 00D17430
          • Part of subcall function 00CF8CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CF8D3A
        • GetLastError.KERNEL32 ref: 00D174AF
        • SetEndOfFile.KERNEL32(?), ref: 00D1754A
        • GetLastError.KERNEL32 ref: 00D175CD
        • CloseHandle.KERNEL32(?), ref: 00D17663
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00D17695
        • Sleep.KERNEL32(000003E8), ref: 00D176A3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast$File$Internet$CountHttpTick$ByteCharCreateIos_base_dtorMultiOpenOptionQueryRequestWidestd::ios_base::_$CloseConnectFormatFreeHandleInfoLocalMessagePointerReadSendSleepString_base::_WriteXlenstd::_
        • String ID: - $404$Can't create file $Can't open internet connection: $Can't open internet request: $Can't open internet session: $Can't send internet request: $Error in InternetReadFile: $GET$Not Found$Unable to write in file: $https$not found
        • API String ID: 3689052399-209034117
        • Opcode ID: 2418b56cfa049c2f55ab2919d63cb6f12f2e77398c321c9d56d77b443dd5b2b5
        • Instruction ID: 6d72eea8a4636679dd416097868992700afd14b6519d72928abe62e38e8bd1d4
        • Opcode Fuzzy Hash: 2418b56cfa049c2f55ab2919d63cb6f12f2e77398c321c9d56d77b443dd5b2b5
        • Instruction Fuzzy Hash: F36281B1508781AFD730DF65D885BABB7F8BB98304F144A1DF19993291DB70A848CB72
        APIs
        • InterlockedIncrement.KERNEL32(00DB7454), ref: 00D283EC
        • CloseHandle.KERNEL32(00000000,00000000), ref: 00D284DB
        • RtlInitializeCriticalSection.NTDLL(0000009C), ref: 00D2852D
        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00D2853E
        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00D2854B
        • CreateThread.KERNEL32(00000000,00010000,Function_00047760,00000000,00000000,00000007), ref: 00D28571
        • LoadLibraryW.KERNEL32(dbghelp.dll), ref: 00D28588
        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 00D2859D
        • LoadLibraryW.KERNEL32(rpcrt4.dll), ref: 00D285A7
        • GetProcAddress.KERNEL32(00000000,UuidCreate), ref: 00D285B6
        • RtlInitializeCriticalSection.NTDLL(00DB7434), ref: 00D285F8
        • RtlEnterCriticalSection.NTDLL(00DB7434), ref: 00D2860D
        • SetUnhandledExceptionFilter.KERNEL32(00D28180,00000000), ref: 00D2866A
        • RtlLeaveCriticalSection.NTDLL(00DB7434), ref: 00D286AB
          • Part of subcall function 00D27800: CloseHandle.KERNEL32(?,00000000,00000000,00D28512), ref: 00D27812
          • Part of subcall function 00D27800: CloseHandle.KERNEL32(?,00000000,00000000,00D28512), ref: 00D2781C
          • Part of subcall function 00D27800: CloseHandle.KERNEL32(?,00000000,00000000,00D28512), ref: 00D27826
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseCriticalHandleSection$Create$AddressInitializeLibraryLoadProcSemaphore$EnterExceptionFilterIncrementInterlockedLeaveThreadUnhandled
        • String ID: MiniDumpWriteDump$UuidCreate$dbghelp.dll$rpcrt4.dll
        • API String ID: 57612072-801898421
        • Opcode ID: e917a48c7e06c41a006219f2ece5967ccb6316585c4b480bba6fe068f7076a15
        • Instruction ID: 808d9b9d1b7f5cfe58e39a47c1a8f54d58f8c5784242e6f281211dc09c3e51ee
        • Opcode Fuzzy Hash: e917a48c7e06c41a006219f2ece5967ccb6316585c4b480bba6fe068f7076a15
        • Instruction Fuzzy Hash: 0C81B0B1905B40AFC7209F799881A6ABBE5FF98704F44492EE59A93351DB30A804DB72
        APIs
          • Part of subcall function 00CEB030: std::_String_base::_Xlen.LIBCPMT ref: 00CEB08C
          • Part of subcall function 00D19360: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00D1939B
          • Part of subcall function 00D1B130: GetModuleFileNameW.KERNEL32(00000000,?,00000105,DFD45DFC), ref: 00D1B1B8
          • Part of subcall function 00D25AB0: GetCurrentProcessId.KERNEL32(DFD45DFC,00000000), ref: 00D25B29
        • CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,--crashed,00000009,?), ref: 00D14808
        • GetLastError.KERNEL32(?,?,?,--crashed,00000009,?), ref: 00D14812
          • Part of subcall function 00D1CF50: MessageBoxW.USER32(00000000,?,-00000004,00000010), ref: 00D1CFC6
          • Part of subcall function 00CF4320: Sleep.KERNEL32(00000064,00000000,DFD45DFC), ref: 00CF43A9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$CurrentErrorFileLastMessageModuleMutexNameProcessSleepString_base::_Xlenstd::_
        • String ID: ) - $--crashed$--loader$--reseller$--silent$--subid$--test$-installer-singleapplication-mutex$Unable to create temporary directory ($false$hasDownloadedUpdate
        • API String ID: 2873531572-663848665
        • Opcode ID: 7356bdd7ba7c9049490d5b95c3228223de1e02387066f85c1d79d9137f2e58c9
        • Instruction ID: 442444efbd395ee419d43a40ef666f8982287da85e91ae85b80660e1948f23b4
        • Opcode Fuzzy Hash: 7356bdd7ba7c9049490d5b95c3228223de1e02387066f85c1d79d9137f2e58c9
        • Instruction Fuzzy Hash: 69F195B1408780AAD724FB74F852AAFB7E8AF94300F44092DF59552152EF35DA48DBB3
        APIs
        • GetFileAttributesW.KERNEL32(?,00000010,00000000), ref: 00D19D7F
        • DeleteFileW.KERNEL32(?), ref: 00D19D8B
        • FindFirstFileW.KERNEL32(00000000,?), ref: 00D19E5A
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$AttributesDeleteFindFirst
        • String ID:
        • API String ID: 1749635688-0
        • Opcode ID: 0a891d54630eab947fac78295605dfba4de2e17bf6b3555eca30f2a147cb1a2f
        • Instruction ID: 7491a53e5fa893af7c29b8ecdcaf8330603c2558b222442cb55b986d20700f4f
        • Opcode Fuzzy Hash: 0a891d54630eab947fac78295605dfba4de2e17bf6b3555eca30f2a147cb1a2f
        • Instruction Fuzzy Hash: EDD11471409341ABD720EB28E854BEFB7E5AF95300F080A1DF58597295EB35D984CBB3
        APIs
        • GetProcessHeap.KERNEL32(00000000,0000000D,?,00D010CE,?,00D005AB,00000000), ref: 00D85088
        • RtlAllocateHeap.NTDLL(00000000,?,00D005AB), ref: 00D8508F
          • Part of subcall function 00D84FA0: IsProcessorFeaturePresent.KERNEL32(0000000C,00D85076,?,00D010CE,?,00D005AB,00000000), ref: 00D84FA2
        • RtlInterlockedPopEntrySList.NTDLL(00B3E288), ref: 00D8509C
        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00D005AB,00000000), ref: 00D850B1
        • RtlInterlockedPopEntrySList.NTDLL(?), ref: 00D850CA
        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00D005AB,00000000), ref: 00D850DE
        • RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00D850F5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: EntryInterlockedList$HeapVirtual$AllocAllocateFeatureFreePresentProcessProcessorPush
        • String ID:
        • API String ID: 1137860932-0
        • Opcode ID: fd9ca7116582777fce8f3ec228664c862fd0e48b8f3f8f1f3fbddf4cb67472df
        • Instruction ID: 3922b84c1ef7e08d9c92af970630813a05ffdb087a678bfe3edfc3db034dd6d9
        • Opcode Fuzzy Hash: fd9ca7116582777fce8f3ec228664c862fd0e48b8f3f8f1f3fbddf4cb67472df
        • Instruction Fuzzy Hash: 6C012D36648B11E7DB317B38BC0CB6A37A9AB80791F190122F985D6398DF21DC40CBB5
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • FindResourceW.KERNEL32(00000000,?,ARCHIVE_7Z,?,00000000), ref: 00D048F4
        • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00D04917
        • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00D04925
        • LockResource.KERNEL32(00000000,?,00000000), ref: 00D04930
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Resource$ByteCharMultiWide$FindLoadLockSizeof
        • String ID: ARCHIVE_7Z
        • API String ID: 1289833662-1362570139
        • Opcode ID: 5b9e54f6c21de72ce943c5c371eaa0c552a5720bfd14b25fd67cdfb9eada1dc2
        • Instruction ID: 6e59bc2d6735e4234c4722ca029ecac99ceed1123922011d147ebb4672445954
        • Opcode Fuzzy Hash: 5b9e54f6c21de72ce943c5c371eaa0c552a5720bfd14b25fd67cdfb9eada1dc2
        • Instruction Fuzzy Hash: 1F2190B2504309AFC610EF29FC45E1BB7E8EB84B11F14492EF44AD3250DA35E9088B76
        APIs
        • LoadLibraryA.KERNEL32(?), ref: 00E3442A
        • GetProcAddress.KERNEL32(?,00E2CFF9), ref: 00E34448
        • ExitProcess.KERNEL32(?,00E2CFF9), ref: 00E34459
        • VirtualProtect.KERNEL32(00CE0000,00001000,00000004,?,00000000), ref: 00E344A7
        • VirtualProtect.KERNEL32(00CE0000,00001000), ref: 00E344BC
        Memory Dump Source
        • Source File: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
        • String ID:
        • API String ID: 1996367037-0
        • Opcode ID: ae3aef0ed4a2de46403f7ca819e42a16f40707c9fbdfcb5131a5df5c3187834b
        • Instruction ID: d40e87703871eb104ce8ec52762fe1ff1164c75ea4a4c2ae507f605064f6d98e
        • Opcode Fuzzy Hash: ae3aef0ed4a2de46403f7ca819e42a16f40707c9fbdfcb5131a5df5c3187834b
        • Instruction Fuzzy Hash: D55105F2A542124AD7209E789CC86B4BFA4EB51328F281778C5F6E73C5E7A47806C760
        APIs
        • CreateToolhelp32Snapshot.KERNEL32 ref: 00D22677
        • Process32FirstW.KERNEL32(00000000,00000002), ref: 00D22684
        • Process32NextW.KERNEL32(00000000,?), ref: 00D226A9
        • FindCloseChangeNotification.KERNEL32(00000000,00000000,00000002), ref: 00D226B8
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
        • String ID:
        • API String ID: 3243318325-0
        • Opcode ID: 5cf5a8af482a6cf2852305024149e9d7d866eba87d591386c789b8d165bfb81c
        • Instruction ID: 5d5cb2f23261eca38ee9dfb490795fa36e0e546f517ed1860fc528102d358d29
        • Opcode Fuzzy Hash: 5cf5a8af482a6cf2852305024149e9d7d866eba87d591386c789b8d165bfb81c
        • Instruction Fuzzy Hash: ED017172605311BBE621EB64AC8AA7F73E8FFA4354F440929F54496240E7749D0487B2
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00D060B1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CreateNamedPipe
        • String ID: CreateNamedPipe failed: $\\.\pipe\
        • API String ID: 3952897411-3071662798
        • Opcode ID: aca7be49148cb5be0a21987f39a2267ba3af041c8b6ef09e8be78dfc937411a5
        • Instruction ID: 07eb8b1b427d960ea74f332221517ba1b2e247e4f7bf47e41edc23ec381ebbd7
        • Opcode Fuzzy Hash: aca7be49148cb5be0a21987f39a2267ba3af041c8b6ef09e8be78dfc937411a5
        • Instruction Fuzzy Hash: 3D315EB2408340AFE710EF689C85B5BB7E8EB94354F444A2DF55983382E735E9188B73
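The entries above are the report's per-function API lists, and read together they describe the installer's plumbing: a crash handler that loads dbghelp.dll, resolves MiniDumpWriteDump and installs SetUnhandledExceptionFilter; a stub in the 00E34000 region that walks LoadLibraryA/GetProcAddress and then calls VirtualProtect on the first page of the image at 00CE0000 (the dump's "Offset"); a CreateToolhelp32Snapshot/Process32FirstW/Process32NextW process walk; and a CreateNamedPipeW server under \\.\pipe\. One caveat when reading the process-walk entry: the FindCloseChangeNotification after Process32NextW is very likely the CloseHandle on the snapshot, since the two kernel32 exports share an implementation and can resolve to the same address. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses listing lines in exactly this format into per-function call sequences and tags each function with the API idiom it matches. The tag names and patterns are mine; the input lines are copied from this page and shortened.

```python
"""Group Joe Sandbox 'APIs' listing lines into functions and tag known API idioms.

Added example, not part of the report or of the sample. Pattern names are mine;
the input lines are copied from this page.
"""
import re

# Matches "• Name.Module(args), ref: ADDR", "• Name.Module ref: ADDR" and the
# "• Part of subcall function ADDR: ..." variant the report uses for callees.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


def parse_api_blocks(text):
    """Return one list per 'APIs' block; entries are (name, module, args, is_subcall)."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
        elif stripped in ("Strings", "Memory Dump Source", "Similarity"):
            current = None  # section headers that end the call list of a function
        elif current is not None:
            m = CALL_RE.match(line)
            if m:
                current.append((m["name"], m["module"], m["args"] or "", m["sub"] is not None))
    return blocks


# (tag, API names that must all appear, substring that must appear in some argument list).
# The VirtualProtect hint is this sample's image base (the dump 'Offset: 00CE0000').
PATTERNS = [
    ("dynamic-import-resolution", {"LoadLibraryA", "GetProcAddress"}, None),
    ("dynamic-import-resolution", {"LoadLibraryW", "GetProcAddress"}, None),
    ("crash-minidump-handler", {"SetUnhandledExceptionFilter", "GetProcAddress"}, "MiniDumpWriteDump"),
    ("process-enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, None),
    ("embedded-resource-payload", {"FindResourceW", "LoadResource", "LockResource"}, None),
    ("named-pipe-server", {"CreateNamedPipeW"}, None),
    ("rewrites-image-header", {"VirtualProtect"}, "00CE0000,00001000"),
    ("single-instance-mutex", {"CreateMutexW", "GetLastError"}, None),
]


def tag_block(calls):
    """Tags whose API set is a subset of the block's calls and whose argument hint occurs."""
    names = {name for name, _, _, _ in calls}
    args = " ".join(a for _, _, a, _ in calls)
    return {tag for tag, needed, hint in PATTERNS
            if needed <= names and (hint is None or hint in args)}


def tag_listing(text):
    """Sorted tag list per function, in listing order."""
    return [sorted(tag_block(b)) for b in parse_api_blocks(text)]


# Constructed input: four function entries copied from this page, shortened.
SAMPLE_LISTING = """\
        APIs
        • LoadLibraryW.KERNEL32(dbghelp.dll), ref: 00D28588
        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 00D2859D
        • SetUnhandledExceptionFilter.KERNEL32(00D28180,00000000), ref: 00D2866A
          • Part of subcall function 00D27800: CloseHandle.KERNEL32(?,00000000,00000000,00D28512), ref: 00D27812
        Memory Dump Source
        APIs
        • LoadLibraryA.KERNEL32(?), ref: 00E3442A
        • GetProcAddress.KERNEL32(?,00E2CFF9), ref: 00E34448
        • VirtualProtect.KERNEL32(00CE0000,00001000,00000004,?,00000000), ref: 00E344A7
        Memory Dump Source
        APIs
        • CreateToolhelp32Snapshot.KERNEL32 ref: 00D22677
        • Process32FirstW.KERNEL32(00000000,00000002), ref: 00D22684
        • Process32NextW.KERNEL32(00000000,?), ref: 00D226A9
        Memory Dump Source
        APIs
        • CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00D060B1
        Strings
"""

if __name__ == "__main__":
    for i, tags in enumerate(tag_listing(SAMPLE_LISTING)):
        print(f"function {i}: {', '.join(tags) or '-'}")
```

Tags are deliberately per function rather than per process: the same sample also has a separate WinINet download routine and a mutex check, and keeping the idioms attached to the function that exhibits them is what lets an analyst jump from a signature like "AV process strings found" to the one Toolhelp32 loop that would use them.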
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00D08171
        • RtlEnterCriticalSection.NTDLL(00DB6BB8), ref: 00D08185
        • RtlLeaveCriticalSection.NTDLL(00DB6BB8), ref: 00D0819E
        • LoadBitmapW.USER32(00CE0000,000000CD), ref: 00D08200
        • GetDlgItem.USER32(?,000003EB), ref: 00D0823C
        • ShowWindow.USER32(?,00000000,?,000003EB,?), ref: 00D08252
        • LoadBitmapW.USER32(00CE0000,000000CE), ref: 00D0828F
        • SetWindowLongW.USER32(?,000000F0,00000000,?,000003EB,?), ref: 00D082BB
        • ShowWindow.USER32(000000F0,00000000,?,000000F0,00000000,?,000003EB,?), ref: 00D082C6
        • ShowWindow.USER32(?,00000000,?,000000F0,00000000,?,000003EB,?), ref: 00D082D4
        • GetDlgItem.USER32(?,000003E8), ref: 00D082E2
        • LoadImageW.USER32(00CE0000,000000DB), ref: 00D08322
        • 73A0A570.USER32(00000000), ref: 00D0832F
        • MulDiv.KERNEL32(0000000A,00000000), ref: 00D08347
        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,000001F4,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,Tahoma), ref: 00D08375
        • SetWindowPos.USER32(?,00000000,00000000,00000000,000002A8,00000136,00000202), ref: 00D08396
          • Part of subcall function 00D08630: GetParent.USER32 ref: 00D08663
          • Part of subcall function 00D08630: GetWindowRect.USER32(?,?), ref: 00D0867C
          • Part of subcall function 00D08630: MonitorFromWindow.USER32(?,00000002), ref: 00D086B0
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • SetWindowTextW.USER32(?,?), ref: 00D0840A
        • InterlockedDecrement.KERNEL32(?), ref: 00D08423
        • LoadImageW.USER32(00CE0000,00000080), ref: 00D0853A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Window$Load$Show$BitmapByteCharCriticalImageItemMultiSectionWide$A570CreateCurrentDecrementEnterFontFromInterlockedLeaveLongMonitorParentRectTextThread
        • String ID: Quit installation$Tahoma
        • API String ID: 367893165-1570944880
        • Opcode ID: 108f109689dbc00174116b42af2e34d95e9ce050f788f2317cd45913e7367f4f
        • Instruction ID: 00de9db4a6674628220256d2be736304124ee8b9a5780a3222ab6cd8d24d9574
        • Opcode Fuzzy Hash: 108f109689dbc00174116b42af2e34d95e9ce050f788f2317cd45913e7367f4f
        • Instruction Fuzzy Hash: 81D167B1504705AFD710EF64DC85A6BBBE8FF84704F044A1EF59A87291EB74A908CB72
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: FailCnt: $ $!$CRC error$Can't allocate memory$Can't close output file $Can't create directory $Can't open output file $Can't write output file $Decoder doesn't support this archive$Error $Memory$Resource: $SZ_ERROR_FAIL: $Sha1: $Size: $Unable to load resource $Unable to open
        • API String ID: 0-33340204
        • Opcode ID: 45c8cc6fbb7547df1bc8b1485f88557594a543b38534d390bc0696a1331c3b28
        • Instruction ID: e5ce3254f85817591cf4aba1e1e55b886191fb0e02842d3ff0191990eff9be8e
        • Opcode Fuzzy Hash: 45c8cc6fbb7547df1bc8b1485f88557594a543b38534d390bc0696a1331c3b28
        • Instruction Fuzzy Hash: 50A25BB15083809BD730EB69D885BABB7E9AFD5304F444E1DF29987281DB70A548CB73
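An earlier entry calls FindResourceW / SizeofResource / LoadResource / LockResource on a resource named ARCHIVE_7Z, and the entry directly above carries 7-Zip SDK error strings (CRC error, Decoder doesn't support this archive, SZ_ERROR_FAIL, Can't allocate memory), so the embedded resource is most likely a 7z archive that the installer decompresses in memory. The Python below is an added example, not code from the report or from the sample: it carves and validates 7z archives in a byte blob by checking the 32-byte start header every 7z file begins with (signature, version, StartHeaderCRC over the following 20 bytes, NextHeaderOffset, NextHeaderSize, NextHeaderCRC, as documented in 7zFormat.txt in the 7-Zip SDK), which separates a real archive from a stray signature in a memory dump. The input blob is constructed here; on the real sample you would feed it the ARCHIVE_7Z resource extracted from the PE, or the bytes at the address LockResource returned in the process dump.

```python
"""Carve and validate 7z archives from a resource or memory blob.

Added example, not part of the Joe Sandbox report or the sample. The start
header layout follows 7zFormat.txt from the 7-Zip SDK; the input is constructed.
"""
import struct
import zlib

SEVENZ_MAGIC = b"7z\xBC\xAF\x27\x1C"
START_HEADER_SIZE = 32  # 6 signature + 2 version + 4 CRC + 20 bytes of start header


def parse_7z_start_header(blob, offset=0):
    """Parse and CRC-check the 7z signature header at `offset`; raise ValueError if invalid.

    Layout (little-endian):
      0   6  signature
      6   2  version (major, minor)
      8   4  StartHeaderCRC = CRC32 over bytes 12..31
      12  8  NextHeaderOffset (relative to the end of this 32-byte header)
      20  8  NextHeaderSize
      28  4  NextHeaderCRC
    """
    hdr = blob[offset:offset + START_HEADER_SIZE]
    if len(hdr) != START_HEADER_SIZE:
        raise ValueError("truncated start header")
    if hdr[:6] != SEVENZ_MAGIC:
        raise ValueError("bad 7z signature")
    major, minor, start_crc = struct.unpack_from("<BBI", hdr, 6)
    if zlib.crc32(hdr[12:32]) != start_crc:
        raise ValueError("StartHeaderCRC mismatch")
    next_off, next_size, next_crc = struct.unpack_from("<QQI", hdr, 12)
    nh_start = offset + START_HEADER_SIZE + next_off
    nh_end = nh_start + next_size
    if nh_end > len(blob):
        raise ValueError("NextHeader lies outside the blob (truncated carve)")
    if zlib.crc32(blob[nh_start:nh_end]) != next_crc:
        raise ValueError("NextHeaderCRC mismatch")
    return {
        "offset": offset,
        "version": (major, minor),
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "archive_size": START_HEADER_SIZE + next_off + next_size,
    }


def find_7z_archives(blob):
    """Every validated 7z archive in `blob`; bare or broken signatures are skipped."""
    found = []
    pos = blob.find(SEVENZ_MAGIC)
    while pos != -1:
        try:
            found.append(parse_7z_start_header(blob, pos))
        except ValueError:
            pass
        pos = blob.find(SEVENZ_MAGIC, pos + 1)
    return found


def build_7z_start_header(next_off, next_size, next_crc):
    """Build a valid start header (only used here to construct test input)."""
    body = struct.pack("<QQI", next_off, next_size, next_crc)
    return SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(body)) + body


# Constructed input: junk bytes, then an archive with 16 bytes of packed streams and
# an 8-byte (dummy) next header, then a bare signature with a broken start header of
# the kind a string table or a partially overwritten page leaves in a dump.
PACKED = b"\x00" * 16
NEXT_HEADER = b"\x01\x04\x06\x00\x01\x09\x10\x00"
SAMPLE_RESOURCE = (
    b"RESOURCE-JUNK-BYTES"
    + build_7z_start_header(len(PACKED), len(NEXT_HEADER), zlib.crc32(NEXT_HEADER))
    + PACKED
    + NEXT_HEADER
    + b"..." + SEVENZ_MAGIC + b"\x00" * 26
)

if __name__ == "__main__":
    for archive in find_7z_archives(SAMPLE_RESOURCE):
        print(archive)
```

The archive_size value is the number of bytes to carve from the hit offset; a carve that stops short fails the NextHeader bounds or CRC check instead of producing a file that 7z rejects later with the same "CRC error" the sample's own strings mention.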
        APIs
        • FindResourceW.KERNEL32(00CE0000,?,000000F0,DFD45DFC), ref: 00D10E42
        • LoadResource.KERNEL32(00CE0000,00000000), ref: 00D10E66
        • LockResource.KERNEL32(00000000), ref: 00D10E6D
        • FindResourceW.KERNEL32(00CE0000,?,00000005), ref: 00D10E7D
        • LoadResource.KERNEL32(00CE0000,00000000), ref: 00D10E90
        • LockResource.KERNEL32(00000000), ref: 00D10E9B
        • GetWindow.USER32(?,00000005), ref: 00D10EE1
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00D10F41
        • GlobalFix.KERNEL32(00000000), ref: 00D10F52
        • GlobalUnWire.KERNEL32(00000000), ref: 00D10F6F
        • MapDialogRect.USER32(?,?), ref: 00D1102A
        • SetWindowContextHelpId.USER32(?,00000000), ref: 00D11094
        • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 00D110DD
        • SysFreeString.OLEAUT32(?), ref: 00D110F5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Resource$GlobalWindow$FindLoadLock$AllocContextDialogFreeHelpRectStringWire
        • String ID:
        • API String ID: 3021818-0
        • Opcode ID: 10df99ca443dfc8c63a215b9c0650f6f01f52a9357e99a4186ffafbbacb592c8
        • Instruction ID: eb0889af7948157a7acbf8269885a002fb280124a95befdb6de577daaecdb756
        • Opcode Fuzzy Hash: 10df99ca443dfc8c63a215b9c0650f6f01f52a9357e99a4186ffafbbacb592c8
        • Instruction Fuzzy Hash: 93B18BB4508355AFC714DF14E881AAFBBE8FB88B40F144919FA85D7290DA74D8C1CBB2
        APIs
        • CallWindowProcW.USER32(?,?,?,?,?), ref: 00CFFEB1
        • GetDlgCtrlID.USER32(?), ref: 00CFFECA
        • GetParent.USER32(?), ref: 00CFFED8
        • SetCapture.USER32(?), ref: 00CFFEE4
        • PeekMessageW.USER32(00000202,?,00000202,00000202,00000001), ref: 00CFFEFF
        • SendMessageW.USER32(00000000,00000111,?,?), ref: 00CFFF27
        • Sleep.KERNEL32(?), ref: 00CFFF2D
        • PeekMessageW.USER32(00000202,?,00000202,00000202,00000001), ref: 00CFFF4D
        • SendMessageW.USER32(00000000,00000111,?,?), ref: 00CFFF6A
        • ReleaseCapture.USER32 ref: 00CFFF6C
        • SendMessageW.USER32(?,00000202,00000000,00000000), ref: 00CFFF7F
        • GetCursorPos.USER32(?), ref: 00CFFF8E
        • ScreenToClient.USER32(?,?), ref: 00CFFF9D
        • SendMessageW.USER32(?,00000200,00000000,?), ref: 00CFFFBD
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Send$CapturePeek$CallClientCtrlCursorParentProcReleaseScreenSleepWindow
        • String ID:
        • API String ID: 1184555794-0
        • Opcode ID: 534e3cb02ecb8ce926c95c4b541923e410b2533143b6099f9780fe1d675c4fee
        • Instruction ID: fb29c0a0e7badb3963354992a3218b491ecceb73d3830bdfd186f678a0f9f20f
        • Opcode Fuzzy Hash: 534e3cb02ecb8ce926c95c4b541923e410b2533143b6099f9780fe1d675c4fee
        • Instruction Fuzzy Hash: EA310975204300ABD354CF65DD89E3BB7E9EF88B01F00890EFA96C3691DA70E905CB61
        APIs
        • BeginPaint.USER32(?,?,DFD45DFC), ref: 00D07627
        • GetClientRect.USER32(?,?), ref: 00D07641
        • SelectObject.GDI32(00000000,?), ref: 00D0767B
        • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00D076AA
        • SelectObject.GDI32(00000000,?), ref: 00D076B1
        • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00D076EB
        • DrawIconEx.USER32(?,?,?,?,00000000,00000000,00000000,00000000,00000003), ref: 00D07711
        • SelectObject.GDI32(?,?), ref: 00D0773E
        • SetBkMode.GDI32(?,00000001), ref: 00D07747
        • DrawTextW.USER32(?,?,000000FF,?,00000124), ref: 00D07771
        • InterlockedDecrement.KERNEL32(?), ref: 00D0778A
        • DeleteDC.GDI32(00000000), ref: 00D077A5
        • EndPaint.USER32(?,?), ref: 00D077B5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ObjectSelect$DrawPaintStretch$BeginClientDecrementDeleteIconInterlockedModeRectText
        • String ID:
        • API String ID: 784994728-0
        • Opcode ID: c849a00208fe48593eabacbe7f62d01d6b9b9ccde7b37ddb3f9a6e900e1a52fb
        • Instruction ID: 02ac75cbdc0b370f4f3584962c68bf80393ae619a8952019ce7fb10bd9d86bfb
        • Opcode Fuzzy Hash: c849a00208fe48593eabacbe7f62d01d6b9b9ccde7b37ddb3f9a6e900e1a52fb
        • Instruction Fuzzy Hash: 6D51F4B1208700AFD214DB69DC85F6BB7E9FBC8B14F508A0DF59AD3290DA70E805CB65
        APIs
        • SysFreeString.OLEAUT32(?), ref: 00D03052
        • SysStringByteLen.OLEAUT32(?), ref: 00D03133
        • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00D0313B
        • SysFreeString.OLEAUT32(?), ref: 00D03155
        • VariantInit.OLEAUT32 ref: 00D031C1
        • VariantClear.OLEAUT32(?), ref: 00D03250
        • SysFreeString.OLEAUT32(?), ref: 00D0325B
        • VariantInit.OLEAUT32(?), ref: 00D0327E
        • VariantChangeType.OLEAUT32 ref: 00D03295
        • VariantClear.OLEAUT32(?), ref: 00D032E6
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00D19C1F
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,?,00000000,00000000,00000000), ref: 00D19C3E
        • VariantClear.OLEAUT32(?), ref: 00D032ED
        • SysFreeString.OLEAUT32(?), ref: 00D032F4
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: StringVariant$ByteFree$Clear$CharInitMultiWide$AllocChangeType
        • String ID:
        • API String ID: 497852104-0
        • Opcode ID: e89a1bd87a0de83d0d379d71293d6f95e736c9a344da9be836ebce229c1c3559
        • Instruction ID: 969dbe5210ad879a2a934362c090bd18142323fac8a11fb65d047d6a66269750
        • Opcode Fuzzy Hash: e89a1bd87a0de83d0d379d71293d6f95e736c9a344da9be836ebce229c1c3559
        • Instruction Fuzzy Hash: 84B15B71608340AFC720EF68D884B6BB7E8EF98700F14491DF59997291D771EA448BB3
        APIs
          • Part of subcall function 00D101F0: RtlEnterCriticalSection.NTDLL(00DB78D0), ref: 00D101FC
          • Part of subcall function 00D101F0: RegisterClipboardFormatW.USER32(WM_ATLGETHOST), ref: 00D1020D
          • Part of subcall function 00D101F0: RegisterClipboardFormatW.USER32(WM_ATLGETCONTROL), ref: 00D10219
          • Part of subcall function 00D101F0: GetClassInfoExW.USER32(00CE0000,AtlAxWin90,?), ref: 00D10240
          • Part of subcall function 00D101F0: LoadCursorW.USER32 ref: 00D1027E
          • Part of subcall function 00D101F0: RegisterClassExW.USER32 ref: 00D102A1
          • Part of subcall function 00D101F0: GetClassInfoExW.USER32(00CE0000,AtlAxWinLic90,?), ref: 00D102EA
          • Part of subcall function 00D101F0: LoadCursorW.USER32 ref: 00D10322
          • Part of subcall function 00D101F0: RegisterClassExW.USER32 ref: 00D10345
        • FindResourceW.KERNEL32 ref: 00D15516
        • FindResourceW.KERNEL32(?,?,000000F0), ref: 00D15529
        • LoadResource.KERNEL32(?,00000000), ref: 00D15539
        • LockResource.KERNEL32(00000000), ref: 00D1553C
        • LoadResource.KERNEL32(?,00000000), ref: 00D1554E
        • LockResource.KERNEL32(00000000), ref: 00D15555
        • CreateDialogIndirectParamW.USER32(?,00000000,?,?,?), ref: 00D1557E
        • GetLastError.KERNEL32 ref: 00D1558A
        • GlobalHandle.KERNEL32(00000000), ref: 00D15599
        • GlobalFree.KERNEL32(00000000), ref: 00D155A0
        • GetLastError.KERNEL32 ref: 00D155A8
        • SetLastError.KERNEL32(00000000), ref: 00D155BF
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Resource$ClassLoadRegister$ErrorLast$ClipboardCursorFindFormatGlobalInfoLock$CreateCriticalDialogEnterFreeHandleIndirectParamSection
        • String ID:
        • API String ID: 826518874-0
        • Opcode ID: 067abfeeb842c1087bf5c4dcd2dd9af60268b596050c823b7e46dbcb53d21ab7
        • Instruction ID: 718f94dc400f226ce982890ab6f262907bb4df5b85b34bab9eb44fb922d73d25
        • Opcode Fuzzy Hash: 067abfeeb842c1087bf5c4dcd2dd9af60268b596050c823b7e46dbcb53d21ab7
        • Instruction Fuzzy Hash: 64215A71204701BBD210AFA4BC48AABB7ADEFC9752F05051AF904E3300DB79DD098AB2
        APIs
        • OleUninitialize.OLE32 ref: 00D07D92
        • OleInitialize.OLE32(00000000), ref: 00D07DA0
        • GetWindowTextLengthW.USER32(?), ref: 00D07DA7
        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00D07DFE
        • SetWindowTextW.USER32(?,Function_000B5924), ref: 00D07E0A
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00D07E26
        • GlobalFix.KERNEL32(00000000), ref: 00D07E42
        • GlobalUnWire.KERNEL32(00000000), ref: 00D07E5D
        • SysFreeString.OLEAUT32(00000000), ref: 00D07E95
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: GlobalTextWindow$AllocFreeInitializeLengthStringUninitializeWire
        • String ID:
        • API String ID: 1289996212-0
        • Opcode ID: 219f346c71a03b6e3edf38b5d66b33cec2164fe3210a67b6f8044538cab12aec
        • Instruction ID: 12478f4c21276181b5cb6fcea3911c1a8d40dc3b12b7e06a9f95c522fb4b67cf
        • Opcode Fuzzy Hash: 219f346c71a03b6e3edf38b5d66b33cec2164fe3210a67b6f8044538cab12aec
        • Instruction Fuzzy Hash: 96916B75905206AFDB11DBA4CC85FAEBBB8EF88310F144649F50AEB290DB74AD41CB71
        APIs
        • GetFileAttributesW.KERNEL32(00000000,DFD45DFC,?,?,?,00000000), ref: 00D1DD5C
        • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 00D1DD6B
        • GetLastError.KERNEL32(?,00000000), ref: 00D1DD75
        • GetFileAttributesW.KERNEL32(00000000,?,00000000), ref: 00D1DD8C
        • CreateDirectoryW.KERNEL32(?,00000000,DFD45DFC,?,?,?,00000000), ref: 00D1DDAC
        • GetFileAttributesW.KERNEL32(00000000,?,00000000), ref: 00D1E041
        • GetLastError.KERNEL32(?,00000000), ref: 00D1DDBA
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00D19C1F
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,?,00000000,00000000,00000000), ref: 00D19C3E
          • Part of subcall function 00D1D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,?), ref: 00D1D8DF
          • Part of subcall function 00D1D850: GetLastError.KERNEL32(?,?,?,?), ref: 00D1D8E9
          • Part of subcall function 00D1D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1D98E
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AttributesErrorFileLast$ByteCharCreateDirectoryMultiWide$FormatIos_base_dtorMessageString_base::_Xlenstd::_std::ios_base::_
        • String ID: exists and is not a directory
        • API String ID: 2742050257-940336721
        • Opcode ID: fe514e984b81efb5e0729fad22ea2ebd5e2f881b1172e47b35e94d449967eef1
        • Instruction ID: bc04223744b5db9d483c9cc3574e3c1b9bafb790f23568dd0b113bb523126af4
        • Opcode Fuzzy Hash: fe514e984b81efb5e0729fad22ea2ebd5e2f881b1172e47b35e94d449967eef1
        • Instruction Fuzzy Hash: D5B1C3B1808380ABD720EB68E845B9BB7E9EF99704F044D1EF58997341DB759484CBB3
        APIs
        • EnumProcesses.PSAPI(?,00001000,?,DFD45DFC,00000000,?,0000000F,00000000,00000000,00D8C67D,000000FF,00D1FD74,00000000,00100001), ref: 00D1E945
        • GetCurrentProcessId.KERNEL32(?,00001000,?,DFD45DFC,00000000,?,0000000F,00000000,00000000,00D8C67D,000000FF,00D1FD74,00000000,00100001), ref: 00D1E9E3
        • OpenProcess.KERNEL32(?,00000000,?), ref: 00D1EA15
        • GetModuleBaseNameW.PSAPI(00000000,00000000,?,000003E8), ref: 00D1EA35
        • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,?,00000000,00000026,00000000,00000000,000000FF), ref: 00D1EA9C
          • Part of subcall function 00D05DF0: GetLastError.KERNEL32(00000010,?,00D45DE7), ref: 00D05DFA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process$BaseChangeCloseCurrentEnumErrorFindLastModuleNameNotificationOpenProcesses
        • String ID: not found$EnumProcesses error: $Process
        • API String ID: 2225575167-343186101
        • Opcode ID: e1bdff6dd807c6092d8e6ef12a3c8045548f95660a325bbe06e5b44cc9c7f010
        • Instruction ID: 1488f2a62b03f95581525934052e6c344dc90589e46760b4be1370979b259033
        • Opcode Fuzzy Hash: e1bdff6dd807c6092d8e6ef12a3c8045548f95660a325bbe06e5b44cc9c7f010
        • Instruction Fuzzy Hash: 2E6193B1508380ABD320EB64E845BEBB7E9EF84704F504A1DF58987281DF75E584C7B2
        APIs
        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,DFD45DFC,0000000F,?,00000000), ref: 00D1F2A3
        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00D1F333
        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00D1F38B
        • FindCloseChangeNotification.KERNEL32(00000000), ref: 00D1F3AF
          • Part of subcall function 00D05DF0: GetLastError.KERNEL32(00000010,?,00D45DE7), ref: 00D05DFA
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        • CloseHandle.KERNEL32(00000000), ref: 00D1F488
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$Close$ChangeCreateErrorFindHandleLastNotificationReadSizeString_base::_Xlenstd::_
        • String ID: CreateFile error: $GetFileSizeEx error: $ReadFile error:
        • API String ID: 2865982651-1889545721
        • Opcode ID: ce0aa43ae9f529f7c1616bb1ec357a42d2b1de3349d3ff7e92aa72ebca1c1b2f
        • Instruction ID: edbe58719b6354f019f01a5befdc7aa7946fb990bcc825404872fab6c548bbd8
        • Opcode Fuzzy Hash: ce0aa43ae9f529f7c1616bb1ec357a42d2b1de3349d3ff7e92aa72ebca1c1b2f
        • Instruction Fuzzy Hash: 14518DB1508380AFD720EB64D885BABB7E8EF94704F404E2DF59597281DB74E8448B73
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: FailCnt: $!$Memory$SZ_ERROR_FAIL: $Sha1: $Size:
        • API String ID: 0-4105679911
        • Opcode ID: d4b7f5bc2ca8894204327a94171c1835742e06dcc23e3f20c31a51edb391ac3b
        • Instruction ID: 7b4360f681ad0bd5f6f243fc90b638cd3c8673d7597dad254db9220391fd56c9
        • Opcode Fuzzy Hash: d4b7f5bc2ca8894204327a94171c1835742e06dcc23e3f20c31a51edb391ac3b
        • Instruction Fuzzy Hash: E8A150B19083819BC770EF64D885BEFB7E9ABD5304F444A1DF69D87281DB70A5088B63
        APIs
        • AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,00000000,?), ref: 00D3E031
        • AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,?), ref: 00D3E051
          • Part of subcall function 00CF8CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CF8D3A
          • Part of subcall function 00CEAD10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAD4A
          • Part of subcall function 00CEAD10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAD61
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AssocQueryStringString_base::_Xlenstd::_$Ios_base_dtorstd::ios_base::_
        • String ID: E_POINTER$ S_FALSE $AssocQueryStringW$http$open
        • API String ID: 3378744118-2736408121
        • Opcode ID: be72ec37ed95773da196ffe55987c9e21542a92a17164978d496d464d1a4e8a6
        • Instruction ID: c837e08a6cc613e0abd6ac4854e928521fe6826cb9f88d7d1ab9ee1bb8aefff4
        • Opcode Fuzzy Hash: be72ec37ed95773da196ffe55987c9e21542a92a17164978d496d464d1a4e8a6
        • Instruction Fuzzy Hash: BE619FB2D01258AFCF14EBE8DD81AEEB7B9EB54710F14451AF405A7281DB74AA04CBB1
        APIs
          • Part of subcall function 00D1A5F0: RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1A650
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
          • Part of subcall function 00D1A5F0: RegQueryValueExW.ADVAPI32 ref: 00D1A6D9
          • Part of subcall function 00D1A5F0: RegCloseKey.ADVAPI32(?), ref: 00D1A6E8
        • SHGetSpecialFolderPathW.SHELL32 ref: 00D1FC67
        • GetModuleFileNameExW.PSAPI(00000000,00000000,00000000,00000104,00000026,00000000,00000000,000000FF,?,?,?,?,?,?,00D92949,000000FF), ref: 00D1FD85
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104,00000026,00000000,00000000,000000FF,?,?,?,?,?,?,00D92949), ref: 00D1FD8B
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00D19C1F
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,?,00000000,00000000,00000000), ref: 00D19C3E
          • Part of subcall function 00D19670: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1969C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharCloseFileMultiWide$AttributesFolderHandleModuleNameOpenPathQuerySpecialString_base::_ValueXlenstd::_
        • String ID: SOFTWARE\$Software\
        • API String ID: 3206570634-1851597529
        • Opcode ID: 672f7ee1be472bac82f5b2e7953f02c8fa21e6f2bbe5bd5b865a8ceb43f20ddd
        • Instruction ID: 91f48ec8b4e3a85fa81e3767dbd6468e091eb338b9de54052fd40a63554a86c9
        • Opcode Fuzzy Hash: 672f7ee1be472bac82f5b2e7953f02c8fa21e6f2bbe5bd5b865a8ceb43f20ddd
        • Instruction Fuzzy Hash: C8D183B14083C0AED730EB65E841BEBB7E9AF95700F444A1DF58952282EF75A548CB73
        APIs
        • ShowWindow.USER32(00000000,00000005,?,?,00D06FDE,?,00000001,00CE8BA4), ref: 00D18E70
        • SetForegroundWindow.USER32(00000000), ref: 00D18E77
        • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,00D06FDE,?,00000001,00CE8BA4), ref: 00D18E90
        • Sleep.KERNEL32(00000064,?,?,00D06FDE,?,00000001,00CE8BA4), ref: 00D18E94
        • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,00D06FDE,?,00000001,00CE8BA4), ref: 00D18EA7
        • ShowWindow.USER32(00000001,00000000,00D06FDE,?,00000001,00CE8BA4), ref: 00D18EB3
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Window$Show$ForegroundSleep
        • String ID:
        • API String ID: 810539981-0
        • Opcode ID: 7dd6add5128fcfa397ad2429d108d2cb645da60dd1f55435b7dd032a01f0c541
        • Instruction ID: 13c88aa845dd6347ef3609090b8f0aa3d97943c98667fb4280badc17497da4b0
        • Opcode Fuzzy Hash: 7dd6add5128fcfa397ad2429d108d2cb645da60dd1f55435b7dd032a01f0c541
        • Instruction Fuzzy Hash: 37F030313897517AFA316754EC0EF9F3A689BC5F21F354205F310BA2E08AF465418B79
        APIs
        • RtlEnterCriticalSection.NTDLL(00DB6BB8), ref: 00D0A3E5
        • GetModuleFileNameW.KERNEL32(00CE0000,?,00000104), ref: 00D0A454
        • LoadTypeLib.OLEAUT32(?,?), ref: 00D0A47B
        • LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D0A4A6
        • RtlLeaveCriticalSection.NTDLL(00DB6BB8), ref: 00D0A5B1
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalLoadSectionType$EnterFileLeaveModuleName
        • String ID:
        • API String ID: 2487232618-0
        • Opcode ID: 22c3e35e47ecd831180bea2c43f4a66356ed0c17696ce7b23f997251173bdc84
        • Instruction ID: 90270804d539b234000c8dc431495635a901b8a2b6f6369d19663503ec9157b2
        • Opcode Fuzzy Hash: 22c3e35e47ecd831180bea2c43f4a66356ed0c17696ce7b23f997251173bdc84
        • Instruction Fuzzy Hash: 0B713975604341DFC724DF68D888A6AB7E5FB88310F14892DE18ECB2A1D674E945CB72
        APIs
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        • GetCurrentThreadId.KERNEL32 ref: 00D01F0D
        • SendMessageW.USER32(00000000), ref: 00D01F2E
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D01F44
        • Sleep.KERNEL32(00000064), ref: 00D01F52
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D01F5E
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Peek$CurrentSendSleepString_base::_ThreadXlenstd::_
        • String ID:
        • API String ID: 3621029273-0
        • Opcode ID: abe736b0a6798ee137caadeba519d63502170b0fd8f596c8e7f4dad4d8a089f5
        • Instruction ID: 5be6aec7c3a87466bf6ba442b726e6b426376cf058e8e5f27ed9c07ac8a2c795
        • Opcode Fuzzy Hash: abe736b0a6798ee137caadeba519d63502170b0fd8f596c8e7f4dad4d8a089f5
        • Instruction Fuzzy Hash: 74315EB1508344AFD320DF59DC80B6BBBE8FF98750F504A2EB59983390DA719804CB62
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00D01C61
        • SendMessageW.USER32(00000000), ref: 00D01C95
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D01CA4
        • Sleep.KERNEL32(00000064), ref: 00D01CB2
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D01CC1
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Peek$CurrentSendSleepThread
        • String ID:
        • API String ID: 3626649275-0
        • Opcode ID: f31381ed6010b98c15ae5b641ba4dd298180b4d17b8b9706090bda21de363f3a
        • Instruction ID: bb1d991a724085243a39f82af92687d07d441d12319faf563587a3be5fca3197
        • Opcode Fuzzy Hash: f31381ed6010b98c15ae5b641ba4dd298180b4d17b8b9706090bda21de363f3a
        • Instruction Fuzzy Hash: 3D0175352803057BE710DB61DC85FAAB7A8EB88B54F040519FB04DA2C0D7B1E949CBB6
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1A650
        • RegQueryValueExW.ADVAPI32 ref: 00D1A6D9
        • RegCloseKey.ADVAPI32(?), ref: 00D1A6E8
        • RegCloseKey.ADVAPI32(?), ref: 00D1A706
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharCloseMultiWide$OpenQueryValue
        • String ID:
        • API String ID: 3924453400-0
        • Opcode ID: 1f58bc1976f8367622ffdbd5db129e46dd8f9f6bfc13305b8cdee085725a04ff
        • Instruction ID: ac20c98a30f068ced64ab0b0f0a45c025446c56353ad18edf01a3280217b229f
        • Opcode Fuzzy Hash: 1f58bc1976f8367622ffdbd5db129e46dd8f9f6bfc13305b8cdee085725a04ff
        • Instruction Fuzzy Hash: F9415FB1509341ABC710DF19EC81A6BBBE8FB89714F484A2DF58593241DB39E944CBB2
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • RegOpenKeyExW.KERNEL32(?,?,00000000,00000008,?,0000000F,?,?,?,?,?,?,?,SOFTWARE\Clients\StartMenuInternet,00000022,DFD45DFC), ref: 00D1F521
        • RegEnumKeyW.ADVAPI32 ref: 00D1F562
        • RegCloseKey.KERNEL32(?), ref: 00D1F5B4
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00D19C1F
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,?,00000000,00000000,00000000), ref: 00D19C3E
        • RegEnumKeyW.ADVAPI32(?,00000001,00000000,000003E8), ref: 00D1F5A9
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$Enum$CloseOpen
        • String ID:
        • API String ID: 3469212518-0
        • Opcode ID: b8bff46f7ee5337083e34f903a73869b3dd84a6eda9687409ac0b3898e1331cb
        • Instruction ID: 6207596b839fe82cf1141cb2fc8ce11737a38a62383a1cfceb141337c15e2a1b
        • Opcode Fuzzy Hash: b8bff46f7ee5337083e34f903a73869b3dd84a6eda9687409ac0b3898e1331cb
        • Instruction Fuzzy Hash: 37316BB1A08341ABD610DF26EC45A5BBBEDEFD5B54F04092EF44993280DB74D9098BB2
        APIs
        • GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00D0DC86
        • FlushInstructionCache.KERNEL32(00000000), ref: 00D0DC8D
          • Part of subcall function 00D85107: GetProcessHeap.KERNEL32(00000000,0000000D,?,00D010CE,?,00D005AB,00000000), ref: 00D85088
          • Part of subcall function 00D85107: RtlAllocateHeap.NTDLL(00000000,?,00D005AB), ref: 00D8508F
        • SetLastError.KERNEL32(0000000E), ref: 00D0DCA7
          • Part of subcall function 00D0DA80: RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00D0DA92
          • Part of subcall function 00D0DA80: GetCurrentThreadId.KERNEL32 ref: 00D0DAAC
          • Part of subcall function 00D0DA80: RtlEnterCriticalSection.NTDLL(?), ref: 00D0DAB9
          • Part of subcall function 00D0DA80: RtlLeaveCriticalSection.NTDLL(?), ref: 00D0DAC9
        • CreateWindowExW.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00CE0000,?), ref: 00D0DD23
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalCurrentHeapProcessSection$AllocateCacheCreateEnterErrorExceptionFlushInstructionLastLeaveRaiseThreadWindow
        • String ID:
        • API String ID: 2100251101-0
        • Opcode ID: 056324f6dc3f62ba2309e30999e2a62158a9176a1f267e92bbc97cf069b54118
        • Instruction ID: a41517644965d5834f0948a9c2605f50993f66ded3dfaeb979a8a4867da473a0
        • Opcode Fuzzy Hash: 056324f6dc3f62ba2309e30999e2a62158a9176a1f267e92bbc97cf069b54118
        • Instruction Fuzzy Hash: 9D216D72614310AFE3209F68DC48F67B7E9EFC8714F09864AB4499B290C670EC04CBB5
        APIs
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D119CD
        • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00D119EF
        • TranslateMessage.USER32(?), ref: 00D11A0C
        • DispatchMessageW.USER32(?), ref: 00D11A13
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$CallbackDispatchDispatcherPeekTranslateUser
        • String ID:
        • API String ID: 1533324876-0
        • Opcode ID: fd802f20eb0b097b2e9d02c468c48879ddf2a492c9b0a6b32959b46a1a3b0cf5
        • Instruction ID: 6d65b65f235af7ca39fbd6dd1c69a0287f210c823e658e33f75edf149ff2da17
        • Opcode Fuzzy Hash: fd802f20eb0b097b2e9d02c468c48879ddf2a492c9b0a6b32959b46a1a3b0cf5
        • Instruction Fuzzy Hash: 7711A5393413007BE2305659FCA9FBA72E8EF46741F290116F3A1D62D0EF50EC828AB1
        APIs
        • OpenProcess.KERNEL32(00000410,00000000,00000104,?,00000010,00D25B50,00000000,?,00000104), ref: 00D226EF
        • GetProcessImageFileNameW.PSAPI(00000000,00D25B50,00000010,?,00000010,00D25B50,00000000,?,00000104), ref: 00D22706
        • GetLastError.KERNEL32(00000000,00D25B50,00000010,?,00000010,00D25B50,00000000,?,00000104), ref: 00D2270F
        • CloseHandle.KERNEL32(00000000,00000000,00D25B50,00000010,?,00000010,00D25B50,00000000,?,00000104), ref: 00D22718
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process$CloseErrorFileHandleImageLastNameOpen
        • String ID:
        • API String ID: 1297415806-0
        • Opcode ID: 24864ae6f7862565dab9ccd16b7a5ab273d94ea0b114cdb71a439fab4b79272c
        • Instruction ID: f5a1329d5c2f005c04290624d97d6822e89ab733b625b2d0dded6d6de95a9c7a
        • Opcode Fuzzy Hash: 24864ae6f7862565dab9ccd16b7a5ab273d94ea0b114cdb71a439fab4b79272c
        • Instruction Fuzzy Hash: 53E0ED7A245721BB9211AB16FC08DBB77A9EBD5751B05452AFA00D3340D6709C058AB2
        APIs
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00D19C1F
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,?,00000000,00000000,00000000), ref: 00D19C3E
        • CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,00000080,00000000), ref: 00D1E4A6
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D1E4D9
        • CloseHandle.KERNEL32(00000000), ref: 00D1E4F0
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharFileMultiWide$CloseCreateHandleWrite
        • String ID:
        • API String ID: 411705059-0
        • Opcode ID: bd33efd50473ea57af7cddb45a5a84c2b44c294fae0110dbf42881c5f2fb7385
        • Instruction ID: 1cca508753cb021fe342c8c07c57e101d446a3735d6a919729f055e986261f75
        • Opcode Fuzzy Hash: bd33efd50473ea57af7cddb45a5a84c2b44c294fae0110dbf42881c5f2fb7385
        • Instruction Fuzzy Hash: 6D31CE71548300BBD610EB24FC46FABB7A8EB95714F400A19F991A32D1EB74D948CB72
        APIs
        • Sleep.KERNEL32(00000064,DFD45DFC,?,?,?), ref: 00D16B1F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Sleep
        • String ID: ms$disconnected by timeout
        • API String ID: 3472027048-1600369010
        • Opcode ID: 9749c8303f9e97b1e8841b19b5c13fabe8b6a6ed6a31330eec8e50839405c407
        • Instruction ID: 512f57c9f2323f848c77308311dbff70176eea64d76a80b2db9de9479c91387a
        • Opcode Fuzzy Hash: 9749c8303f9e97b1e8841b19b5c13fabe8b6a6ed6a31330eec8e50839405c407
        • Instruction Fuzzy Hash: 3D31B276108780AFE725DB24D841BEBBBE5FB95710F044A2DE496832D1DB38E848C772
        APIs
        • VariantInit.OLEAUT32 ref: 00D0989D
        • DispCallFunc.OLEAUT32(?,00000000,?,?,?,?,?,?), ref: 00D098CA
        • VariantClear.OLEAUT32(?), ref: 00D098D7
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Variant$CallClearDispFuncInit
        • String ID:
        • API String ID: 47416843-0
        • Opcode ID: eb8ded1b052dcb590daeb6dee4a4a30340deb48ba871a9e3655405d671324e51
        • Instruction ID: eec3d894b6ee57690dee42338e7956668e59fd174c1dc3b27850598dd3468104
        • Opcode Fuzzy Hash: eb8ded1b052dcb590daeb6dee4a4a30340deb48ba871a9e3655405d671324e51
        • Instruction Fuzzy Hash: 3C314876904315ABC714CF58D884AAAF7E5FBC5750F488A2EF9498B341D330E944CBA2
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00D1939B
        • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D193FF
        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00D1940F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CloseCreateValue
        • String ID:
        • API String ID: 2853857722-0
        • Opcode ID: fe1ced56e0ad8c3d2cd7c366b11c217971c07601cb3e4d93c30891120656d078
        • Instruction ID: b8073a399e84b1821fe4fda046925d269ad3b407ec0ae696050a5cbec5131f83
        • Opcode Fuzzy Hash: fe1ced56e0ad8c3d2cd7c366b11c217971c07601cb3e4d93c30891120656d078
        • Instruction Fuzzy Hash: 3D218EB24043047BD610EF55EC41DABBBADEBC9354F48490DF84993201EA36EA49CBB2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: AXWIN
        • API String ID: 0-1948516679
        • Opcode ID: 0c0d7fbfe0f5dedc5b2ca273c30701facb696d44566781d87672d048b49a3cad
        • Instruction ID: 1ca36f3fdadf0c164eec01a8ce1594e25f63d5256e8c2987dddbc0107804cd8f
        • Opcode Fuzzy Hash: 0c0d7fbfe0f5dedc5b2ca273c30701facb696d44566781d87672d048b49a3cad
        • Instruction Fuzzy Hash: 08F10474204705AFD710DFA8C880F2AB7EABF89704F24495DE65A8B3A5DB71EC05CB61
        APIs
        • CallWindowProcW.USER32(?,?,?,?,?), ref: 00D013CF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CallProcWindow
        • String ID: $
        • API String ID: 2714655100-3993045852
        • Opcode ID: fc53d245d632178784464eb8491c0262e2ab1fd94577bc8dc684399593e53d70
        • Instruction ID: 9efe3dcad06069f82d47c0757816a237d6d731cc913cebb0c05fd80badbec35d
        • Opcode Fuzzy Hash: fc53d245d632178784464eb8491c0262e2ab1fd94577bc8dc684399593e53d70
        • Instruction Fuzzy Hash: 544116B5608700AFC324DF19D88492BFBF8FB88714F548A1EF59AC36A1D731E9408B61
        APIs
        • SHGetSpecialFolderPathW.SHELL32 ref: 00D1A201
          • Part of subcall function 00D8614D: __onexit.MSVCRT ref: 00D86155
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FolderPathSpecial__onexit
        • String ID: C:\Users\user
        • API String ID: 1587657709-4201852577
        • Opcode ID: 79aa56ffa701a02f6a3686c808562a86c3b2a5ffcd30c60829768a031f90fce7
        • Instruction ID: 67aea410bfa0a8e3aaa9ecc4ffafad62228c5fbc315d22a3ca907d63d2227389
        • Opcode Fuzzy Hash: 79aa56ffa701a02f6a3686c808562a86c3b2a5ffcd30c60829768a031f90fce7
        • Instruction Fuzzy Hash: D42105B1549341EBD710AF24EC46B4B7ED4EB05B14F040619F485963D1DBBAD4488BB3
        APIs
        • CreateWindowExW.USER32(?,AtlAxWinLic90,?,?,?,?,?,?,?,?,00CE0000,?), ref: 00D10A4E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateWindow
        • String ID: AtlAxWinLic90
        • API String ID: 716092398-3795641830
        • Opcode ID: 25ecc665cc130d0e3aa0b8ab6f8edf2a8e3c905d89023d19cac38d0303b50650
        • Instruction ID: 7b1a3fcb4ed93b70ef98ddcccca24bd34657edab806fdd08eb9fa052c485c9b6
        • Opcode Fuzzy Hash: 25ecc665cc130d0e3aa0b8ab6f8edf2a8e3c905d89023d19cac38d0303b50650
        • Instruction Fuzzy Hash: 77F0C472204201AF8344DB59DD48C5BFBFEEFD9B20B1A855EB544E7224D6B0EC418BA1
        APIs
        • PostThreadMessageW.USER32(?,00000004,?,00000000), ref: 00D0218E
        • PostThreadMessageW.USER32(00000000,00000005,?,00000000), ref: 00D021C3
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: MessagePostThread
        • String ID:
        • API String ID: 1836367815-0
        • Opcode ID: 773bea1655199b62b9a712291a87d24f0dab43879d9db4eb4fc418980775613e
        • Instruction ID: 619ca07a5d7112b80d76696377e26ec862e884a193752a27dc93afb0eb7d8f11
        • Opcode Fuzzy Hash: 773bea1655199b62b9a712291a87d24f0dab43879d9db4eb4fc418980775613e
        • Instruction Fuzzy Hash: FC518E76204A009FC318EB28D891F5BB3E5FF99714F10862DE14A877A0EB31B944CBA5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: cbfe732b207a16ca19a133cb3caf173df1190581e6044e2e0bfe156a93a5509d
        • Instruction ID: 497fde979386ce19f826b3a87139aaaad7f4a6735bafdcafaad2adb919ca44ff
        • Opcode Fuzzy Hash: cbfe732b207a16ca19a133cb3caf173df1190581e6044e2e0bfe156a93a5509d
        • Instruction Fuzzy Hash: FE517074908755AFC720DF588C44BBA7BE4EB48700F44892EF9899A2D0E774EC4587B2
        APIs
        • Sleep.KERNEL32(00000064), ref: 00D24D49
          • Part of subcall function 00D1C650: GetTempPathW.KERNEL32(00000104,?,DFD45DFC,?,?), ref: 00D1C6D8
          • Part of subcall function 00D03560: TerminateThread.KERNEL32(0000000F,00000002,0000000F,00000000,00D24E26), ref: 00D0357A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: PathSleepTempTerminateThread
        • String ID: Unpacking resource
        • API String ID: 4147224453-2729382032
        • Opcode ID: 408cf72cb878e29f6917548b766096c75ec17ad26b16070615d10b9c48d47e64
        • Instruction ID: f2e67ef0115a9f7fe7c65019450332e0c254f28309be6dbdb4ed6ef0c969917c
        • Opcode Fuzzy Hash: 408cf72cb878e29f6917548b766096c75ec17ad26b16070615d10b9c48d47e64
        • Instruction Fuzzy Hash: 044182B1408380AED731EB64E841BAFB7E8AF95704F044D2DF59997282EB359548CB73
        APIs
        • std::_String_base::_Xlen.LIBCPMT ref: 00CEAD4A
        • std::_String_base::_Xlen.LIBCPMT ref: 00CEAD61
          • Part of subcall function 00D85A98: __EH_prolog3.LIBCMT ref: 00D85A9F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String_base::_Xlenstd::_$H_prolog3
        • String ID:
        • API String ID: 1152720618-0
        • Opcode ID: f3544e633cde66cd7c6b78c365f430316785f6106b58a1741290f541f16da870
        • Instruction ID: f20c08ad0b9b67716a345fe9a2b3bf5f0de7b4b0cd88bcd289f8f3c6400d72a2
        • Opcode Fuzzy Hash: f3544e633cde66cd7c6b78c365f430316785f6106b58a1741290f541f16da870
        • Instruction Fuzzy Hash: 9C31C1323006808FC724DE5AD9C0A6AF3E5DB91722B504A2EE562C7A51E770FE4587A2
        APIs
        • VariantInit.OLEAUT32(?), ref: 00D0A2D7
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • VariantClear.OLEAUT32(?), ref: 00D0A35B
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiVariantWide$ClearInit
        • String ID:
        • API String ID: 3205066715-0
        • Opcode ID: b15acae88bbf975ae787846e2f82264c0c899edc84833229946eac30c13d01d1
        • Instruction ID: 5f79826675f6a71a3f825cdd994b08fd70df1a994dff3090853bbc91ba63abac
        • Opcode Fuzzy Hash: b15acae88bbf975ae787846e2f82264c0c899edc84833229946eac30c13d01d1
        • Instruction Fuzzy Hash: 7621F8B1504701AFC210DF6AD884A5BB7F9EFD8710F148A1EF059C7250D775E905CB62
        APIs
        • Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,?,?,?,00000000,?,00CE8C5B,00000000,?,00000001), ref: 00CE710E
        • Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,?,?,?,00000000,?,00CE8C5B,00000000,?,00000001), ref: 00CE7183
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 1a037f9eee43b1d218da6c26248bb90459b5c94da3562531c172dca321cc3622
        • Instruction ID: 1cd9cd7aa0a7484189b910f9319f5af09a2172d62a8b5d2d777f0f77b5da3b2f
        • Opcode Fuzzy Hash: 1a037f9eee43b1d218da6c26248bb90459b5c94da3562531c172dca321cc3622
        • Instruction Fuzzy Hash: 924101307047546BCA24BB7A8C82F7EB296AF95740F204619F20ADB3A1DE64DD0193E2
        APIs
        • std::_String_base::_Xlen.LIBCPMT ref: 00CEB08C
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String_base::_Xlenstd::_
        • String ID:
        • API String ID: 1541887531-0
        • Opcode ID: 0672383fc62bee0c354efbb29f6a059a33eeb1e4e76b2528704f294be6db7bb7
        • Instruction ID: c26b2cfb9fbf2fc637663a18f215e054df5c7a147fcc80ce551363ca1f7dffad
        • Opcode Fuzzy Hash: 0672383fc62bee0c354efbb29f6a059a33eeb1e4e76b2528704f294be6db7bb7
        • Instruction Fuzzy Hash: AB21D8723046848FD724EA4EE58097FF3AADBD1710B50091EE1728B691D771BD4587A1
        APIs
        • SendMessageW.USER32(00000000), ref: 00D022ED
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 7345b3906290b8f7c781dbfe4b9d8c350f9f62e63d7e91934b205af58715e1ff
        • Instruction ID: 4e1134c345ec1aa9abce95c0f52d4929a0cce80426ec5b8dfc5801c073a2f119
        • Opcode Fuzzy Hash: 7345b3906290b8f7c781dbfe4b9d8c350f9f62e63d7e91934b205af58715e1ff
        • Instruction Fuzzy Hash: 9C217CB2605611AFC714DF64D880E2BB7E9EB88B60F10061EF95597390CB30ED05CBB2
        APIs
        • SHGetSpecialFolderPathW.SHELL32 ref: 00D1AA41
          • Part of subcall function 00D8614D: __onexit.MSVCRT ref: 00D86155
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FolderPathSpecial__onexit
        • String ID:
        • API String ID: 1587657709-0
        • Opcode ID: ef42883362bceb14bd8afa4c75def577587fc0a6ee8dd46dc78d33ddc18386bb
        • Instruction ID: 4bef6e104b9bd0754062f1697cb8e9581e6a89c4f10a91486c18900dbda6c4d7
        • Opcode Fuzzy Hash: ef42883362bceb14bd8afa4c75def577587fc0a6ee8dd46dc78d33ddc18386bb
        • Instruction Fuzzy Hash: 8B21D1B1549340EBE7109F24AD06B477FD4EB45714F080618F4459A3D2DBB9D444CBB3
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: b82459c5a4118072d5ad241b0a83fe6f05cc42a5474a84f6bba5e676a3fc06b2
        • Instruction ID: db5e06c37d11d999a6e21669dbb8b5bf728b219ff15c1cd4b6a620bc05d43298
        • Opcode Fuzzy Hash: b82459c5a4118072d5ad241b0a83fe6f05cc42a5474a84f6bba5e676a3fc06b2
        • Instruction Fuzzy Hash: 95016276605391AFE7148E09EC44B6BF3A8FF84721F04412AED55A3240D770EE1487B2
        APIs
        • CreateThread.KERNEL32(00000000,00000000,00D16C20,?,00000000,?), ref: 00D177B2
          • Part of subcall function 00D19670: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1969C
          • Part of subcall function 00D19C90: GetFileAttributesW.KERNEL32(?,00000010,00000000), ref: 00D19D7F
          • Part of subcall function 00D19C90: DeleteFileW.KERNEL32(?), ref: 00D19D8B
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$Attributes$CreateDeleteThread
        • String ID:
        • API String ID: 1886009219-0
        • Opcode ID: 9c8da6c3d51ca1210f27ba5fa2532a766c611dcb19778b249331e2b0d7531cb0
        • Instruction ID: 5258e1a9d6947906b26521ed435da4df7d8f875cd8b645804c08f482c4500b7f
        • Opcode Fuzzy Hash: 9c8da6c3d51ca1210f27ba5fa2532a766c611dcb19778b249331e2b0d7531cb0
        • Instruction Fuzzy Hash: FDF09071145300BAE6315724FC19BEBB6B5AB41B15F08051DF58A591D1EBB164C8C2B1
        APIs
        • CreateThread.KERNEL32(00000000,00000000,Function_00008B00,00000000), ref: 00CE8FDD
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateThread
        • String ID:
        • API String ID: 2422867632-0
        • Opcode ID: f8b7f06891267670c2112c018ceba55fe0ead2d2746de89837eecaa53a90fa5e
        • Instruction ID: 642e0842f1f0c096004d189cd04f7cb49ed7b48f7186baff4e41f137426e598f
        • Opcode Fuzzy Hash: f8b7f06891267670c2112c018ceba55fe0ead2d2746de89837eecaa53a90fa5e
        • Instruction Fuzzy Hash: D3F082B1645321EBE7208F99AC01B43BFE8EB04B21F10412AF55AD7390E7B4D804C7E9
        APIs
        • SendMessageW.USER32(00000000), ref: 00D01DC2
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 4e01bcb00e65991f97a1cb5ebb3aca35b471451fb4a754c4c1ca74a4182f7f5c
        • Instruction ID: 0a2405cb4836cb83cde1eae08ac943931db5bad592c04bfcc5f484d498ef4214
        • Opcode Fuzzy Hash: 4e01bcb00e65991f97a1cb5ebb3aca35b471451fb4a754c4c1ca74a4182f7f5c
        • Instruction Fuzzy Hash: DDF0E272200210AFE3209B24CC49F677B94DB80720F154525F2158F2E2CBB1D801CBF0
        APIs
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        • CreateThread.KERNEL32(00000000,00000000,Function_00023650,?,00000000,0000000F), ref: 00D04831
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateString_base::_ThreadXlenstd::_
        • String ID:
        • API String ID: 1129344639-0
        • Opcode ID: 356b77203459ec82f31bde7b1edc9c763b19a6695e0544165b1dce9e681e8397
        • Instruction ID: 32fde623ecb3701f832461071ed500a908231120b8fa1aef99a8d053633ab002
        • Opcode Fuzzy Hash: 356b77203459ec82f31bde7b1edc9c763b19a6695e0544165b1dce9e681e8397
        • Instruction Fuzzy Hash: 42F030321483207FE320DB54CC05F977BA4AB54720F104B0DB2AA562D0DBB0B404C7A5
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1969C
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$AttributesFile
        • String ID:
        • API String ID: 364578359-0
        • Opcode ID: 3ed9668b7be904957eb2ac36dd16a18c50c4ab9555c74f4b398614b4b78d9160
        • Instruction ID: 738a52dee830094ba7229a27ae07ee7466ec6e89634b29a8aaffafe287a9ffcb
        • Opcode Fuzzy Hash: 3ed9668b7be904957eb2ac36dd16a18c50c4ab9555c74f4b398614b4b78d9160
        • Instruction Fuzzy Hash: 0BE0D8B64553217BC200AF14BC016DF7798EF41321F480619FC58A7240E7359A5C87F7
        APIs
        • IsDialogMessageW.USER32(?,?), ref: 00D07029
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DialogMessage
        • String ID:
        • API String ID: 547518314-0
        • Opcode ID: 0c4781b78e072726d3c0dd049b4ccadca283abe2063dd1dc36b99ab8801d172a
        • Instruction ID: fe60de73cce8ef232a59eeb51c165d92cab07ab79ef06a8f1cd4d1488ac4b267
        • Opcode Fuzzy Hash: 0c4781b78e072726d3c0dd049b4ccadca283abe2063dd1dc36b99ab8801d172a
        • Instruction Fuzzy Hash: EAC08CB5800240AFD758CB00D8A4FF6B3A4EF54704F004C1DB540C3E09C2399C9ACB20
        APIs
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00D03D29,?,?), ref: 00CE3A57
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: acd9b5c621a6e4fb6da7e61468cfe6aacc00fbb75d9520da4149feb1b9050116
        • Instruction ID: f8f3c9c48ee6cfc52e9cafadabdd2792b28565fc9485f7fc4ef333ac4ce95313
        • Opcode Fuzzy Hash: acd9b5c621a6e4fb6da7e61468cfe6aacc00fbb75d9520da4149feb1b9050116
        • Instruction Fuzzy Hash: 12D0C974384300BBE6304B74DC4AF1677A0AB89B15F208A55F7A5FA2E0D7B1A9919B14
        APIs
        • FindCloseChangeNotification.KERNEL32(00000000,?,00D042F9,?), ref: 00CE3A8D
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 9c5e0e4ce8c82ec6ee667a33ac7280ef94279932f11a51d8f6a0ea060441bc72
        • Instruction ID: 67cb4bfdd7f89a26724bfffeca431b9356fae5d2846fc3e0b5ec2454973c0107
        • Opcode Fuzzy Hash: 9c5e0e4ce8c82ec6ee667a33ac7280ef94279932f11a51d8f6a0ea060441bc72
        • Instruction Fuzzy Hash: 2BD0C7352543519BD7109F7DFC48455B7989F553747104B6AE4F4E33E0D33099914B54
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: __onexit
        • String ID:
        • API String ID: 1448380652-0
        • Opcode ID: 18df6e88158e6ef15c1797887b805ccb06412361fbc7add706a09e5bbcfb0787
        • Instruction ID: 8ea6f9bd2d4639bdb12c2605261378f9ecfc086a5760b72cdb942e8e3a4b2964
        • Opcode Fuzzy Hash: 18df6e88158e6ef15c1797887b805ccb06412361fbc7add706a09e5bbcfb0787
        • Instruction Fuzzy Hash: A3B0923209810E2A5E2069B6E805C353A89C6D16B17501222F40DCA4A1DD62D81551A4
        Memory Dump Source
        • Source File: 00000000.00000002.4607071089.0000000009AD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 09AD0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3b6bf67b360ee758fedcd232b4440686b8f418a8af1c5891de60949bc9d3fe85
        • Instruction ID: 4db81f232adc671486a44972e1313d7e14199d170cbda7c56c6014d57aecd932
        • Opcode Fuzzy Hash: 3b6bf67b360ee758fedcd232b4440686b8f418a8af1c5891de60949bc9d3fe85
        • Instruction Fuzzy Hash: 5E52DD30A06215DFDB24CF84C891B69B3B5FF88B54F15805AED266B356C771EC42CBA1
        Memory Dump Source
        • Source File: 00000000.00000002.4606848874.0000000009A10000.00000010.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e7a459ed6dcab961a6b50d07d8bbf35c19cecd138bdd1e6825e6ca3582f51178
        • Instruction ID: 29ef40d6ad3d64bd86e61066eae1e1e71934b733a3a5730cd108ab7eee8fff46
        • Opcode Fuzzy Hash: e7a459ed6dcab961a6b50d07d8bbf35c19cecd138bdd1e6825e6ca3582f51178
        • Instruction Fuzzy Hash:
        APIs
        • GetLastError.KERNEL32(AcquireCredentialsHandle,?,00000000), ref: 00D7C8AE
        Strings
        • SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 00D7CB6B
        • SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00D7CCD7
        • SEC_I_LOCAL_LOGON, xrefs: 00D7CCA9
        • SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 00D7CAD5
        • SEC_E_KDC_CERT_EXPIRED, xrefs: 00D7CA2B
        • SEC_E_ENCRYPT_FAILURE, xrefs: 00D7C9BD
        • SEC_E_NOT_OWNER, xrefs: 00D7CA8F
        • SEC_E_UNSUPPORTED_PREAUTH, xrefs: 00D7CBB1
        • SEC_I_COMPLETE_NEEDED, xrefs: 00D7CC94
        • AcquireCredentialsHandle, xrefs: 00D7C8A6
        • SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 00D7CB61
        • SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 00D7CA53
        • SEC_E_NO_TGT_REPLY, xrefs: 00D7CADF
        • SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 00D7CB4D
        • SEC_E_WRONG_PRINCIPAL, xrefs: 00D7CBCF
        • SEC_E_ILLEGAL_MESSAGE, xrefs: 00D7C9C7
        • SEC_E_QOP_NOT_SUPPORTED, xrefs: 00D7CB11
        • SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 00D7CB93
        • SEC_E_LOGON_DENIED, xrefs: 00D7CA5D
        • SEC_I_NO_LSA_CONTEXT, xrefs: 00D7CCB0
        • %s - %s, xrefs: 00D7CD03
        • SEC_E_CANNOT_INSTALL, xrefs: 00D7C945
        • SEC_I_RENEGOTIATE, xrefs: 00D7CCB7
        • SEC_E_NO_IP_ADDRESSES, xrefs: 00D7CAB7
        • SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 00D7CA21
        • SEC_E_REVOCATION_OFFLINE_C, xrefs: 00D7CB1B
        • SEC_E_TOO_MANY_PRINCIPALS, xrefs: 00D7CB89
        • SEC_E_KDC_UNABLE_TO_REFER, xrefs: 00D7CA49
        • SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 00D7CB25
        • SEC_E_CERT_WRONG_USAGE, xrefs: 00D7C96D
        • SEC_E_DOWNGRADE_DETECTED, xrefs: 00D7C9B3
        • SEC_E_KDC_INVALID_REQUEST, xrefs: 00D7CA3F
        • SEC_E_ALGORITHM_MISMATCH, xrefs: 00D7C91D
        • SEC_E_CERT_UNKNOWN, xrefs: 00D7C963
        • SEC_E_TIME_SKEW, xrefs: 00D7CB7F
        • CRYPT_E_REVOKED, xrefs: 00D7CBD9
        • SEC_E_INVALID_TOKEN, xrefs: 00D7CA0D
        • SEC_E_NO_KERB_KEY, xrefs: 00D7CAC1
        • SEC_E_NO_IMPERSONATION, xrefs: 00D7CAAD
        • SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 00D7C98B
        • SEC_E_INCOMPLETE_MESSAGE, xrefs: 00D7C9DB
        • SEC_E_MULTIPLE_ACCOUNTS, xrefs: 00D7CA7B
        • No error, xrefs: 00D7CC60
        • SEC_E_UNKNOWN_CREDENTIALS, xrefs: 00D7CB9D
        • SEC_I_CONTINUE_NEEDED, xrefs: 00D7CBDF, 00D7CC6A
        • SEC_E_SECPKG_NOT_FOUND, xrefs: 00D7CB2F
        • SEC_E_INVALID_HANDLE, xrefs: 00D7C9F9
        • SEC_E_CONTEXT_EXPIRED, xrefs: 00D7C977
        • SEC_E_INVALID_PARAMETER, xrefs: 00D7CA03
        • SEC_E_DECRYPT_FAILURE, xrefs: 00D7C995
        • SEC_I_SIGNATURE_NEEDED, xrefs: 00D7CCBE
        • SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 00D7C981
        • SEC_E_BAD_BINDINGS, xrefs: 00D7C927
        • SEC_E_MUST_BE_KDC, xrefs: 00D7CA85
        • SEC_I_COMPLETE_AND_CONTINUE, xrefs: 00D7CC8D
        • SEC_I_CONTEXT_EXPIRED, xrefs: 00D7CC9B
        • SEC_E_CERT_EXPIRED, xrefs: 00D7C959
        • SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 00D7CBC5
        • SEC_E_SECURITY_QOS_FAILED, xrefs: 00D7CB39
        • SEC_E_CANNOT_PACK, xrefs: 00D7C94F
        • SEC_E_DELEGATION_REQUIRED, xrefs: 00D7C9A9
        • SEC_E_KDC_CERT_REVOKED, xrefs: 00D7CA35
        • SEC_E_INSUFFICIENT_MEMORY, xrefs: 00D7C9E5
        • SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 00D7CCA2
        • SEC_E_NO_PA_DATA, xrefs: 00D7CACB
        • Unknown error, xrefs: 00D7CCC5
        • SEC_E_OUT_OF_SEQUENCE, xrefs: 00D7CAE9
        • %s (0x%08X), xrefs: 00D7CBE0
        • SEC_E_UNSUPPORTED_FUNCTION, xrefs: 00D7CBA7
        • SEC_E_NO_CREDENTIALS, xrefs: 00D7CAA3
        • SEC_E_TARGET_UNKNOWN, xrefs: 00D7CB75
        • SEC_E_MESSAGE_ALTERED, xrefs: 00D7CA71
        • SEC_E_INTERNAL_ERROR, xrefs: 00D7C9EF
        • SEC_E_UNTRUSTED_ROOT, xrefs: 00D7CBBB
        • SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 00D7CA67
        • SEC_E_BUFFER_TOO_SMALL, xrefs: 00D7C93B
        • SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 00D7CB43
        • SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 00D7C9D1
        • SEC_E_DELEGATION_POLICY, xrefs: 00D7C99F
        • SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 00D7CB57
        • SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 00D7CA99
        • SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 00D7CAF3
        • SEC_E_POLICY_NLTM_ONLY, xrefs: 00D7CB07
        • SEC_E_BAD_PKGID, xrefs: 00D7C931
        • SEC_E_PKINIT_NAME_MISMATCH, xrefs: 00D7CAFD
        • SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 00D7CA17
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast
        • String ID: %s (0x%08X)$%s - %s$AcquireCredentialsHandle$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
        • API String ID: 1452528299-2953340572
        • Opcode ID: f365177da4bb017d5e6f5025def2022e67de2fe0c945a9eec21fa354bf1f223f
        • Instruction ID: 5f2a727d37089655383e830281e398f3315e3264421a6e5fdffbf3fb98e0df2a
        • Opcode Fuzzy Hash: f365177da4bb017d5e6f5025def2022e67de2fe0c945a9eec21fa354bf1f223f
        • Instruction Fuzzy Hash: B7A115A2628240EFC3324A9C4869575A656E787340B28ED2FF58FCB340F616CE466777
        APIs
        • CopyRect.USER32(?,?), ref: 00D00986
        • SetBkMode.GDI32(?,00000001), ref: 00D0098F
        • CreateSolidBrush.GDI32(00000000), ref: 00D009AD
        • FrameRect.USER32(?,?,00000000), ref: 00D009B8
        • InflateRect.USER32(?,000000FF,000000FF), ref: 00D009C7
        • DeleteObject.GDI32(00000000), ref: 00D009D2
        • GetSysColor.USER32(00000010), ref: 00D00A22
        • CreateSolidBrush.GDI32(00000000), ref: 00D00A29
        • FrameRect.USER32(?,?,00000000), ref: 00D00A34
        • DeleteObject.GDI32(00000000), ref: 00D00A43
        • GetSysColor.USER32(00000014), ref: 00D00A56
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00D00A63
        • GetSysColor.USER32(00000016), ref: 00D00A6B
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00D00A72
        • GetSysColor.USER32(00000010), ref: 00D00A7A
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00D00A81
        • GetSysColor.USER32(00000015), ref: 00D00A89
        • CreatePen.GDI32(00000000,00000000,00000000), ref: 00D00A90
        • GetSysColor.USER32(00000010), ref: 00D00AB1
        • GetSysColor.USER32(00000014), ref: 00D00AB6
        • SelectObject.GDI32(?,?), ref: 00D00AD8
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00D00AEC
        • LineTo.GDI32(?,?,?), ref: 00D00B03
        • LineTo.GDI32(?,?,?), ref: 00D00B10
        • SelectObject.GDI32(?,?), ref: 00D00B18
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00D00B29
        • LineTo.GDI32(?,?,?), ref: 00D00B3C
        • LineTo.GDI32(?,?,?), ref: 00D00B4A
        • SelectObject.GDI32(?,DFD45DFC), ref: 00D00B52
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00D00B62
        • LineTo.GDI32(?,?,?), ref: 00D00B75
        • LineTo.GDI32(?,?,?), ref: 00D00B84
        • SelectObject.GDI32(?,?), ref: 00D00B8C
        • MoveToEx.GDI32(?,?,?,00000000), ref: 00D00B9F
        • LineTo.GDI32(?,?,?), ref: 00D00BB6
        • LineTo.GDI32(?,?,?), ref: 00D00BC6
        • SelectObject.GDI32(?,?), ref: 00D00BCE
        • DeleteObject.GDI32(DFD45DFC), ref: 00D00BDF
        • DeleteObject.GDI32(?), ref: 00D00BEA
        • DeleteObject.GDI32(?), ref: 00D00BF5
        • DeleteObject.GDI32(?), ref: 00D00C00
        • GetWindowTextLengthW.USER32(?), ref: 00D00C14
        • GetWindowTextW.USER32(?,?,00000001), ref: 00D00C44
        • CopyRect.USER32(?,?), ref: 00D00C54
        • SetBkColor.GDI32(?,00FFFFFF), ref: 00D00CA3
        • OffsetRect.USER32(?,00000001,00000001), ref: 00D00CF9
        • DrawTextW.USER32(?,?,000000FF,?,00000411), ref: 00D00D29
        • OffsetRect.USER32(?,?,?), ref: 00D00D61
        • SetBkMode.GDI32(?,00000001), ref: 00D00D66
        • OffsetRect.USER32(?,00000001,00000001), ref: 00D00D7C
        • GetSysColor.USER32(00000014), ref: 00D00D80
        • SetTextColor.GDI32(?,00000000), ref: 00D00D88
        • DrawTextW.USER32(?,?,000000FF,?,00000011), ref: 00D00D99
        • OffsetRect.USER32(?,000000FF,000000FF), ref: 00D00DA8
        • GetSysColor.USER32(00000010), ref: 00D00DAC
        • SetTextColor.GDI32(?,00000000), ref: 00D00DB4
        • DrawTextW.USER32(?,?,000000FF,?,00000011), ref: 00D00DF8
        • InflateRect.USER32(?,000000FD,000000FD), ref: 00D00E36
        • DrawFocusRect.USER32(?,?), ref: 00D00E42
        • InterlockedDecrement.KERNEL32(?), ref: 00D00E5C
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Color$ObjectRect$Line$Text$CreateDelete$Select$DrawMoveOffset$BrushCopyFrameInflateModeSolidWindow$DecrementFocusInterlockedLength
        • String ID:
        • API String ID: 954328197-0
        • Opcode ID: 7fe244bad9de0a21befa5d2c9b166112ead78e2727070b09a3eeddd50357d68a
        • Instruction ID: 9453bf88486c0dfa657939e729446763aae990569e8859a6a0cc9139873e3c73
        • Opcode Fuzzy Hash: 7fe244bad9de0a21befa5d2c9b166112ead78e2727070b09a3eeddd50357d68a
        • Instruction Fuzzy Hash: 5C024971209344BFE744DB68CC89FAFBBA8EF89714F044609FA9583291DA749845CB72
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s?%s$%x$*$0$100-continue$;type=$;type=%c$?%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$OPTIONS$POST$PUT$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp$ftp://%s:%s@%s$http$multipart/form-data$upload completely sent off: %I64d out of %I64d bytes
        • API String ID: 0-908190744
        • Opcode ID: 56d33f7b0d6435da1d6cc29e61e374abdbdc2a9f6d7594395d5a299ee6b111d5
        • Instruction ID: 71f083a166943b95d99ebaf9065430f5e2a8f869a8720d03bc6d49c2fb74972b
        • Opcode Fuzzy Hash: 56d33f7b0d6435da1d6cc29e61e374abdbdc2a9f6d7594395d5a299ee6b111d5
        • Instruction Fuzzy Hash: 9DE2C375604701ABD724DF68DC82BA7B7E8EB44305F48862DF95D86282F770E948CB72
        Strings
        • schannel: Failed to read cert file %s, xrefs: 00D6B202
        • Microsoft Unified Security Protocol Provider, xrefs: 00D6B508
        • schannel: Failed to import cert file %s, password is bad, xrefs: 00D6B2CB
        • schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00D6B855
        • schannel: SNI or certificate check failed: %s, xrefs: 00D6B761
        • schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 00D6B30C
        • schannel: unable to allocate memory, xrefs: 00D6B4A5, 00D6B662
        • Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00D6B0BD
        • schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 00D6B361
        • schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00D6AEBD
        • Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 00D6B58E
        • schannel: using IP address, SNI is not supported by OS., xrefs: 00D6B5EF
        • schannel: initial InitializeSecurityContext failed: %s, xrefs: 00D6B71F, 00D6B7A3
        • schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00D6AE54
        • schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00D6B3D3
        • schannel: AcquireCredentialsHandle failed: %s, xrefs: 00D6B541
        • schannel: Failed to get certificate location or file for %s, xrefs: 00D6B14A
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: Microsoft Unified Security Protocol Provider$Unable to set ciphers to passed via SSL_CONN_CONFIG$Unrecognized parameter passed via CURLOPT_SSLVERSION$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.
        • API String ID: 0-2937074896
        • Opcode ID: 185423d69e55d1a0b7b20c129217d0c2fec3737727555abcfa17ef7a3bbe4fc3
        • Instruction ID: ebcab035166282f14428588c989cc2285faae598ee486221fc579471748eba8e
        • Opcode Fuzzy Hash: 185423d69e55d1a0b7b20c129217d0c2fec3737727555abcfa17ef7a3bbe4fc3
        • Instruction Fuzzy Hash: 8E52B071644301AFD720DF68D881BAAB7E8FB88310F44452EF94997281EB35E944CBB2
        APIs
        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00D810B3
        • GetLastError.KERNEL32(?,00000100), ref: 00D810C7
          • Part of subcall function 00D7C800: GetLastError.KERNEL32(?,?,00000000), ref: 00D7C868
          • Part of subcall function 00D7C800: SetLastError.KERNEL32(?,?,?,00000000), ref: 00D7C877
        • GetLastError.KERNEL32(?,00000100,00000002,?,00000000,00000000), ref: 00D81045
          • Part of subcall function 00D7C800: GetLastError.KERNEL32(00000000,00000000,00000000,?), ref: 00D7C805
        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000002,?,00000000,00000000), ref: 00D8107F
        • GetLastError.KERNEL32(?,00000100), ref: 00D81098
        • CloseHandle.KERNEL32(?), ref: 00D8135B
        Strings
        • schannel: invalid path name for CA file '%s': %s, xrefs: 00D81053
        • M, xrefs: 00D812FA
        • -----BEGIN CERTIFICATE-----, xrefs: 00D811A8
        • schannel: failed to open CA file '%s': %s, xrefs: 00D810A6
        • schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 00D8131C
        • schannel: added %d certificate(s) from CA file '%s', xrefs: 00D81348
        • schannel: CA file exceeds max size of %u bytes, xrefs: 00D8110D
        • schannel: CA file '%s' is not correctly formatted, xrefs: 00D812AF
        • schannel: failed to determine size of CA file '%s': %s, xrefs: 00D810D5
        • -----END CERTIFICATE-----, xrefs: 00D811D2
        • schannel: failed to read from CA file '%s': %s, xrefs: 00D8128B
        • schannel: failed to extract certificate from CA file '%s': %s, xrefs: 00D812E2
        • M, xrefs: 00D812BD
        • schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 00D812EF
        • schannel: did not add any certificates from CA file '%s', xrefs: 00D81333
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast$File$CloseCreateHandleSize
        • String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$M$M$schannel: CA file '%s' is not correctly formatted$schannel: CA file exceeds max size of %u bytes$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to determine size of CA file '%s': %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
        • API String ID: 1770132416-1457334975
        • Opcode ID: 28f9b3b5424656348a7719f290f5e606616c395bf25560cea4ffcc4c6b5de277
        • Instruction ID: df439c9a6be92628e4126f3f36a6b7514d13e86b8719b83f3e2403762701ec4b
        • Opcode Fuzzy Hash: 28f9b3b5424656348a7719f290f5e606616c395bf25560cea4ffcc4c6b5de277
        • Instruction Fuzzy Hash: 1491ACB5504340AFD210EF64DC85A6FB7ECEB89B44F444A1DF685D3240E7B4EA098BB6
        APIs
        • lstrcmpiW.KERNEL32(?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D13329
        • lstrcmpiW.KERNEL32(?,ForceRemove,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D13338
        • CharNextW.USER32(?,?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D13383
        • lstrlenW.KERNEL32(?,?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D13400
        • lstrcmpiW.KERNEL32(?,NoRemove,?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126), ref: 00D1345B
        • lstrcmpiW.KERNEL32(?,Val,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D13483
        • RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,Delete,?,DFD45DFC), ref: 00D1355D
        • RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D13575
        • CharNextW.USER32(?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D135A8
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?,?,?,?,?,Delete,?,DFD45DFC), ref: 00D135E2
        • RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D135F7
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,Delete,?,DFD45DFC), ref: 00D13644
        • RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D1365F
          • Part of subcall function 00D120C0: CharNextW.USER32 ref: 00D120FD
          • Part of subcall function 00D120C0: CharNextW.USER32(00000000), ref: 00D1211D
          • Part of subcall function 00D120C0: CharNextW.USER32(00000000), ref: 00D12136
          • Part of subcall function 00D120C0: CharNextW.USER32 ref: 00D1213D
          • Part of subcall function 00D120C0: CharNextW.USER32(00000000), ref: 00D1218B
        • lstrlenW.KERNEL32(?,?), ref: 00D13731
        • RegCloseKey.ADVAPI32(?,?), ref: 00D1381B
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00D13857
          • Part of subcall function 00D123C0: RegCloseKey.ADVAPI32 ref: 00D123CA
        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,Delete,?,DFD45DFC,?,?,?,?,?,00D8B126,000000FF), ref: 00D138FD
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CharNext$Close$lstrcmpi$Deletelstrlen$CreateOpenValue
        • String ID: Delete$ForceRemove$NoRemove$Val
        • API String ID: 294063509-1781481701
        • Opcode ID: 2f4aa5b5ead3eef533b6eff00309bb6dd509ff4224bb8360798f6c3ccd736e10
        • Instruction ID: e22ffb778fb9d7e3b728a0147783494406ba61491702536758600814a0757f97
        • Opcode Fuzzy Hash: 2f4aa5b5ead3eef533b6eff00309bb6dd509ff4224bb8360798f6c3ccd736e10
        • Instruction Fuzzy Hash: 76028271508355BBC724EF65A845AAFB6E8EF85B40F44092EF44693241DF74CE84CBB2
        APIs
        Strings
        • getsockname() failed with errno %d: %s, xrefs: 00D658FF
        • ost!, xrefs: 00D65649
        • Couldn't bind to interface '%s', xrefs: 00D656E7
        • Name '%s' family %i resolved to '%s' family %i, xrefs: 00D65795
        • Bind to local port %hu failed, trying next, xrefs: 00D65875
        • Couldn't bind to '%s', xrefs: 00D65955
        • Local port: %hu, xrefs: 00D659CB
        • bind failed with errno %d: %s, xrefs: 00D65A0E
        • Local Interface %s is ip %s using address family %i, xrefs: 00D656C5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: bindhtons
        • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s$ost!
        • API String ID: 791846173-1513509431
        • Opcode ID: da600d9e4e06674f763e62996e9cf879d229b7dddc3269387fdcd7b086bff9fa
        • Instruction ID: 203e303e4394484b4dfe040a718f8ac72bebfabdc21b8a4691afe1129472f011
        • Opcode Fuzzy Hash: da600d9e4e06674f763e62996e9cf879d229b7dddc3269387fdcd7b086bff9fa
        • Instruction Fuzzy Hash: 87D1C071504701AFD720DF64EC45BAB77E8EF89304F148919F88997245EB70E949CBB2
        APIs
        • FreeLibrary.KERNEL32(?), ref: 00D27988
        • FreeLibrary.KERNEL32(?), ref: 00D27992
        • RtlEnterCriticalSection.NTDLL(00DB7434), ref: 00D279A6
        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00D279BC
        • RtlLeaveCriticalSection.NTDLL(00DB7434), ref: 00D27B1D
        • TerminateThread.KERNEL32(?,00000001), ref: 00D27B37
        • CloseHandle.KERNEL32(?), ref: 00D27B4A
        • RtlDeleteCriticalSection.NTDLL(?), ref: 00D27B59
        • CloseHandle.KERNEL32(?), ref: 00D27B62
        • CloseHandle.KERNEL32(?), ref: 00D27B6B
        • InterlockedDecrement.KERNEL32(00DB7454), ref: 00D27B72
        • RtlDeleteCriticalSection.NTDLL(00DB7434), ref: 00D27B81
        Strings
        • warning: removing Breakpad handler out of order, xrefs: 00D27A26
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$CloseHandle$DeleteFreeLibrary$DecrementEnterExceptionFilterInterlockedLeaveTerminateThreadUnhandled
        • String ID: warning: removing Breakpad handler out of order
        • API String ID: 1612214688-3173292377
        • Opcode ID: a5209605369fb67b2536e85422655df017c7c638585a0c4e95d2fc85345bf5ec
        • Instruction ID: 3ad31412d0ac1ce6584ce911a6ef56f920d89db465463cc2e7face436547bdea
        • Opcode Fuzzy Hash: a5209605369fb67b2536e85422655df017c7c638585a0c4e95d2fc85345bf5ec
        • Instruction Fuzzy Hash: 83719C71604B14DBC630EF79F885A2AB7A5FFA4318B18491DE99A83211DB31F944CB72
        APIs
        • socket.WS2_32 ref: 00D683B1
        • htonl.WS2_32(7F000001), ref: 00D683F0
        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000010,00000004), ref: 00D6841D
        • bind.WS2_32(00000000,00000001,00000010), ref: 00D68434
        • getsockname.WS2_32(00000000,00000001,00000006), ref: 00D6844E
        • listen.WS2_32(00000000,00000001), ref: 00D68460
        • socket.WS2_32(00000002,00000001,00000000), ref: 00D68475
        • connect.WS2_32(00000000,00000001,00000010), ref: 00D6848A
        • accept.WS2_32(00000000,00000000,00000000), ref: 00D6849E
        • send.WS2_32(?,?,?,00000000), ref: 00D684E6
        • recv.WS2_32(FFFFFFFF,?,0000000C,00000000), ref: 00D684FD
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: socket$acceptbindconnectgetsocknamehtonllistenrecvsendsetsockopt
        • String ID:
        • API String ID: 3412115556-0
        • Opcode ID: d2c627878bf996ac3aca73509f9ee1314359b8952a820a474b85830f296a79a5
        • Instruction ID: fd9ccff8bf1b6b3023e9cd0a9026c616712ebe07d65863cbf1099c84eb3119e1
        • Opcode Fuzzy Hash: d2c627878bf996ac3aca73509f9ee1314359b8952a820a474b85830f296a79a5
        • Instruction Fuzzy Hash: 7751C471604300ABD710DF789C85B7AB7A9EF84324F544F1AF2A6D62D0EB71D9098B72
        APIs
          • Part of subcall function 00CF8CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CF8D3A
        • GetVersionExW.KERNEL32 ref: 00CF0DAB
          • Part of subcall function 00D1A5F0: RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1A650
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ios_base_dtorOpenString_base::_VersionXlenstd::_std::ios_base::_
        • String ID: '$/$0$1$2$3$4$9$:$installId$installId2
        • API String ID: 400326413-1781109313
        • Opcode ID: 9b30296bebd275c10a2f49f0c745d1fbcf61fb3f219cb3e7634b7c105fd110fd
        • Instruction ID: c78bd564fef407387de1590df273f9cf8453765a1f07617c0c1123fe356060d9
        • Opcode Fuzzy Hash: 9b30296bebd275c10a2f49f0c745d1fbcf61fb3f219cb3e7634b7c105fd110fd
        • Instruction Fuzzy Hash: 8E22FAB1849B849ED361DF2A8491BD7FBE8BFA5304F44491EE1EE83252CB706144CB66
        APIs
        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,00000000,0000000F,00000000), ref: 00D47B2C
        • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?,?,?,?,00000000,0000000F,00000000), ref: 00D47B47
        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,00000000,0000000F,00000000), ref: 00D47B57
        • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,00000000,0000000F,00000000), ref: 00D47B9B
        • CryptDestroyHash.ADVAPI32(?,?,?,?,00000000,0000000F,00000000), ref: 00D47BAA
        • CryptReleaseContext.ADVAPI32(00000002,00000000), ref: 00D47BB6
        • CryptGetHashParam.ADVAPI32 ref: 00D47C12
        • CryptDestroyHash.ADVAPI32(?), ref: 00D47C21
        • CryptDestroyHash.ADVAPI32(?), ref: 00D47C34
        • CryptReleaseContext.ADVAPI32(00000002,00000000), ref: 00D47C40
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Crypt$Hash$Context$DestroyRelease$AcquireCreateDataParam
        • String ID:
        • API String ID: 1920540483-3916222277
        • Opcode ID: 01b38e3918c725114c2b177d78e77139e68ebe41698a6e76a6d221b38642648e
        • Instruction ID: 796b2186d7cb2adef1aee68565099cb3da4d80bad0727023c2aeff4568a63ac3
        • Opcode Fuzzy Hash: 01b38e3918c725114c2b177d78e77139e68ebe41698a6e76a6d221b38642648e
        • Instruction Fuzzy Hash: 887160B1608340AFD724DF68D884A6BB7EAEF98300F54491EF18AC7251D770D948CBB2
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 5$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$Error text not found (please report)$LF)$UCP)$UTF8)$^$no error
        • API String ID: 0-2564216060
        • Opcode ID: fba2795be6f2882e03c45d1c31346a83dc0cf00a8e4cd5f5834942da0329fea6
        • Instruction ID: 454d6f5001b697ea9ca82e3f6883a96a23c44c48f11465be7ffa72ed75f3d880
        • Opcode Fuzzy Hash: fba2795be6f2882e03c45d1c31346a83dc0cf00a8e4cd5f5834942da0329fea6
        • Instruction Fuzzy Hash: 6B32C3B16087419BDB258F28C84176ABBE5EF84345F184A2DFCD9C7291E774CA48CB72
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: "col$1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-1632682491
        • Opcode ID: 6733ac3907e4ebc2db78f7964d87a0787f3421ae0f64df7a2103d8f9880b1600
        • Instruction ID: 06cd590ec6f675f3b061a0c0577a7677a7e18397a1400a1a3c7d0804381bbd9e
        • Opcode Fuzzy Hash: 6733ac3907e4ebc2db78f7964d87a0787f3421ae0f64df7a2103d8f9880b1600
        • Instruction Fuzzy Hash: B6D2892202DBC21ECF159E349B5B6B6BF69FB13B1171C12CEC4924B4B396105E12D7B9
        APIs
        • CertFindExtension.CRYPT32(2.5.29.17,?,?), ref: 00D81434
        • CryptDecodeObjectEx.CRYPT32(00010001,2.5.29.17,?,?), ref: 00D81488
        Strings
        • 2.5.29.17, xrefs: 00D8142F, 00D8147E
        • schannel: Not enough memory to list all host names., xrefs: 00D81552
        • schannel: Null certificate context., xrefs: 00D813EC
        • schannel: CertFindExtension() returned no extension., xrefs: 00D81442
        • schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00D81496
        • schannel: Empty DNS name., xrefs: 00D814D9
        • schannel: Null certificate info., xrefs: 00D8140F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CertCryptDecodeExtensionFindObject
        • String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.
        • API String ID: 511918498-2160583098
        • Opcode ID: 3170836b8fa5ae6571aff41b9ec6e1f8853fab1b1222441bfb37cf30f7870f2b
        • Instruction ID: 8a8b8c83dbda9f804237123a6ea42cd3a3ec7a13a8dcc700e4276ef46a8fe1f5
        • Opcode Fuzzy Hash: 3170836b8fa5ae6571aff41b9ec6e1f8853fab1b1222441bfb37cf30f7870f2b
        • Instruction Fuzzy Hash: DC51F576644301AFC710EF58DC8196AB7E8EBC9714F88496EF58587201E3B1D94DCBB2
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 4ee71428fd716692cc287c0a62f0ea2d745c4cf4a5d87c6ef6c53b0d5a357c48
        • Instruction ID: c10c2a08417406f8971e3c8f966bb4c1acbc555c0afb722fe9b83b868be7298e
        • Opcode Fuzzy Hash: 4ee71428fd716692cc287c0a62f0ea2d745c4cf4a5d87c6ef6c53b0d5a357c48
        • Instruction Fuzzy Hash: 38D2AA2202DBC21ECF159E389B5B676BF69FB13B2171C12CEC4924B4B396105E12D7B9
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: fbff11e3503e700fdb1df3ef39f767ead67d71d4207af69a4d5aa0a032bf2207
        • Instruction ID: 4334bdcbea1f1d9ac9e11c318f0d8a460e6e80b074262f6808a2e5f7740a1ebc
        • Opcode Fuzzy Hash: fbff11e3503e700fdb1df3ef39f767ead67d71d4207af69a4d5aa0a032bf2207
        • Instruction Fuzzy Hash: 1FD2AB2202DBC21ECF159E389B5B676BF69FB13B1171C12CEC4924B4B396105E12D7B9
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: e15ee039db857ba162f08b2378a7b2b771bd63e057a41d5c5c0045b500a91768
        • Instruction ID: 6f2da21b09ed88a8e6824a8090a24a2c2384cfc756ca09191f8459bc0c5ba856
        • Opcode Fuzzy Hash: e15ee039db857ba162f08b2378a7b2b771bd63e057a41d5c5c0045b500a91768
        • Instruction Fuzzy Hash: 1CD2AC2202DBC21ECF199E389B5B6B6BF69FB13B1171C12CEC4924B47396105E12D7B9
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 4feddc7a0094f16962da52260b57e210fc232550798480b40df0ffdd777f735c
        • Instruction ID: 8b0784b6945e63d8e3d0df79f3e647eccf25da90772996912a975de26a22c6c1
        • Opcode Fuzzy Hash: 4feddc7a0094f16962da52260b57e210fc232550798480b40df0ffdd777f735c
        • Instruction Fuzzy Hash: A0D29C2202DBC21ECF199E389B5B676BF69FB13B2171C12CEC4924B47396105E12D7B9
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: a9807fd53ef3e8b819ad9e46b507217882ba075e1c04b2128d26fb600501bad1
        • Instruction ID: 1f8adb0fcc6f7306bbd051123c8079ed17ffbdc3d1a92d2314e31a6f71652be6
        • Opcode Fuzzy Hash: a9807fd53ef3e8b819ad9e46b507217882ba075e1c04b2128d26fb600501bad1
        • Instruction Fuzzy Hash: 33C2AC2202DBC22ECF199E389B5B676BF68FB13B2171C16CFC4914A47396105E12D7B9
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 668aabfb295d39e1df5a745335dd6105489da5cddb6a7077d77556417ac9efad
        • Instruction ID: 982a74de007596dcbf8ae9d4e9b42e01f6bc796967905f0830d92f36886eb5c8
        • Opcode Fuzzy Hash: 668aabfb295d39e1df5a745335dd6105489da5cddb6a7077d77556417ac9efad
        • Instruction Fuzzy Hash: F0C2BD2202DBC22DCF199E389B5B676BF69FB03B2171C16CFC4914A47396105E12D7BA
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: 1 /a$2378$730$avas$n IL$n IL$n YA$n YA$y YA$y YA
        • API String ID: 0-3000818156
        • Opcode ID: 168fe6211d575081c69c73b9e9d654f2bac96ff5b6a2421574747c3a3d2be23f
        • Instruction ID: 817b8424bd8929bae28fa180dc357dfd9b63be37ef65aa3ed73cc3e37b588400
        • Opcode Fuzzy Hash: 168fe6211d575081c69c73b9e9d654f2bac96ff5b6a2421574747c3a3d2be23f
        • Instruction Fuzzy Hash: AAB2BB3202D7C22DCF299E289B5B6B6BF69FB03F2171C16CFC4914A47395105E12D6BA
        APIs
        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,?,F0000040), ref: 00D6C966
        • CryptCreateHash.ADVAPI32(?,?,00000000,00000000), ref: 00D6C986
        • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00D6C9A0
        • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000,?,?,?,?,00000000), ref: 00D6C9C3
        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000004,?,?,00000000,?,?,?,?,00000000), ref: 00D6C9DE
        • CryptDestroyHash.ADVAPI32(00000000), ref: 00D6C9E9
        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D6C9FA
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
        • String ID:
        • API String ID: 3606780921-0
        • Opcode ID: 85ea8a0c6e8ae69882d5445b168d54ef37f6bd5a41de19a257c3fd5540960995
        • Instruction ID: b17061fce3fa733082780548ca335ab8ac2f66e45cca572170bd54b47cae021c
        • Opcode Fuzzy Hash: 85ea8a0c6e8ae69882d5445b168d54ef37f6bd5a41de19a257c3fd5540960995
        • Instruction Fuzzy Hash: F621E5B0258301ABE720DF65DC46F2BB7E8AF84B45F44480DB685D6281DB74E908CBB6
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: %%25%s]$%ld$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
        • API String ID: 0-1832275178
        • Opcode ID: c4aa70fe5bea8988ad86ca243e5388ca2ae78c1bd9ee298f0ef438ec69f5bcb6
        • Instruction ID: e402b05aad9ead3d109b019f5c1763d3fe8ea7e866be91868795aca503826f82
        • Opcode Fuzzy Hash: c4aa70fe5bea8988ad86ca243e5388ca2ae78c1bd9ee298f0ef438ec69f5bcb6
        • Instruction Fuzzy Hash: 9BF18B726047419FD726DF59988062BB7E4EF89350F48892DE9898B341FB71EC048BB2
        APIs
        • PathCombineW.SHLWAPI ref: 00D25276
        • FindFirstFileW.KERNEL32(?,?), ref: 00D25289
        • PathCombineW.SHLWAPI(?,?,?), ref: 00D252C0
        • FindNextFileW.KERNEL32(00000000,?), ref: 00D25320
        • FindClose.KERNEL32(00000000), ref: 00D2532F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Find$CombineFilePath$CloseFirstNext
        • String ID:
        • API String ID: 318233686-0
        • Opcode ID: 74644ed37dcbbd7b273b72cfcbcf1fe960b5ccc3e91e00f90acecf4adabb3738
        • Instruction ID: 6366b85a4134cf541d15dcafa6415dc8f03caed6557cd5978f28df0cfa262e95
        • Opcode Fuzzy Hash: 74644ed37dcbbd7b273b72cfcbcf1fe960b5ccc3e91e00f90acecf4adabb3738
        • Instruction Fuzzy Hash: FE41A4B2108740AFD760DF24E844FABB3E8FF99718F444A1DF59A87285E774A5048B72
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseEnumOpen$String_base::_Xlenstd::_
        • String ID: Opera$Software\Microsoft\Windows\CurrentVersion\Uninstall$Software\Opera Software$Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall$Software\Wow6432Node\Opera Software
        • API String ID: 1979737782-276245442
        • Opcode ID: 99d929d11633798e521e9c7f659bdcf75a3dbd4077e048b072fea55557a7dd18
        • Instruction ID: a1e59dfad968978ed6d957d5a1a53bc80c23a5432d331ab3d573ae57b07c83c3
        • Opcode Fuzzy Hash: 99d929d11633798e521e9c7f659bdcf75a3dbd4077e048b072fea55557a7dd18
        • Instruction Fuzzy Hash: CD32B4B15083409BD725DF68D981A6FF7E1AB94700F58492CF5C997242EB31EA48CBB3
        APIs
        • CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 00D6EA14
        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00D6EA2F
        • CryptDestroyHash.ADVAPI32(?), ref: 00D6EA39
        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D6EA48
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Crypt$Hash$Param$ContextDestroyRelease
        • String ID:
        • API String ID: 2110207923-0
        • Opcode ID: 436d4fb8df2f6be0eac292c0fd09303dfd38961a7bb967d1944dd8d161ea8fbb
        • Instruction ID: 92c99ed03f17e268a964b65cb106c0e33a408de21ceb34645796651a335f1961
        • Opcode Fuzzy Hash: 436d4fb8df2f6be0eac292c0fd09303dfd38961a7bb967d1944dd8d161ea8fbb
        • Instruction Fuzzy Hash: 19F0C975654310ABE224DB54DC45F6AB3A8AB88B11F14881DF659D7280C7B0A805CBB1
        APIs
        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 00D6C789
        • CryptGenRandom.ADVAPI32(00000000,?,?), ref: 00D6C7A1
        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D6C7B2
        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D6C7C4
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Crypt$Context$Release$AcquireRandom
        • String ID:
        • API String ID: 2916321625-0
        • Opcode ID: fa5d6d29666a3406b67eca0b0230a16d3e28b5456568beab90b387881abca55b
        • Instruction ID: f4a67b329405a7f15a9d60ac2d36fef1484ecbc9439031561f866144bfccc4b1
        • Opcode Fuzzy Hash: fa5d6d29666a3406b67eca0b0230a16d3e28b5456568beab90b387881abca55b
        • Instruction Fuzzy Hash: 1DF0DAB9254301BBF714DF60DC4AF2B73A9AB88B01F14480EB649D6280D774D804DBB1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: ERCP$VUUU$VUUU$VUUU
        • API String ID: 0-2165971703
        • Opcode ID: 4eaa916aa47260d13270f8697752ec1d64347311ee64e7289bf240dfe425315c
        • Instruction ID: bc5fe5ed66ec73ea8f0c1fc4bbfb2a737f1ba9ccaa9520792af56d5b774a3cba
        • Opcode Fuzzy Hash: 4eaa916aa47260d13270f8697752ec1d64347311ee64e7289bf240dfe425315c
        • Instruction Fuzzy Hash: 99626B71A083858BC735CF18C4807AAB7E3FBD4314F188A2EE8D987291D775D985CB62
        APIs
          • Part of subcall function 00D28CC0: RtlEnterCriticalSection.NTDLL(00DB7434), ref: 00D28CC8
          • Part of subcall function 00D28CC0: SetUnhandledExceptionFilter.KERNEL32(?,02912B40,?,00D27C69,DFD45DFC), ref: 00D28CFD
        • GetCurrentThreadId.KERNEL32 ref: 00D281E0
        • SetUnhandledExceptionFilter.KERNEL32(00D28180), ref: 00D2821A
        • RtlLeaveCriticalSection.NTDLL(00DB7434), ref: 00D28242
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalExceptionFilterSectionUnhandled$CurrentEnterLeaveThread
        • String ID:
        • API String ID: 49404816-0
        • Opcode ID: f6686dfa33e1579de7d8cf75e8ddfad120659efd9c4aa45af4d9bdbb00bda12c
        • Instruction ID: 4d89057ada4d9566a4b8429398dca7958605ebcce778323b2133c616127a4a7a
        • Opcode Fuzzy Hash: f6686dfa33e1579de7d8cf75e8ddfad120659efd9c4aa45af4d9bdbb00bda12c
        • Instruction Fuzzy Hash: CB212771609760EFC3219B14EC05B6A77A4FF64B28F18091AF856933D0CB34A80497B6
        APIs
        • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D18AA3
        • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 00D18ABC
        • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D18ACF
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AllocateCheckFreeInitializeMembershipToken
        • String ID:
        • API String ID: 3429775523-0
        • Opcode ID: 381fd237eadb63517db25423ffbfefaf9f4bca239a0f7debc3685714159a745b
        • Instruction ID: a2f567a747d865f847fd8506447bcfce2c0ad35da319f2d035e88af74b69b845
        • Opcode Fuzzy Hash: 381fd237eadb63517db25423ffbfefaf9f4bca239a0f7debc3685714159a745b
        • Instruction Fuzzy Hash: 6D015B76209380BFD300DF6898D596BBBE9AB98700F888C1EF186C3251D630D948CB37
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: \$h$h
        • API String ID: 0-3772022762
        • Opcode ID: c6762ceaceb1ac42a4d285468a327a3ddbf8c72ef0ac6f99cc3e59813d32fc6a
        • Instruction ID: 26850010956453c6a652bf13fbf4372cb1cc51327434be275245bea935e998b2
        • Opcode Fuzzy Hash: c6762ceaceb1ac42a4d285468a327a3ddbf8c72ef0ac6f99cc3e59813d32fc6a
        • Instruction Fuzzy Hash: A1328C745083818FDB25CF28C49076ABBE2BF8A305F188A5EECD987351D771D949CB62
        Strings
        • %31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00D7D748
        • %02d:%02d%n, xrefs: 00D7D87B
        • %02d:%02d:%02d%n, xrefs: 00D7D84D
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]
        • API String ID: 0-1523987602
        • Opcode ID: 6126d990c45c6cd0db79fb8d286215b2cfc59c19863128e4addb8d349cd79eb7
        • Instruction ID: 3e8a711e0f939771967b488938c34f184c3057fbeedc2e6c6cfc45cf7bbf9f37
        • Opcode Fuzzy Hash: 6126d990c45c6cd0db79fb8d286215b2cfc59c19863128e4addb8d349cd79eb7
        • Instruction Fuzzy Hash: 05E18EB1A083418BC714DF29C88166AB7F2BFD5314F988A2EF59987391F731D9058B62
        APIs
        • RtlEnterCriticalSection.NTDLL(00DB7434), ref: 00D28CC8
        • SetUnhandledExceptionFilter.KERNEL32(?,02912B40,?,00D27C69,DFD45DFC), ref: 00D28CFD
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalEnterExceptionFilterSectionUnhandled
        • String ID:
        • API String ID: 1863718665-0
        • Opcode ID: 3bbbcbb039aa5e6a36682f535e539ced97f7a15750fc89607b7d56f271250bd4
        • Instruction ID: ef2e8042c9e17caa8beec070e0e4b814165c6af21cb07db9a8f660d76c599c06
        • Opcode Fuzzy Hash: 3bbbcbb039aa5e6a36682f535e539ced97f7a15750fc89607b7d56f271250bd4
        • Instruction Fuzzy Hash: 28F0BD75601300DFC714EF68E889D667BA5FF88315B198969E549CB325CA31E802CBB0
        APIs
        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 00D6E9A1
        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00D6E9BB
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Crypt$AcquireContextCreateHash
        • String ID:
        • API String ID: 1914063823-0
        • Opcode ID: a0195542cd9b8a5e91c93a58a844f5a1e0e173dcb7c7940d6177e04f9bce09b8
        • Instruction ID: cd525a424b0ec75242e9dfc07d4f8124261d55918b6c20549ebf1eaa992d9b41
        • Opcode Fuzzy Hash: a0195542cd9b8a5e91c93a58a844f5a1e0e173dcb7c7940d6177e04f9bce09b8
        • Instruction Fuzzy Hash: A2E01731284310BBFA305B10EC46FA637A8AF05B00F24080AB789BA1D4C7A0B844CB68
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(00D28180,00D27F42), ref: 00D28D95
        • RtlLeaveCriticalSection.NTDLL(00DB7434), ref: 00D28DBD
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalExceptionFilterLeaveSectionUnhandled
        • String ID:
        • API String ID: 2735283860-0
        • Opcode ID: 55ce75d8608916bf0d6a4c306390b2ef0f723e3175a20484d193390b2f6bb4a1
        • Instruction ID: 1ed03207c753f2cbebeb77f5e82acc0cd08a3a269ba04d684babe75980c4899a
        • Opcode Fuzzy Hash: 55ce75d8608916bf0d6a4c306390b2ef0f723e3175a20484d193390b2f6bb4a1
        • Instruction Fuzzy Hash: 6FC04CB46C9314FF8A1077F4BD0B9683B31FFA0B1B7484571F505A02A2DAA1516897B7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: )$\
        • API String ID: 0-1541953540
        • Opcode ID: 43f52d2eae91a2f1dbd0eefe4bf566e40f93506d3a4e5727def62e95aa04c3a7
        • Instruction ID: eef85e31eb62e25bb41404ce7b1b3dfa746e7e7a792e359ca73a3449350e5b17
        • Opcode Fuzzy Hash: 43f52d2eae91a2f1dbd0eefe4bf566e40f93506d3a4e5727def62e95aa04c3a7
        • Instruction Fuzzy Hash: 45E17C745083858FDB24CF29C48062ABBE1BF9A305F188A6DECD597355D730E949CFA2
        Strings
        • -----BEGIN PUBLIC KEY-----, xrefs: 00D58A88
        • -----END PUBLIC KEY-----, xrefs: 00D58AB3
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----
        • API String ID: 0-1157147699
        • Opcode ID: 60dfbcab7220033f40e453546012af28544ab27c64e85dbaa24cca90dafb8884
        • Instruction ID: 5d853c54e5a06237bee1db214b5b212ea6b64c713fc2995d215917c4b40ebdd5
        • Opcode Fuzzy Hash: 60dfbcab7220033f40e453546012af28544ab27c64e85dbaa24cca90dafb8884
        • Instruction Fuzzy Hash: E321C5B67043445BDF159A2CEC406B6B7D8CB91362F48057FEC82D3241EA74EC499AB5
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: (
        • API String ID: 0-3887548279
        • Opcode ID: 51141bfc0ad47eb6105353893a30759782378d270cb34b69e73447be82d03cad
        • Instruction ID: ea9d76a4f18bea1d5d331a937dc64e8130b4311061a67e311a2498dd968eb781
        • Opcode Fuzzy Hash: 51141bfc0ad47eb6105353893a30759782378d270cb34b69e73447be82d03cad
        • Instruction Fuzzy Hash: 200249356083818FC724CF2AC58072AB7E9FFC9314F14496DE9A597311E771EE468B92
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: (
        • API String ID: 0-3887548279
        • Opcode ID: f8ec92ae8f6702508cc752b15c4a5582b8733fa16180f681bc7460fe5cea1b5e
        • Instruction ID: d2c5e168e68da0c22775a0b0b90be05951b2e20a8d8774ae2e06b41765ab475d
        • Opcode Fuzzy Hash: f8ec92ae8f6702508cc752b15c4a5582b8733fa16180f681bc7460fe5cea1b5e
        • Instruction Fuzzy Hash: 75A191716053459FC724DF5AC880A2EB7E9FFC8360F14492EE995CB311E634EE458B92
        APIs
        • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00D6E9E4
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CryptDataHash
        • String ID:
        • API String ID: 4245837645-0
        • Opcode ID: d2d114400f60d75c782d43da1abb037137f52cd1ea58be49a826e9bd0abcfa9b
        • Instruction ID: 4c44261b75453bc1446a6a87ae5c6bd026fdd1623497ae34ac0b37c083eacd99
        • Opcode Fuzzy Hash: d2d114400f60d75c782d43da1abb037137f52cd1ea58be49a826e9bd0abcfa9b
        • Instruction Fuzzy Hash: F5C002B9604301BFDA14CB54C989F1BF7A9EB88710F10CA49B589C7355C670E841DB62
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(Function_000A6C75), ref: 00D86CBC
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: a748b0d5df82ea2b19fb70a606c69b2c2d8cb1dff0ba7d57dc7733b3948222b5
        • Instruction ID: 7e3c18f79c4cd12b23ff0280ed873906cf511d40c40312190acfbd1cfddf7b00
        • Opcode Fuzzy Hash: a748b0d5df82ea2b19fb70a606c69b2c2d8cb1dff0ba7d57dc7733b3948222b5
        • Instruction Fuzzy Hash: 4A9002E02D22406A860127745C095156BA4DB48712781445561A2C4154DE6080045635
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ce3ec24828df197dd804c9942ac1135f9b6bbb8e400fdbdd406f855714e09017
        • Instruction ID: c6760d561cd7f5aeea933733b08b96adefbf740b419b42ab339669f61c140885
        • Opcode Fuzzy Hash: ce3ec24828df197dd804c9942ac1135f9b6bbb8e400fdbdd406f855714e09017
        • Instruction Fuzzy Hash: 171213B0A08381AFD715CF18C49476ABBE5EB89744F68985EF4C187391D270C946CFB6
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5aa8f99e4debf67f8f55d892750649391e3a0b77af247bd3a3bf8d23827b7de6
        • Instruction ID: 08d598694df37ce5e7ef53b53d2b572fbab8a6b5de94fe04fabb90f06ae663f5
        • Opcode Fuzzy Hash: 5aa8f99e4debf67f8f55d892750649391e3a0b77af247bd3a3bf8d23827b7de6
        • Instruction Fuzzy Hash: 21025A72A142918BDB1CCE29C48027DBBE2FBE4384F110A3DE89697794D774DC4ACB91
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String_base::_Xlenstd::_
        • String ID:
        • API String ID: 1541887531-0
        • Opcode ID: eece96f1cb929825ef368bac7d446a90f1b8480167b306aafb543bd57a34a3fc
        • Instruction ID: 6037eeb93b7469379eeb40840023b509b570bef4c9a3607b955633ff31ad7eae
        • Opcode Fuzzy Hash: eece96f1cb929825ef368bac7d446a90f1b8480167b306aafb543bd57a34a3fc
        • Instruction Fuzzy Hash: 96A17A71518355AFCB24DF5AC994AABF7F8FB89700F504A1EF48693281D770E940CBA2
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 27f600cdd2684f07d4186551f8ac3c96312f163c9ebca9ff384c278b62a97bc1
        • Instruction ID: 9d06604c42e67260f517b1a09678ab7d271f593f3816d8d0cb146bc0aea09429
        • Opcode Fuzzy Hash: 27f600cdd2684f07d4186551f8ac3c96312f163c9ebca9ff384c278b62a97bc1
        • Instruction Fuzzy Hash: 29710731A087D18FC324CE3E888416EBBE1EBD5345F540B2DE5E9D7291D234994ACBD6
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 27c0b7cbb3261303f80241a6f7c7dd1462d1c66990c8602ecc57153a2bb805f7
        • Instruction ID: 06b71a59d439b6119d5f77a690541809677cbf44cbb6d3978cd2cd0a48011a19
        • Opcode Fuzzy Hash: 27c0b7cbb3261303f80241a6f7c7dd1462d1c66990c8602ecc57153a2bb805f7
        • Instruction Fuzzy Hash: E8110D7E374D4647A75C476AAD3367921C2E384305788613CF64BC63C1EE6DD8A48219
        APIs
        • CertOpenStore.CRYPT32(00000002,00000000,00000000,00002000,00000000), ref: 00D81818
        • GetLastError.KERNEL32(?,00000100), ref: 00D8182E
          • Part of subcall function 00D7C800: GetLastError.KERNEL32(00000000,00000000,00000000,?), ref: 00D7C805
        • CertCreateCertificateChainEngine.CRYPT32 ref: 00D818BA
        • GetLastError.KERNEL32(?,00000100), ref: 00D818CE
        • CertFreeCertificateChainEngine.CRYPT32(?), ref: 00D81A9B
        • CertCloseStore.CRYPT32(?,00000000), ref: 00D81AA8
        • CertFreeCertificateChain.CRYPT32(?), ref: 00D81AB7
        • CertFreeCRLContext.CRYPT32(?), ref: 00D81AC6
        Strings
        • schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 00D81A02
        • schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 00D819E6
        • 0, xrefs: 00D818AE
        • schannel: failed to create certificate store: %s, xrefs: 00D8183B
        • schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 00D81A31
        • schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 00D81A1B
        • schannel: CertGetCertificateChain failed: %s, xrefs: 00D81962
        • schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 00D819AB
        • schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00D817EB
        • schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 00D819CA
        • schannel: failed to create certificate chain engine: %s, xrefs: 00D818DB
        • schannel: Failed to read remote certificate context: %s, xrefs: 00D81775
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Cert$CertificateChainErrorFreeLast$EngineStore$CloseContextCreateOpen
        • String ID: 0$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: Failed to read remote certificate context: %s$schannel: failed to create certificate chain engine: %s$schannel: failed to create certificate store: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
        • API String ID: 342884902-2670036763
        • Opcode ID: be41e6075f94f8b3579fb09c368880f9f53fc4c4f22ee24e48b8476d68b1a456
        • Instruction ID: 597b7a71acf325b3204ceaf9071ec71c192b868a0ee78dbd5ebfa419ad495d86
        • Opcode Fuzzy Hash: be41e6075f94f8b3579fb09c368880f9f53fc4c4f22ee24e48b8476d68b1a456
        • Instruction Fuzzy Hash: CEB1D4B5600301EBD714EB24CC41B6B77ACEB84744F184A2DF9AAE7281E774D94ACB71
        APIs
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D43E
        • __allrem.LIBCMT ref: 00D6D471
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D47F
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D48F
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D4C3
        • __allrem.LIBCMT ref: 00D6D4F3
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D501
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D511
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D544
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D577
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D59C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
        • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
        • API String ID: 632788072-2102732564
        • Opcode ID: bb643c4dca3b2a0cd3c8fdcf3bc3b0aa5b228cb1bb39b66d9f2c5341b9972ea6
        • Instruction ID: ee0bdd750d9e9bda6dd65813b989b7a8efb49249dbb91f283401cfcd150bc689
        • Opcode Fuzzy Hash: bb643c4dca3b2a0cd3c8fdcf3bc3b0aa5b228cb1bb39b66d9f2c5341b9972ea6
        • Instruction Fuzzy Hash: 1A416BE6B803403BF52075697C87F2B612ECBE2F69F240429B606F60D3D9A6BC5041B9
        APIs
          • Part of subcall function 00D19360: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000002,00000000,?,?,0000000F,00000010,00000000,?,00000000,00000000), ref: 00D1939B
          • Part of subcall function 00D19360: RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D193FF
          • Part of subcall function 00D19360: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00D1940F
        • GetSystemTime.KERNEL32(?), ref: 00CFD3A6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseCreateSystemTimeValue
        • String ID: %.4d%.2d%.2d$DisplayIcon$DisplayName$HelpLink$InstallDate$InstallLocation$Publisher$Software\$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
        • API String ID: 838904857-2577997009
        • Opcode ID: e987f6d6fd2c49ae7f6e49446d4cd24ff50000079a8547afdc2c79ea1c630ad1
        • Instruction ID: ad161dca19c5aba2ddbfeae984b02c6bda8f25edc5f166020bf7da381ef1561b
        • Opcode Fuzzy Hash: e987f6d6fd2c49ae7f6e49446d4cd24ff50000079a8547afdc2c79ea1c630ad1
        • Instruction Fuzzy Hash: 6902B2B1408380AED311EB259851BABBBE8AFD9704F444D1EF5D552242EB759248CFB3
        APIs
        • EnumProcesses.PSAPI(?,00001000,?,DFD45DFC,75920F00,00000000,00000010,00000000,?,00D9019D,000000FF,00D41052), ref: 00D3F128
        • GetCurrentProcessId.KERNEL32(?,00001000,?,DFD45DFC,75920F00,00000000,00000010,00000000,?,00D9019D,000000FF,00D41052), ref: 00D3F140
        • OpenProcess.KERNEL32(00100411,00000000,?), ref: 00D3F172
        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104), ref: 00D3F190
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00D19C1F
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,?,00000000,00000000,00000000), ref: 00D19C3E
        • CloseHandle.KERNEL32(00000000,00000000,000000FF,75920F00,00000000,00000010,00000000,?,?,?,?,00000000,00D90545,000000FF,00D30F0F,00000003), ref: 00D3F363
        • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000104), ref: 00D3F39E
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        • EnumWindows.USER32(00D3D220,?), ref: 00D3F56C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process$ByteCharEnumFileMultiNameWide$CloseCurrentHandleImageModuleOpenProcessesString_base::_WindowsXlenstd::_
        • String ID: Chrome$Firefox$Internet Explorer$Opera$chrome.exe$firefox.exe$iexplore.exe$opera.exe
        • API String ID: 1921377800-2013523961
        • Opcode ID: 4b9b3e204246d0127064a89d44663a237c42e3c53216d8cb66a9266359976b75
        • Instruction ID: db2ae7534a959c916f0ea7dec652fd637d0e43a9ddffd488574aeed8fba7d337
        • Opcode Fuzzy Hash: 4b9b3e204246d0127064a89d44663a237c42e3c53216d8cb66a9266359976b75
        • Instruction Fuzzy Hash: 09D18975908784DFC725EF25D881AEBB7E4EF98700F04492DF59987281DB70A944CBB2
        APIs
        • BeginPaint.USER32(?,?), ref: 00D0B7B6
        • GetClientRect.USER32(?,?), ref: 00D0B7CF
        • CreateSolidBrush.GDI32(?), ref: 00D0B7DC
        • FillRect.USER32(00000000,?,00000000), ref: 00D0B7EF
        • DeleteObject.GDI32(00000000), ref: 00D0B7F6
        • EndPaint.USER32(?,?), ref: 00D0B805
        • BeginPaint.USER32(?,?), ref: 00D0B83B
        • GetClientRect.USER32(?,?), ref: 00D0B865
        • SelectObject.GDI32(00000000,00000000), ref: 00D0B8A5
        • CreateSolidBrush.GDI32(?), ref: 00D0B8BA
        • FillRect.USER32(00000000,00000000,00000000), ref: 00D0B8CD
        • DeleteObject.GDI32(00000000), ref: 00D0B8D4
        • 73A14D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00D0B915
        • SelectObject.GDI32(00000000,?), ref: 00D0B921
        • DeleteDC.GDI32(00000000), ref: 00D0B92C
        • DeleteObject.GDI32(00000000), ref: 00D0B933
        • EndPaint.USER32(?,?), ref: 00D0B942
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Object$DeletePaintRect$BeginBrushClientCreateFillSelectSolid
        • String ID:
        • API String ID: 3591250188-0
        • Opcode ID: c89ef4bbb81e9aac56819a07fe03b98732954ef6ada693248aaa899389244c20
        • Instruction ID: ece8ac1a0d73e6be46b85c01244b90a6528d66bd23c6eea10d1c3ce21212aedd
        • Opcode Fuzzy Hash: c89ef4bbb81e9aac56819a07fe03b98732954ef6ada693248aaa899389244c20
        • Instruction Fuzzy Hash: E2511BB6204702BFD214DB64DC99F6BB7A8FB88711F04461AF65AD6290DB70E904CBB1
        APIs
        • CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 00D06256
        • ConnectNamedPipe.KERNEL32(000000FF,?), ref: 00D06269
          • Part of subcall function 00D06030: CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00D060B1
        • GetLastError.KERNEL32 ref: 00D0628B
        • GetTickCount.KERNEL32 ref: 00D06305
        • Sleep.KERNEL32(00000064), ref: 00D06318
        • GetTickCount.KERNEL32 ref: 00D06324
          • Part of subcall function 00D05DF0: GetLastError.KERNEL32(00000010,?,00D45DE7), ref: 00D05DFA
        • WaitForSingleObject.KERNEL32(?,?), ref: 00D06361
        • CloseHandle.KERNEL32(?,?), ref: 00D06376
        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00D06410
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$CountErrorLastNamedPipeTick$CloseConnectEventFileHandleObjectSingleSleepWait
        • String ID: ConnectNamedPipe failed: $CreateFile failed: $InterprocessMessenger::connect$Timeout exceeded$\\.\pipe\
        • API String ID: 624744538-674043421
        • Opcode ID: aa05167eca5d6a346b15b700b64fd59f51a66235f8e44463c8838eedf7ea3101
        • Instruction ID: 79b8ef862c9adacdceb8e092a122d95fa2623575a484f797673809c77bfba079
        • Opcode Fuzzy Hash: aa05167eca5d6a346b15b700b64fd59f51a66235f8e44463c8838eedf7ea3101
        • Instruction Fuzzy Hash: 15918FB1508380AFD710EF64D885B6FB7E8FB95314F444A2DF18983291DB74D9188B76
        Strings
        • STATUS:ADMIN, xrefs: 00D05CB9
        • ShellExecute for admin-proxy failed - , xrefs: 00D05B65
        • got adminStatus from admin-proxy - , xrefs: 00D05C7C
        • ConnectNamedPipe for admin-proxy failed - , xrefs: 00D05BE4
        • AdministrativeProxy is already running, xrefs: 00D05AD1
        • unable to listen on admin-proxy pipes, xrefs: 00D05AF6
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: AdministrativeProxy is already running$ConnectNamedPipe for admin-proxy failed - $STATUS:ADMIN$ShellExecute for admin-proxy failed - $got adminStatus from admin-proxy - $unable to listen on admin-proxy pipes
        • API String ID: 0-263646754
        • Opcode ID: 0477e398b47c70b6058b55b9e95fde0bbc67ac5e7c14e18ef80b04a7e4e7601c
        • Instruction ID: cbafcfc9cd5ea9eb39d9f4cb1c4fd8dc99f2f8aa4660007d63611eb509b1206c
        • Opcode Fuzzy Hash: 0477e398b47c70b6058b55b9e95fde0bbc67ac5e7c14e18ef80b04a7e4e7601c
        • Instruction Fuzzy Hash: F761B071148381AFD724EB61DC46FABB7E8AF54700F104A0DF59A922D2EF74A508CB72
        APIs
        • RtlEnterCriticalSection.NTDLL(00DB78D0), ref: 00D101FC
        • RegisterClipboardFormatW.USER32(WM_ATLGETHOST), ref: 00D1020D
        • RegisterClipboardFormatW.USER32(WM_ATLGETCONTROL), ref: 00D10219
        • GetClassInfoExW.USER32(00CE0000,AtlAxWin90,?), ref: 00D10240
        • LoadCursorW.USER32 ref: 00D1027E
        • RegisterClassExW.USER32 ref: 00D102A1
        • GetClassInfoExW.USER32(00CE0000,AtlAxWinLic90,?), ref: 00D102EA
        • LoadCursorW.USER32 ref: 00D10322
        • RegisterClassExW.USER32 ref: 00D10345
        • RtlLeaveCriticalSection.NTDLL(00DB78D0), ref: 00D10374
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClassRegister$ClipboardCriticalCursorFormatInfoLoadSection$EnterLeave
        • String ID: AtlAxWin90$AtlAxWinLic90$WM_ATLGETCONTROL$WM_ATLGETHOST
        • API String ID: 1448039599-2573294316
        • Opcode ID: a03391ac8e0abe93fd794817447be7f5cb915cb6e01d40a22e35a4bb8e0bc86d
        • Instruction ID: 5f7a4898b5552bf4d170a3a9143e659edd7e610c2b61312f8685cf79649a4731
        • Opcode Fuzzy Hash: a03391ac8e0abe93fd794817447be7f5cb915cb6e01d40a22e35a4bb8e0bc86d
        • Instruction Fuzzy Hash: 104118B1518350AFC301DF15EC88A5BBBE8BBC8B14F804A1EF58593390D7B49549CFAA
        APIs
        • lstrlenW.KERNEL32(?,DFD45DFC,?), ref: 00D1288C
        • CharNextW.USER32 ref: 00D12912
        • CharNextW.USER32(00000000), ref: 00D12917
        • CharNextW.USER32(00000000), ref: 00D1291C
        • CharNextW.USER32(00000000), ref: 00D12921
        • CharNextW.USER32(C8000000), ref: 00D129CD
        • CharNextW.USER32(?,00000000), ref: 00D12A38
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CharNext$lstrlen
        • String ID: }}$HKCR$HKCU{Software{Classes
        • API String ID: 2675299387-1142484189
        • Opcode ID: 5ea82029c4de85bfb12317af495b945c44b8e5260e3e94b79f23c86c145a0c5d
        • Instruction ID: 305e1413c0b31ea961313e481905be14ef32d1d63d40d20148cf40a1c17bcef5
        • Opcode Fuzzy Hash: 5ea82029c4de85bfb12317af495b945c44b8e5260e3e94b79f23c86c145a0c5d
        • Instruction Fuzzy Hash: 9C817A70608341ABC724DF28E844ABABBE4EF58314F18491DF5C597280EB36D9A4CB72
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00D1F670
        • WriteFile.KERNEL32(00000000,--quit-application,--quit-application,?,00000000), ref: 00D1F69B
        • CloseHandle.KERNEL32(00000000), ref: 00D1F6A2
        • WaitForSingleObject.KERNEL32(00000000,00002710,?,?,DFD45DFC,00000010,?,?,00000000), ref: 00D1F6D1
        • TerminateProcess.KERNEL32(00000000,00000001,?,?,DFD45DFC,00000010,?,?,00000000), ref: 00D1F6DE
        • WaitForSingleObject.KERNEL32(00000000,00002710,?,?,DFD45DFC,00000010,?,?,00000000), ref: 00D1F6F2
          • Part of subcall function 00D05DF0: GetLastError.KERNEL32(00000010,?,00D45DE7), ref: 00D05DFA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharFileMultiObjectSingleWaitWide$CloseCreateErrorHandleLastProcessTerminateWrite
        • String ID: --quit-application$TerminateProcess failed: $WaitForSingleObject failed: $WaitForSingleObject timed out$WaitForSingleObject unknown error$\\.\pipe\
        • API String ID: 1433193461-2555663530
        • Opcode ID: 581e7d8fce5b7a923593823b60b935268c10b0fdfdfb8ebdcffcaa1ccd3e3c4c
        • Instruction ID: 0f5986b1710559524b893d8c5ef4438fcfef7325d30618b06647e571490a94fd
        • Opcode Fuzzy Hash: 581e7d8fce5b7a923593823b60b935268c10b0fdfdfb8ebdcffcaa1ccd3e3c4c
        • Instruction Fuzzy Hash: 9C6149B25483406FD700AB64AC86BAFB7D8EB84760F440A2DF555932D1EF39E44887B2
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • FindResourceW.KERNEL32(00000000,?,TEXT), ref: 00D23755
        • LoadResource.KERNEL32(00000000,00000000), ref: 00D23826
        • GetLastError.KERNEL32 ref: 00D23834
          • Part of subcall function 00D1D850: LocalFree.KERNEL32(?), ref: 00D1D951
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        • LockResource.KERNEL32(00000000), ref: 00D238C0
        • GetLastError.KERNEL32 ref: 00D238CA
        • GetLastError.KERNEL32 ref: 00D23765
          • Part of subcall function 00D1D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,?), ref: 00D1D8DF
          • Part of subcall function 00D1D850: GetLastError.KERNEL32(?,?,?,?), ref: 00D1D8E9
          • Part of subcall function 00D1D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1D98E
        • SizeofResource.KERNEL32(00000000,00000000), ref: 00D237F1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastResource$ByteCharMultiWide$FindFormatFreeIos_base_dtorLoadLocalLockMessageSizeofString_base::_Xlenstd::_std::ios_base::_
        • String ID: FindResource error: $LoadResource error: $LockResource error: $TEXT$Zero-sized resource
        • API String ID: 3828103314-2387353103
        • Opcode ID: 081d7f20c18c74601d1d8ff7b0f9502a410ca14956cfbb81ccc226f5c7847d91
        • Instruction ID: 1cc7215c0301abed2b9afe5f3b83a927f7471a5a3b2b6f0378c47ca01cc9bf40
        • Opcode Fuzzy Hash: 081d7f20c18c74601d1d8ff7b0f9502a410ca14956cfbb81ccc226f5c7847d91
        • Instruction Fuzzy Hash: 5A5194B2508390AFC710EF259845A6BBBE9AF95704F444D2DF59693381DB34D908CBB3
        APIs
        • GetParent.USER32 ref: 00D08663
        • GetWindow.USER32(?,00000004), ref: 00D0866C
        • GetWindowRect.USER32(?,?), ref: 00D0867C
        • MonitorFromWindow.USER32(?,00000002), ref: 00D086B0
        • GetMonitorInfoW.USER32 ref: 00D086D9
        • GetWindowRect.USER32(?,?), ref: 00D0871F
        • SetWindowPos.USER32(00000000,00000000,00000000,?,000000FF,000000FF,00000015,?,?), ref: 00D087DB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Window$MonitorRect$FromInfoParent
        • String ID: (
        • API String ID: 568100639-3887548279
        • Opcode ID: 5c1ae684e4f4bba5aa1f7869545016263cb4635fac5d27f0a3f9f6592dde3642
        • Instruction ID: 6d43b3a8d6317926ac8adba0a8795d73aa82276e3ddcf4a4ebb8ff4972393f51
        • Opcode Fuzzy Hash: 5c1ae684e4f4bba5aa1f7869545016263cb4635fac5d27f0a3f9f6592dde3642
        • Instruction Fuzzy Hash: 50515B71208301AFC314DF28CC84B6AB7E9ABC8754F554A2DF985D3394EB30ED058BA2
        APIs
        • IsProcessorFeaturePresent.KERNEL32(0000000C,00D85076,?,00D010CE,?,00D005AB,00000000), ref: 00D84FA2
        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00000000,?,00D005AB,00000000), ref: 00D84FBB
        • GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList), ref: 00D84FD5
        • GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList), ref: 00D84FE2
        • GetProcessHeap.KERNEL32(00000000,00000008,?,00D005AB,00000000), ref: 00D85014
        • RtlAllocateHeap.NTDLL(00000000,?,00D005AB), ref: 00D85017
        • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00D8502D
        • GetProcessHeap.KERNEL32(00000000,00000000,?,00D005AB,00000000), ref: 00D8503A
        • HeapFree.KERNEL32(00000000,?,00D005AB,00000000), ref: 00D8503D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Heap$AddressProcProcess$AllocateCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
        • String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
        • API String ID: 3762069661-2586642590
        • Opcode ID: ce1826a1968a52ce200889e2be7b491e7f43fbbe69137cbafda856af18843595
        • Instruction ID: 729f917232bdc8bdb0e36307865c52a03d98a56e6edba56e62cb38080c78c510
        • Opcode Fuzzy Hash: ce1826a1968a52ce200889e2be7b491e7f43fbbe69137cbafda856af18843595
        • Instruction Fuzzy Hash: 63115876645741EFDB20AFB5EC88E2A3BE8FB85746B08052BE146D3354DB309840CBB0
        APIs
        • SelectObject.GDI32(00000000,?), ref: 00CFF3EC
        • SelectObject.GDI32(00000000,00000000), ref: 00CFF3F4
        • SetBkColor.GDI32(00000000,?), ref: 00CFF406
        • 73A14D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00CFF425
        • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00CFF431
        • SetBkColor.GDI32(00000000,00000000), ref: 00CFF43E
        • 73A14D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00CFF459
        • SetTextColor.GDI32(00000000,?), ref: 00CFF465
        • SetBkColor.GDI32(00000000,?), ref: 00CFF471
        • SelectObject.GDI32(00000000,?), ref: 00CFF479
        • SelectObject.GDI32(00000000,?), ref: 00CFF481
        • DeleteDC.GDI32(00000000), ref: 00CFF48A
        • DeleteDC.GDI32(00000000), ref: 00CFF48D
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Color$ObjectSelect$DeleteText
        • String ID:
        • API String ID: 1164337235-0
        • Opcode ID: 1759b1c818f3fc9fa7e7e9db0a292a2a181177b9bd83d961dbdb8dab80d87517
        • Instruction ID: 0f0a5853470290df9cdfb4c86211e3fbea7546bb7c169ae826563021639f0296
        • Opcode Fuzzy Hash: 1759b1c818f3fc9fa7e7e9db0a292a2a181177b9bd83d961dbdb8dab80d87517
        • Instruction Fuzzy Hash: F5312B71644304BBD210DB659C85F7BBBECEFC9B60F10451EF648A3290D6B4E9058BBA
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000), ref: 00D460D9
        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,00000001,?,00000000), ref: 00D461B3
        • CloseHandle.KERNEL32(00000000,?,?,?,00D92A70,?,?,?,?,?,00000001,?,00000000), ref: 00D4624C
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D46314
          • Part of subcall function 00D05DF0: GetLastError.KERNEL32(00000010,?,00D45DE7), ref: 00D05DFA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharFileMultiWide$CloseCreateErrorHandleIos_base_dtorLastSizestd::ios_base::_
        • String ID: information:$CreateFile error - $Error getting file size - $Error while calculating sha1 - $File $File size: $File's sha1:
        • API String ID: 4176796106-760261076
        • Opcode ID: 41f5fdadcb42e8794578097601f13505a9b53b2b8d641da97e8a26ff7be4cb37
        • Instruction ID: 24f3f02ac334d0fffdcc82f586996ad66744070ca34b75448af40140a79eafda
        • Opcode Fuzzy Hash: 41f5fdadcb42e8794578097601f13505a9b53b2b8d641da97e8a26ff7be4cb37
        • Instruction Fuzzy Hash: 8471D8B1508384AFD720DF24EC46FAFB7D8AB95704F444D2DF58A93241EA7595088BB3
        APIs
        • Sleep.KERNEL32(00000064,FusionSeparated showWindow - start,00000022,DFD45DFC), ref: 00D394F2
        Strings
        • fusion-stat, xrefs: 00D395C2
        • FusionSeparated showWindow - showing, xrefs: 00D3954E
        • FusionSeparated showWindow - end, xrefs: 00D39693
        • fusion-installing, xrefs: 00D39587
        • FusionSeparated showWindow - start, xrefs: 00D394DB, 00D3966F
        • No fusion process while wait showing, xrefs: 00D3963F
        • fusion-bundle.exe, xrefs: 00D395D7
        • FusionSeparated showWindow - installing, xrefs: 00D395AC
        • FusionSeparated showWindow - stat, xrefs: 00D3960B
        • fusion-showing, xrefs: 00D39529
        • No fusion process while wait installing, xrefs: 00D39648
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Sleep
        • String ID: FusionSeparated showWindow - end$FusionSeparated showWindow - installing$FusionSeparated showWindow - showing$FusionSeparated showWindow - start$FusionSeparated showWindow - stat$No fusion process while wait installing$No fusion process while wait showing$fusion-bundle.exe$fusion-installing$fusion-showing$fusion-stat
        • API String ID: 3472027048-3675115871
        • Opcode ID: 340ad96eb61aec35b54cf2f1bb91f1635642f0bfbb949864bc14995661ec1508
        • Instruction ID: 250b877c036027d9d1182da83921432fe1d1290a066e7d9fcc153f8ee25cb766
        • Opcode Fuzzy Hash: 340ad96eb61aec35b54cf2f1bb91f1635642f0bfbb949864bc14995661ec1508
        • Instruction Fuzzy Hash: F4515872744340AFCB01EF698892B6FB3D5EB98740F40092DF58693281DAB0D944CBB3
        APIs
        • CoInitialize.OLE32(00000000), ref: 00D2578F
        • SHGetSpecialFolderLocation.SHELL32(00000000,?,?), ref: 00D257A7
        • SHGetSpecialFolderLocation.SHELL32(00000000,?,?), ref: 00D258EE
        • SHBrowseForFolderW.SHELL32 ref: 00D2599F
        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D259F1
          • Part of subcall function 00CEAE10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAE5F
        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00D25849
          • Part of subcall function 00CF8CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CF8D3A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Folder$FromListLocationPathSpecial$BrowseInitializeIos_base_dtorString_base::_Xlenstd::_std::ios_base::_
        • String ID: A$SHBrowseForFolder returned 0$SHGetPathFromIDList failed: $SHGetSpecialFolderLocation failed:
        • API String ID: 3653647896-4115638718
        • Opcode ID: 4ea34839c6a5027fa551f9bcd962205ff6282e4935c94093db715a9611b20eba
        • Instruction ID: 9e4478c2c8c7b94b66551e01ff337ed133d1f2bd5b783627034ad118002804d0
        • Opcode Fuzzy Hash: 4ea34839c6a5027fa551f9bcd962205ff6282e4935c94093db715a9611b20eba
        • Instruction Fuzzy Hash: C4914BB1508741AFC720DF15E881AABBBE9EBD8704F404E1DF18993251DB75E9488BB2
        APIs
        • CreatePipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,DFD45DFC), ref: 00D1D0A0
        • CreateProcessW.KERNEL32(00000000,-00000004,00000000,00000000,00000001,00000010,00000000,00000000,?,?,?,?,?,?,?,00D8C25D), ref: 00D1D160
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$PipeProcess
        • String ID: D
        • API String ID: 759506453-2746444292
        • Opcode ID: f4c9ea98967988063da2cda8676630173d43150b78dde9c781548c1760ec6025
        • Instruction ID: bb7abdcd2e510710148a8e1b760021b0a3e428be4a6471d2c332a82073b807f9
        • Opcode Fuzzy Hash: f4c9ea98967988063da2cda8676630173d43150b78dde9c781548c1760ec6025
        • Instruction Fuzzy Hash: 52814CB1508380AFD720DF59D980BABB7EABF89704F404A1EF19987241DB74E944CB63
        APIs
        • GetModuleHandleA.KERNEL32(kernel32,00000003,?,?,00D69C4E,secur32.dll), ref: 00D57A8A
        • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00D57AA2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: AddDllDirectory$LoadLibraryExA$kernel32
        • API String ID: 1646373207-3327535076
        • Opcode ID: bc8748a7b6669f1f4695e7321e656ffac9ae39ef0c47ab4cbe3136a3f4114c9c
        • Instruction ID: a9aa7b4832e723d3d666d47ffad92b006c0f4cc8d01dcfc074df36de83d5b767
        • Opcode Fuzzy Hash: bc8748a7b6669f1f4695e7321e656ffac9ae39ef0c47ab4cbe3136a3f4114c9c
        • Instruction Fuzzy Hash: 2241F43230A3116FDB115B287C08FB67799EB81723F28416AFD46C7351EE62C90C86B4
        APIs
        • OleUninitialize.OLE32 ref: 00D141D2
        • OleInitialize.OLE32(00000000), ref: 00D141E0
        • GetWindowTextLengthW.USER32(?), ref: 00D141E7
        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00D1423E
        • SetWindowTextW.USER32(?,Function_000B5924), ref: 00D1424A
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00D14266
        • GlobalFix.KERNEL32(00000000), ref: 00D14282
        • GlobalUnWire.KERNEL32(00000000), ref: 00D1429D
        • SysFreeString.OLEAUT32(00000000), ref: 00D142D5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: GlobalTextWindow$AllocFreeInitializeLengthStringUninitializeWire
        • String ID:
        • API String ID: 1289996212-0
        • Opcode ID: 4e1f6691467a07b253f541ec8b3a36959f60e56f2ed2931c79a81e7e5322a4b5
        • Instruction ID: c413266f83d9473708642abf5e6288692c901470959ae30317f2fac4e8e2e28a
        • Opcode Fuzzy Hash: 4e1f6691467a07b253f541ec8b3a36959f60e56f2ed2931c79a81e7e5322a4b5
        • Instruction Fuzzy Hash: C0916B75900209AFDB11DBA4EC84EEEBBB8EF49310F144649F916E7290DB749D81CB71
        APIs
        • GetTickCount.KERNEL32 ref: 00CE8B2D
        • PeekMessageW.USER32(?,00000000,00000400,00000400,00000000), ref: 00CE8B52
          • Part of subcall function 00D18EC0: IsUserAnAdmin.SHELL32 ref: 00D18EC0
        • SendMessageW.USER32(?,000007E9,00000000,00000000), ref: 00CE8C10
        • SendMessageW.USER32(?,000007E9,00000000,00000000), ref: 00CE8F49
          • Part of subcall function 00CE76B0: Sleep.KERNEL32(00000064,?,00000000), ref: 00CE7832
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$Send$AdminCountPeekSleepTickUser
        • String ID: browsersTerminated$installer$postMG
        • API String ID: 136132124-1007714630
        • Opcode ID: 1c92578c6f8ecb37688f0fabc6ca5ab8e67d53596345ca58ddecabdb733912d4
        • Instruction ID: f14d7aa2c56377e40174f0fa8c7793c9e92bb05026ae56467db51a91a5107929
        • Opcode Fuzzy Hash: 1c92578c6f8ecb37688f0fabc6ca5ab8e67d53596345ca58ddecabdb733912d4
        • Instruction Fuzzy Hash: D6B1C0B0604384AFDB20FBB5D856B6FB799AF85300F00491DF28A972D2DE34D9089776
        APIs
        • GetStockObject.GDI32 ref: 00D0BA30
        • GetStockObject.GDI32(0000000D), ref: 00D0BA38
        • GetObjectW.GDI32(00000000,0000005C,?), ref: 00D0BA4A
        • 73A0A570.USER32(?), ref: 00D0BAAA
        • OleCreateFontIndirect.OLEAUT32(?), ref: 00D0BB2A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Object$Stock$A570CreateFontIndirect
        • String ID:
        • API String ID: 3222375704-3916222277
        • Opcode ID: ef74578be00d84f69f129b7d1c319270f197d3458b1b4b465e0bb878cbf94cee
        • Instruction ID: a48e4059d593a8f88dbdb165519deb3382ebf9f994fd50e465d79d143eced9ea
        • Opcode Fuzzy Hash: ef74578be00d84f69f129b7d1c319270f197d3458b1b4b465e0bb878cbf94cee
        • Instruction Fuzzy Hash: 27415871608301ABD720DF65D855B6BBBE8BF88350F04492AF889D7290EB74D904CBB2
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ColorWindow
        • String ID:
        • API String ID: 4045458706-0
        • Opcode ID: 313c19c8c58f1c9e0da5d79fcae0ed86122d3ca89b2b711043adcb88f7c36597
        • Instruction ID: 3f2f15863dd27fc59324f5d208cc92e2e4c8b0606d6b614c90bba16b4c8b5d59
        • Opcode Fuzzy Hash: 313c19c8c58f1c9e0da5d79fcae0ed86122d3ca89b2b711043adcb88f7c36597
        • Instruction Fuzzy Hash: 42B18734604301AFD714DF58C884B6AB7A9AFC9700F48891DF9888B2E1DB75EC45CB72
        Strings
        • Failed to connect to %s port %ld: %s, xrefs: 00D66D3D
        • L', xrefs: 00D66A40
        • After %I64dms connect time, move on!, xrefs: 00D66A32
        • Connection failed, xrefs: 00D66BB7
        • Connection time-out, xrefs: 00D6693F
        • connect to %s port %ld failed: %s, xrefs: 00D66B43
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
        • API String ID: 0-68081636
        • Opcode ID: a18bb8d124f222bc5b944bda25db3b07ecbafa295e86833318cd3a37cf278e10
        • Instruction ID: 286453d0b3ea535c468a18dc2b2234919ffd78849dc34d87100ba6c9dddf80af
        • Opcode Fuzzy Hash: a18bb8d124f222bc5b944bda25db3b07ecbafa295e86833318cd3a37cf278e10
        • Instruction Fuzzy Hash: B5D19F716043449FCB24DF58D881AAAB7E5EF88314F588A2DF9499B351DB30ED44CFA2
        APIs
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CF28F9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ios_base_dtorstd::ios_base::_
        • String ID: <?xml version="1.0" encoding="UTF-8"?>$action$afterInstallMg$file_name$mediagetInstaller$resaller$statVersion
        • API String ID: 323602529-1959298732
        • Opcode ID: 7a56f886a6235166e48b6214c4b847e8d1aab3eb9009b340b6626af8122bb5a5
        • Instruction ID: 5a48611febfda6177ab5f4a0a2efbfa7be3443048b06752cd41a056ca5fce6f6
        • Opcode Fuzzy Hash: 7a56f886a6235166e48b6214c4b847e8d1aab3eb9009b340b6626af8122bb5a5
        • Instruction Fuzzy Hash: 35C1C8B5848384AFD760EB649C56BAFB7E8AF98304F444D1DF69853242EB74910C8B73
        APIs
        • CertFreeCRLContext.CRYPT32(?), ref: 00D6BB5F
        Strings
        • schannel: failed to store credential handle, xrefs: 00D6BAA8
        • schannel: failed to setup memory allocation, xrefs: 00D6B9E2
        • schannel: failed to setup stream orientation, xrefs: 00D6B9FC
        • schannel: failed to retrieve remote cert context, xrefs: 00D6BB72
        • schannel: failed to setup sequence detection, xrefs: 00D6B99A
        • schannel: failed to setup replay detection, xrefs: 00D6B9B1
        • schannel: failed to setup confidentiality, xrefs: 00D6B9C8
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CertContextFree
        • String ID: schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle
        • API String ID: 3569843879-3495321840
        • Opcode ID: 101823c01c118ce90689dc205a8b8501eb1e51e4382c39804c2da94e837035f6
        • Instruction ID: 35ad0b8f06119fe3a4354deae744d38de4606e5a98e6b274337efb64cd8281d3
        • Opcode Fuzzy Hash: 101823c01c118ce90689dc205a8b8501eb1e51e4382c39804c2da94e837035f6
        • Instruction Fuzzy Hash: 2451C7756403009FCB10DF64DC81E6A77A5EFC4365F48852AFC48DB242EB75EA898BB1
        APIs
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D2F0
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D320
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D37F
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D3B1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
        • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$--:--:--
        • API String ID: 885266447-1858174321
        • Opcode ID: 99dbdd6aebb06aa92250545bf453c64b13a0eda37d9fe57036a9c5562718fe82
        • Instruction ID: cf2e3b5d441627fc9807a8b3205f70fdd3f7a80e53f1043a79f410f464c0a179
        • Opcode Fuzzy Hash: 99dbdd6aebb06aa92250545bf453c64b13a0eda37d9fe57036a9c5562718fe82
        • Instruction Fuzzy Hash: 983108B27447047FE210BA28BC82F7B779EDBC5F54F054529F604AB282D5A1EC0482B5
        APIs
          • Part of subcall function 00CEB030: std::_String_base::_Xlen.LIBCPMT ref: 00CEB08C
          • Part of subcall function 00D01E60: GetCurrentThreadId.KERNEL32 ref: 00D01F0D
          • Part of subcall function 00D01E60: SendMessageW.USER32(00000000), ref: 00D01F2E
          • Part of subcall function 00D01E60: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D01F44
          • Part of subcall function 00D01E60: Sleep.KERNEL32(00000064), ref: 00D01F52
          • Part of subcall function 00D01E60: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D01F5E
        • Sleep.KERNEL32(00000064,00000000,?,00D92A20,00000002,?,?,?), ref: 00CE87E5
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$PeekSleep$CurrentSendString_base::_ThreadXlenstd::_
        • String ID: 8$@$addFilesAssociations$addFirewallExceptionCheck$addWindowsAutostart$checked$playerCheck$soft_ok
        • API String ID: 3933562471-2272647988
        • Opcode ID: e2d0e776c06adc43c4848ab3e352540d3c8fa3aaef71b829f4de30cb4a08f88c
        • Instruction ID: 158cb7fe4b5e87b4cc2b050811474951610a62533c41f5fe0390d8be0a682b1d
        • Opcode Fuzzy Hash: e2d0e776c06adc43c4848ab3e352540d3c8fa3aaef71b829f4de30cb4a08f88c
        • Instruction Fuzzy Hash: B00279B18093C0AFE320DF6AD481B6BBBE4AF88704F44491EF19957292DB75D508CB63
        APIs
          • Part of subcall function 00CEAD10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAD4A
          • Part of subcall function 00CEAD10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAD61
        • Sleep.KERNEL32(00000064,?,?,00000000,00000000,00000000,00000000), ref: 00CF5BC9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String_base::_Xlenstd::_$Sleep
        • String ID: &signature=$&soft=mediaget$&status=$&url=$749c4eeb900d5b934e55da9081b1b685$?bbls_client_id=$http://sub2.bubblesmedia.ru/client/mediaget_install$yes
        • API String ID: 3562441592-397168707
        • Opcode ID: d0c6023864cef27c1bd30c677188129789d7fec97b9b740acbf5d8a157132405
        • Instruction ID: a71ea169b72f30cd599cdfa6843550075a0693151cff441b7054fe24631f3d94
        • Opcode Fuzzy Hash: d0c6023864cef27c1bd30c677188129789d7fec97b9b740acbf5d8a157132405
        • Instruction Fuzzy Hash: CDE19FB14093859BD771EB25D881BABFBE8AF95700F404E2EF29942242D7709548CB73
        APIs
        • GetParent.USER32(?), ref: 00D0071D
        • 73A0A570.USER32(00000000), ref: 00D00726
        • GetClientRect.USER32(?,?), ref: 00D00759
        • GetWindowRect.USER32(?,?), ref: 00D00768
        • ScreenToClient.USER32(00000000,?), ref: 00D00774
        • ScreenToClient.USER32(00000000,?), ref: 00D00784
        • SelectObject.GDI32(?,00000000), ref: 00D007BA
        • 73A14D40.GDI32(?,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00D007EB
        • 73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00D00815
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Client$RectScreen$A570ObjectParentSelectWindow
        • String ID:
        • API String ID: 3512479441-0
        • Opcode ID: 195c53b770ca3f332be5c94dcafeae522b51e28110f86f367b7f258f67b348cd
        • Instruction ID: 65b0de1c45bf9d94cf232bda1ac240cc614e65f8c6495a1d619524ae35ad31ab
        • Opcode Fuzzy Hash: 195c53b770ca3f332be5c94dcafeae522b51e28110f86f367b7f258f67b348cd
        • Instruction Fuzzy Hash: 0931BEB1108305AF9354DF69D988D2BBBF9FB8C745B408A1EF98AD2610D634E804CB62
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F47
        • _com_issue_errorex.COMSUPP ref: 00D22A1F
        • _com_issue_errorex.COMSUPP ref: 00D22AAE
          • Part of subcall function 00D85C00: GetErrorInfo.OLEAUT32(00000000,00000000,?,00D26622,00000000,?,00D968A0,?,HNetCfg.FwRule,00000000), ref: 00D85C50
        • _com_issue_errorex.COMSUPP ref: 00D22ADE
        • _com_issue_errorex.COMSUPP ref: 00D22B0E
        • _com_issue_errorex.COMSUPP ref: 00D22B5A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: _com_issue_errorex$ByteCharMultiWide$ErrorInfo
        • String ID: HNetCfg.FwPolicy2$HNetCfg.FwRule
        • API String ID: 2267157010-590769273
        • Opcode ID: 4dc5ac733c2981104935e0cda66f60e0991f7395a3f4d9f7b98c7d30ad0c2284
        • Instruction ID: 290cc77bf225f1f46e078435ece7b59e4e6843bd39a0a1276714dbe08de669b7
        • Opcode Fuzzy Hash: 4dc5ac733c2981104935e0cda66f60e0991f7395a3f4d9f7b98c7d30ad0c2284
        • Instruction Fuzzy Hash: C6D1A3B1D00258AFCF00EFA4E881AEEBBB4EF68308F54416DF909A7345D6349944CBB1
        APIs
          • Part of subcall function 00D1C650: GetTempPathW.KERNEL32(00000104,?,DFD45DFC,?,?), ref: 00D1C6D8
          • Part of subcall function 00CEB030: std::_String_base::_Xlen.LIBCPMT ref: 00CEB08C
          • Part of subcall function 00D1E5C0: FindResourceW.KERNEL32(00000000,?,?,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E62E
        • Sleep.KERNEL32(00000064,?,00000000), ref: 00CE7832
          • Part of subcall function 00D18F50: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00D18FBD
        • SetForegroundWindow.USER32(?), ref: 00CE7BAE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateFileFindForegroundPathResourceSleepString_base::_TempWindowXlenstd::_
        • String ID: ADMIN-PROXY$ARCHIVE_7Z$addFirewallExceptionCheck$admin-proxy.7z$checked
        • API String ID: 1219432678-629822595
        • Opcode ID: b40814d324192cbe24bcb444b90e2a1bd6896712316df4a0bba46d813606a8a5
        • Instruction ID: 5f899e7db9576b192c636a017b92a341b9bfcb663768c6e8180638abfc5b7bca
        • Opcode Fuzzy Hash: b40814d324192cbe24bcb444b90e2a1bd6896712316df4a0bba46d813606a8a5
        • Instruction Fuzzy Hash: 96E19FB180C3C0AED721EB659845B9FBBE8AF95304F044E1DF49947282EB759548CBB3
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: __aulldiv__aulldvrm
        • String ID: %d%s$%d%s%d%s
        • API String ID: 2518046130-1634263421
        • Opcode ID: a66d8f034f1c04090c3b6f90452ae25661672bce36d5cccd6d44ddaad9144db3
        • Instruction ID: 1bfec1293fd97480a1acbb06e6147d6995d614a8ca581acd2f425babced8c534
        • Opcode Fuzzy Hash: a66d8f034f1c04090c3b6f90452ae25661672bce36d5cccd6d44ddaad9144db3
        • Instruction Fuzzy Hash: F591F4B1908344ABD720EF68D881B5FB7E9EBC5714F44092DF98857281EB75D9048BB3
        APIs
        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00D23AA5
        • WriteFile.KERNEL32(00000000,test data,test data,?,00000000), ref: 00D23B29
        • CloseHandle.KERNEL32(00000000), ref: 00D23B73
        • DeleteFileW.KERNEL32(?), ref: 00D23B84
        • DeleteFileW.KERNEL32(?), ref: 00D23B8F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$Delete$CloseCreateHandleWrite
        • String ID: -tmp-%d.tmp$test data
        • API String ID: 4023221640-3021884096
        • Opcode ID: 73309b1eca8abd9a62375096435dde34049b96e1df772984a1e4392e54bb5364
        • Instruction ID: c9245515f3c8e93a449a223adeaa86c3a35f9a5a079832ff06354e7438ae814a
        • Opcode Fuzzy Hash: 73309b1eca8abd9a62375096435dde34049b96e1df772984a1e4392e54bb5364
        • Instruction Fuzzy Hash: 5E61A2B1508390ABD710DF64EC85B6BB7E8EB95708F44092DF58997241EB38DA08CB73
        APIs
        • CreateNamedPipeW.KERNEL32(?,00000002,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00D04DB2
        • GetLastError.KERNEL32(?,?,\\.\pipe\,00000000,DFD45DFC,?,00000000,0000000F,00000000), ref: 00D04DBC
        • CreateNamedPipeW.KERNEL32(?,00000001,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00D04EA6
        • GetLastError.KERNEL32(?,?,\\.\pipe\,00000000,DFD45DFC,?,00000000,0000000F,00000000), ref: 00D04EB0
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharCreateErrorLastMultiNamedPipeWide
        • String ID: -admin-proxy-pipe-in$-admin-proxy-pipe-out$\\.\pipe\
        • API String ID: 2196609083-801823924
        • Opcode ID: 2aed8f1a8b88815ebd88976e3dc7f9712a7241c0e00796ffd95f9e0b110e0e1d
        • Instruction ID: aba105ef20deb9beb17665510fcadad4d0979da259cd8a20be497ba784e68ad3
        • Opcode Fuzzy Hash: 2aed8f1a8b88815ebd88976e3dc7f9712a7241c0e00796ffd95f9e0b110e0e1d
        • Instruction Fuzzy Hash: F251B2F2508380AFD710EBA4AC81F6BB7E9EB94714F444A2DF59592281DB75D9088B33
        APIs
          • Part of subcall function 00D18C40: CreateToolhelp32Snapshot.KERNEL32 ref: 00D18C62
          • Part of subcall function 00D18C40: Process32FirstW.KERNEL32(00000000,00000010), ref: 00D18C77
        • Sleep.KERNEL32(000003E8,00000000,?,00000000,000000FF), ref: 00D38EAC
        • Sleep.KERNEL32(000003E8), ref: 00D38F75
        • TerminateThread.KERNEL32(?,00000002), ref: 00D38F81
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Sleep$CreateFirstProcess32SnapshotTerminateThreadToolhelp32
        • String ID: ; No fusion process$; Stage: $fusion-bundle.exe$fusion-cancel
        • API String ID: 3243831205-826279003
        • Opcode ID: 4d41ffd3554ba774efc091ba104c88d55a9c5fec1841af72a9b2692098ada2ff
        • Instruction ID: 376ccecaaf3832d0a2d8bd38d9dcaf9fe763b2cc71454f9e2368a1a9621069b2
        • Opcode Fuzzy Hash: 4d41ffd3554ba774efc091ba104c88d55a9c5fec1841af72a9b2692098ada2ff
        • Instruction Fuzzy Hash: A651A1B2908340AFD740EF54E885B6BB7E4AF84704F040A2DF595562C2DB79E948CBB3
        APIs
        • CreateWindowExW.USER32(00000000,Static,00D9A6F4,5000010E,00000172,00000104,000000B2,00000026,?,00000000,00000000,00000000), ref: 00D38220
        • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010), ref: 00D382CD
        • LoadImageW.USER32(00000000), ref: 00D382D4
        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D382E9
          • Part of subcall function 00D1C650: GetTempPathW.KERNEL32(00000104,?,DFD45DFC,?,?), ref: 00D1C6D8
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CreateHandleImageLoadMessageModulePathSendTempWindow
        • String ID: Static$img\install-fusion-en.bmp$img\install-fusion-ru.bmp
        • API String ID: 3001717624-4127920877
        • Opcode ID: 1614eb4020d607483899cbc78a436946d8deddba7732cff3b1cbeb96191be635
        • Instruction ID: 45299509b40353eb926bbfd4bc1ceacd7229e7930742232a8b41a56b9fcf7450
        • Opcode Fuzzy Hash: 1614eb4020d607483899cbc78a436946d8deddba7732cff3b1cbeb96191be635
        • Instruction Fuzzy Hash: 3E3190B1648700BFE720EB68DD06F5B77E8EB84B40F044A09F645A62D1DBB5E8448B76
        APIs
        • CreateWindowExW.USER32(00000000,Static,00D9A744,5000010E,0000006E,00000104,000000B2,00000026,?,00000000,00000000,00000000), ref: 00D3836D
        • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010), ref: 00D3841A
        • LoadImageW.USER32(00000000), ref: 00D38421
        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D38436
          • Part of subcall function 00D1C650: GetTempPathW.KERNEL32(00000104,?,DFD45DFC,?,?), ref: 00D1C6D8
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CreateHandleImageLoadMessageModulePathSendTempWindow
        • String ID: Static$img\cancel-fusion-en.bmp$img\cancel-fusion-ru.bmp
        • API String ID: 3001717624-1370779823
        • Opcode ID: e8990b355148661185909bc00023876c7dbd36a7b2b30cff16f9b9c0c6ad47db
        • Instruction ID: dc54fcebcb7c0e89b974a7e60ffb5ee59b63b2ecd06e79273f8bfe3c63f2cfdc
        • Opcode Fuzzy Hash: e8990b355148661185909bc00023876c7dbd36a7b2b30cff16f9b9c0c6ad47db
        • Instruction Fuzzy Hash: 9E319CB2648340BFE710EB68DC46F6B77E8EB84B40F044909F645A62D1DBB5E8448B76
        APIs
        • OleUninitialize.OLE32 ref: 00D07AE2
        • OleInitialize.OLE32(00000000), ref: 00D07AF0
        • GetWindowTextLengthW.USER32(?), ref: 00D07AF7
        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00D07B4E
        • SetWindowTextW.USER32(?,Function_000B5924), ref: 00D07B5A
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00D07B76
        • GlobalFix.KERNEL32(00000000), ref: 00D07B90
        • GlobalUnWire.KERNEL32(00000000), ref: 00D07BAB
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: GlobalTextWindow$AllocInitializeLengthUninitializeWire
        • String ID:
        • API String ID: 348548121-0
        • Opcode ID: fc37583e848d8580c1016d87d6f306796b6e84b57110c96521760bb8c61263ba
        • Instruction ID: a2709c8b28169287b24db95d88cd41c1cdee22392c751be05c6fe8a2528a4148
        • Opcode Fuzzy Hash: fc37583e848d8580c1016d87d6f306796b6e84b57110c96521760bb8c61263ba
        • Instruction Fuzzy Hash: 68814D75A04205AFDB10EFA4CC85FAFBBB8EF49310F184559E51AEB291DA34AD41CB70
        APIs
        • WSASetLastError.WS2_32(00002726,?,?,?), ref: 00D753C7
        • Sleep.KERNEL32(?,?,?,?), ref: 00D753DA
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastSleep
        • String ID:
        • API String ID: 1458359878-0
        • Opcode ID: 59f2251b62cd19c0ff75dcbd53110a52c282cfce511409fc6e1ed7efcf9285bb
        • Instruction ID: ad562071787f0783f465f1375bc899c798c71aa399ef37ed7b30974b72bb8e4d
        • Opcode Fuzzy Hash: 59f2251b62cd19c0ff75dcbd53110a52c282cfce511409fc6e1ed7efcf9285bb
        • Instruction Fuzzy Hash: A351D5319047054BD734DF68B8806BFB2D9FB84325F588A2EE96DC2184F7B1998587B3
        APIs
        • VariantInit.OLEAUT32(?), ref: 00D0F686
        • VariantClear.OLEAUT32(?), ref: 00D0F6FA
        • VariantInit.OLEAUT32(?), ref: 00D0F734
        • VariantChangeType.OLEAUT32 ref: 00D0F748
        • VariantClear.OLEAUT32(?), ref: 00D0F76F
        • VariantClear.OLEAUT32(?), ref: 00D0F78B
        • VariantClear.OLEAUT32(?), ref: 00D0F7BE
        • VariantClear.OLEAUT32(?), ref: 00D0F7DA
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000001), ref: 00D19C1F
          • Part of subcall function 00D19BF0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,?,00000000,00000000,00000000), ref: 00D19C3E
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Variant$Clear$ByteCharInitMultiWide$ChangeType
        • String ID:
        • API String ID: 3063415910-0
        • Opcode ID: b7e31ff2e0a217ecba47d02cc9e24adb4b3d3301e2d6a95c6f969acb916023fd
        • Instruction ID: a7a92681da455351b6b7d2eaa51bbba082c0b8b2692280b08b890dbdcdf63aa6
        • Opcode Fuzzy Hash: b7e31ff2e0a217ecba47d02cc9e24adb4b3d3301e2d6a95c6f969acb916023fd
        • Instruction Fuzzy Hash: 29617DB26083419FC710DF59DC80A5BB7E8EBD8710F144A2EF599C7290D775E909CBA2
        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D12427
        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?), ref: 00D1243E
        • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 00D12486
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00D124C6
        • RegCloseKey.ADVAPI32(?), ref: 00D124D5
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00D124EB
        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?), ref: 00D124FC
        • RegCloseKey.ADVAPI32(?), ref: 00D12524
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Close$Enum$DeleteOpen
        • String ID:
        • API String ID: 3743465055-0
        • Opcode ID: 9c4810f00108fdc423b5053d2621df94bd4e36ceabc5d46c31f4c3d567646936
        • Instruction ID: 7759307cd6f9076045ad494655705f25bd560a092a3c41003317d458d21b8776
        • Opcode Fuzzy Hash: 9c4810f00108fdc423b5053d2621df94bd4e36ceabc5d46c31f4c3d567646936
        • Instruction Fuzzy Hash: 82411971508200AB8724DF59E884CBBBBE9EBD8750F148A1EF989D3214EA31D944CB76
        APIs
        • SelectObject.GDI32(00000000,?), ref: 00D00149
        • SelectObject.GDI32(00000000,?), ref: 00D00161
        • 73A14D40.GDI32(?,?,?,?,?,00000000,00000000,00000000,008800C6), ref: 00D0018E
        • 73A14D40.GDI32(?,?,?,?,00000000,00000000,00000000,00000000,00EE0086,?,00000000,00000000,00000000,008800C6), ref: 00D001B7
        • SelectObject.GDI32(00000000,?), ref: 00D001C9
        • SelectObject.GDI32(00000000,?), ref: 00D001D1
        • DeleteDC.GDI32(00000000), ref: 00D001DE
        • DeleteDC.GDI32(00000000), ref: 00D001E5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ObjectSelect$Delete
        • String ID:
        • API String ID: 119191458-0
        • Opcode ID: b06cfe2ae77ecdc6b1b064668aaa0dba804b1891fe83f1ba77be5bfb2212cd2c
        • Instruction ID: 5f2198fcb1069fe5096949596dbf2506bbae71636cb65d86e2f2f3d76ef4f403
        • Opcode Fuzzy Hash: b06cfe2ae77ecdc6b1b064668aaa0dba804b1891fe83f1ba77be5bfb2212cd2c
        • Instruction Fuzzy Hash: 9B412771604304BFD650DB68DC84F6BBBECEB88744F14890EFA59D3250C671A90ACBA2
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: A570
        • String ID:
        • API String ID: 2526173095-0
        • Opcode ID: 9b8f385839152bc8e7f56c4fb2f2b3c2fa44c5a7e049b5275824c9a3e20a02d5
        • Instruction ID: c478e53a525f66d3f7e6e9c00e5e420d8e05983bf93d3070f16490abf83e54aa
        • Opcode Fuzzy Hash: 9b8f385839152bc8e7f56c4fb2f2b3c2fa44c5a7e049b5275824c9a3e20a02d5
        • Instruction Fuzzy Hash: 6231CEB1608302AFD315DF28C888B6BBBA8EF95354F04494AF959C7291E770D844CBB1
        APIs
          • Part of subcall function 00D0A900: RtlInitializeCriticalSection.NTDLL ref: 00D0A93B
        • GetModuleHandleW.KERNEL32(00000000), ref: 00D15050
          • Part of subcall function 00D0A8B0: lstrlenW.KERNEL32(?), ref: 00D0A8B6
        • lstrlenW.KERNEL32(?), ref: 00D150B5
          • Part of subcall function 00D12730: RtlEnterCriticalSection.NTDLL(?), ref: 00D1273F
          • Part of subcall function 00D12730: RtlLeaveCriticalSection.NTDLL(?), ref: 00D12750
          • Part of subcall function 00D12730: RtlDeleteCriticalSection.NTDLL(?), ref: 00D12761
        • GetModuleFileNameW.KERNEL32(00CE0000,?,00000104), ref: 00D14FEA
          • Part of subcall function 00D12EC0: RtlEnterCriticalSection.NTDLL(?), ref: 00D12EFC
          • Part of subcall function 00D12EC0: RtlLeaveCriticalSection.NTDLL(?), ref: 00D12F19
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeaveModulelstrlen$DeleteFileHandleInitializeName
        • String ID: Module$Module_Raw$REGISTRY
        • API String ID: 1310854044-549000027
        • Opcode ID: 153fafbaecf29d75340db3cf72c1a6ebc4d9e50abe900138061c8bfcc7147c67
        • Instruction ID: 453932c40619d0b1ec5c9e532c7cd08ec4688a67a28823bd533cb22c2caa6162
        • Opcode Fuzzy Hash: 153fafbaecf29d75340db3cf72c1a6ebc4d9e50abe900138061c8bfcc7147c67
        • Instruction Fuzzy Hash: F7517171508341ABC720EF64E884AEBB7E5FFD8300F44492DF58993255DB3599888BB3
        APIs
        • WaitForSingleObject.KERNEL32(?,00124F80,DFD45DFC,00000000), ref: 00D30170
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ObjectSingleWait
        • String ID: - $Bundle thread has not finished gracefully - $WAIT_ABANDONED$WAIT_FAILED - $WAIT_TIMEOUT
        • API String ID: 24740636-3605145387
        • Opcode ID: 574a59d97f1300f11332e7547d3d8e19ba069955eaf0eaeb2c05fd3a2d781594
        • Instruction ID: 515a2403722d85b45b7896a5765d43e6f007fff5486afbbde335b7bdbea8024f
        • Opcode Fuzzy Hash: 574a59d97f1300f11332e7547d3d8e19ba069955eaf0eaeb2c05fd3a2d781594
        • Instruction Fuzzy Hash: A9519D724083809FD775EB65D895BABBBE8AF94300F44491DF48D83282DB745948CBB3
        APIs
          • Part of subcall function 00D0A900: RtlInitializeCriticalSection.NTDLL ref: 00D0A93B
        • GetModuleHandleW.KERNEL32(00000000), ref: 00D15295
          • Part of subcall function 00D0A8B0: lstrlenW.KERNEL32(?), ref: 00D0A8B6
        • lstrlenW.KERNEL32(?), ref: 00D152FA
          • Part of subcall function 00D12730: RtlEnterCriticalSection.NTDLL(?), ref: 00D1273F
          • Part of subcall function 00D12730: RtlLeaveCriticalSection.NTDLL(?), ref: 00D12750
          • Part of subcall function 00D12730: RtlDeleteCriticalSection.NTDLL(?), ref: 00D12761
        • GetModuleFileNameW.KERNEL32(00CE0000,?,00000104), ref: 00D1522F
          • Part of subcall function 00D12EC0: RtlEnterCriticalSection.NTDLL(?), ref: 00D12EFC
          • Part of subcall function 00D12EC0: RtlLeaveCriticalSection.NTDLL(?), ref: 00D12F19
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeaveModulelstrlen$DeleteFileHandleInitializeName
        • String ID: Module$Module_Raw$REGISTRY
        • API String ID: 1310854044-549000027
        • Opcode ID: 0054138dce1b596b0238409ec55d9f367207928ac43d10f4f8acb9c5c1a50f96
        • Instruction ID: 8e677ed87e67204b24866a221dba5446a7c3bb4e5c818a079e46b108babeca28
        • Opcode Fuzzy Hash: 0054138dce1b596b0238409ec55d9f367207928ac43d10f4f8acb9c5c1a50f96
        • Instruction Fuzzy Hash: F2517E72508341EFC720EF64E8849EFB3E4EBD8300F44492DF59A93154DA7599888B73
        APIs
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00D077F0
        • GetClientRect.USER32(?,?), ref: 00D077FF
        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 00D078BB
        • SetWindowPos.USER32(?,00000000,00000000,?,?,?,00000004), ref: 00D07954
        • CreateRoundRectRgn.GDI32(00000000,00000000,?,?,0000000F,0000000F), ref: 00D0796D
        • SetWindowRgn.USER32(?,00000000,00000001), ref: 00D0797F
        • DeleteObject.GDI32(00000000), ref: 00D0798A
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: RectWindow$ClientCreateDeleteInvalidateObjectRound
        • String ID:
        • API String ID: 1875782647-0
        • Opcode ID: 52b4dc35f32550d12f5858792bb66770b76a7196c22d5afb88be9233a06aa697
        • Instruction ID: 22fa8bc8a3b84763428fb01520bfa3a648558b86b491e53ddbed67032d5e08b8
        • Opcode Fuzzy Hash: 52b4dc35f32550d12f5858792bb66770b76a7196c22d5afb88be9233a06aa697
        • Instruction Fuzzy Hash: AE517035A046019FD715EF68DC89F6677A4EB44310F198558F9899F286CB30FD40CBB1
        APIs
        • ReadFile.KERNEL32(?,?,?,00000000,?,DFD45DFC), ref: 00D066CF
        • GetOverlappedResult.KERNEL32(?,?,?,00000001,?,?,00000000,?,DFD45DFC), ref: 00D066E5
        • GetLastError.KERNEL32(?,?,00000000,?,DFD45DFC), ref: 00D066ED
        • GetOverlappedResult.KERNEL32(?,?,?,00000001,?,?,00000000,?,DFD45DFC), ref: 00D0670A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: OverlappedResult$ErrorFileLastRead
        • String ID: GetOverlappedResult failed: $ReadFile failed:
        • API String ID: 1568971542-2303412416
        • Opcode ID: b0bb36b5ae07b307740f53026fe9edab7c050f017cac3a94cc9b04bda7f1c57b
        • Instruction ID: aa1ec9912e78a5ee0ea939183e4c4deb0fa33066097e8ef7617c3dac95b1c01e
        • Opcode Fuzzy Hash: b0bb36b5ae07b307740f53026fe9edab7c050f017cac3a94cc9b04bda7f1c57b
        • Instruction Fuzzy Hash: 1551BDB2508380AFD721DB25D845BABB7E9FBC5704F044A2EF58987281DB75E414CBB2
        APIs
        • GetOverlappedResult.KERNEL32(000000FF,?,?,00000000,DFD45DFC), ref: 00D06517
        • GetLastError.KERNEL32 ref: 00D06521
          • Part of subcall function 00D1D850: FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,?), ref: 00D1D8DF
          • Part of subcall function 00D1D850: GetLastError.KERNEL32(?,?,?,?), ref: 00D1D8E9
          • Part of subcall function 00D1D850: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1D98E
        • ReadFile.KERNEL32(000000FF,?,00000004,?,?,DFD45DFC), ref: 00D065B1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast$FileFormatIos_base_dtorMessageOverlappedReadResultstd::ios_base::_
        • String ID: GetOverlappedResult failed: $ReadFile failed:
        • API String ID: 4064563933-2303412416
        • Opcode ID: 9b95849f66500128e8f822967aebbef17eadcc6f09307e8ef2e406602afe61fa
        • Instruction ID: 062b69c51da0c34fa6ec3ffe2cf8bee08b9695eab53dd0b2db53e54cf6e1eae2
        • Opcode Fuzzy Hash: 9b95849f66500128e8f822967aebbef17eadcc6f09307e8ef2e406602afe61fa
        • Instruction Fuzzy Hash: AC41D5721087809FD325DF25D841BABB7E8FF94710F544A2EE18A836C1EB35A509CB72
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00D18FBD
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00D18FFF
        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00D19009
        • ReadFile.KERNEL32(00000000,?,0000FFFF,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D19038
        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D1905D
        • CloseHandle.KERNEL32(00000000), ref: 00D19082
        • CloseHandle.KERNEL32(00000000), ref: 00D19085
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$CloseHandle$ByteCharCreateMultiWide$ReadWrite
        • String ID:
        • API String ID: 2626642813-0
        • Opcode ID: 7c6fb325c16cbb42d3ad61970870f1dd36ef02a7c59ee318ab9e296a55d61f03
        • Instruction ID: 131b244fd8f0fec8d83e8909a0da39fe7cf45c6291de94f812270da81d0a6f2e
        • Opcode Fuzzy Hash: 7c6fb325c16cbb42d3ad61970870f1dd36ef02a7c59ee318ab9e296a55d61f03
        • Instruction Fuzzy Hash: 1431D5312403047BE620EB24AC52FEBB3DCEF88710F080619F694A7181DFB5E94897B6
        APIs
          • Part of subcall function 00D385F0: LoadCursorW.USER32(00000000,00007F89), ref: 00D38635
          • Part of subcall function 00D385F0: LoadCursorW.USER32(00000000,00007F00), ref: 00D38643
        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000000), ref: 00D386DD
        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D3872B
        • TranslateMessage.USER32(?), ref: 00D38745
        • DispatchMessageW.USER32(?), ref: 00D3874C
        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D38759
        Strings
        • Fail create Fusion window, xrefs: 00D38675
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Message$CursorLoad$DispatchTranslateWindow
        • String ID: Fail create Fusion window
        • API String ID: 3996691576-1488218302
        • Opcode ID: c3a09c392564e05402462c6b6dc9ab169551cc0b435e0ad220ec434f378187b7
        • Instruction ID: 60b4e265f0489697aa1d0d6cc1e169999f9138aabe7382d6ef3afee530a44c60
        • Opcode Fuzzy Hash: c3a09c392564e05402462c6b6dc9ab169551cc0b435e0ad220ec434f378187b7
        • Instruction Fuzzy Hash: AC314CB1604340AFE310DF69DC46F6BB7E8AB88B04F044A1DF585D7691EB70E9058B75
        APIs
        • SysAllocString.OLEAUT32(?), ref: 00D0C98C
        • SysFreeString.OLEAUT32(00000000), ref: 00D0C9BE
        • SysStringLen.OLEAUT32(?), ref: 00D0C9CF
        • SysStringLen.OLEAUT32(?), ref: 00D0C9DA
        • SysFreeString.OLEAUT32(?), ref: 00D0C9F3
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String$Free$Alloc
        • String ID:
        • API String ID: 986138563-0
        • Opcode ID: 690efd1a738539028132466b8f6bedcae185550f62ab245996a257c06b7173ad
        • Instruction ID: 98473d9505cc87301f6dfcd224b2cf3a22c205c15da8dc1ed16f7f4acdabca94
        • Opcode Fuzzy Hash: 690efd1a738539028132466b8f6bedcae185550f62ab245996a257c06b7173ad
        • Instruction Fuzzy Hash: F0215E72645219ABD310DB99EC80E6BB79CFFC8764F044A1AFA48D7241C675DD018BF1
        APIs
        • FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,?,?), ref: 00D1D8DF
        • GetLastError.KERNEL32(?,?,?,?), ref: 00D1D8E9
        • LocalFree.KERNEL32(?), ref: 00D1D951
        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1D98E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorFormatFreeIos_base_dtorLastLocalMessagestd::ios_base::_
        • String ID: Error code: $FormatMessage error - code
        • API String ID: 3261245394-2103817664
        • Opcode ID: bf66c3567f08cb18a1e6357a13e7f02a01dc61ab0469ccee668edc1d060fd3d9
        • Instruction ID: 27b1cc135f78c2a678a47406af8a1eeb935cdf1773b95ff59861bc271c89450b
        • Opcode Fuzzy Hash: bf66c3567f08cb18a1e6357a13e7f02a01dc61ab0469ccee668edc1d060fd3d9
        • Instruction Fuzzy Hash: 4B31A476508340BBE760EB60EC46FAB77E8AF84704F00491DF68597281EB75A508CB73
        APIs
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF592
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF59F
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF5B0
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF5CB
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF5E6
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF601
        • GetIconInfo.USER32(?,?), ref: 00CFF6C3
        • DeleteObject.GDI32(?), ref: 00CFF705
        • DeleteObject.GDI32(?), ref: 00CFF70C
        • GetIconInfo.USER32(?,?), ref: 00CFF738
        • DeleteObject.GDI32(?), ref: 00CFF75D
        • DeleteObject.GDI32(?), ref: 00CFF764
        • IsWindow.USER32(?), ref: 00CFF76A
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DeleteObject$IconInfo$Window
        • String ID:
        • API String ID: 1247420620-0
        • Opcode ID: 0ddcd2e1db934c505900b629eb036d9d2da9a01d6e50f77a86bba2eb9126ef0b
        • Instruction ID: 86067e147f7c83743ae82bf7954e4fa1612f49154304523b03a6bd386e87abdc
        • Opcode Fuzzy Hash: 0ddcd2e1db934c505900b629eb036d9d2da9a01d6e50f77a86bba2eb9126ef0b
        • Instruction Fuzzy Hash: 12312BB56083069FC354EF29D880A6BB7E4EF98700F00492EF599C7250E771E909CF62
        APIs
          • Part of subcall function 00D67E00: getaddrinfo.WS2_32(?,?,?,?), ref: 00D67E28
          • Part of subcall function 00D67E00: FreeAddrInfoW.WS2_32(?), ref: 00D67F5A
        • WSAGetLastError.WS2_32 ref: 00D57233
        • WSAGetLastError.WS2_32 ref: 00D57239
        • RtlEnterCriticalSection.NTDLL(00000000), ref: 00D57250
        • RtlLeaveCriticalSection.NTDLL ref: 00D5725F
        • send.WS2_32(?,?,00000001,00000000), ref: 00D57290
        • WSAGetLastError.WS2_32 ref: 00D5729A
        • RtlLeaveCriticalSection.NTDLL(?), ref: 00D572A5
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalErrorLastSection$Leave$AddrEnterFreeInfogetaddrinfosend
        • String ID:
        • API String ID: 2807643743-0
        • Opcode ID: 3ac8f8b5a543548a252b99ff429cd041b9eea6231f66f9a50f6075794dca9a1e
        • Instruction ID: ba9496ac8bdec1bd4cf3e2f007c55636bc21a25b4f96a1d18a2d01681be2c2ed
        • Opcode Fuzzy Hash: 3ac8f8b5a543548a252b99ff429cd041b9eea6231f66f9a50f6075794dca9a1e
        • Instruction Fuzzy Hash: B4217CB1204700AFC720DF69DC45A27B7E9EF48705F148A1EF996D3250EA30E9088B75
        APIs
        • CreateWindowExW.USER32(00000000,Static,00D9A784,5000010E,00000296,00000005,0000000D,0000000D,?,00000000,00000000,00000000), ref: 00D384BA
          • Part of subcall function 00D1C650: GetTempPathW.KERNEL32(00000104,?,DFD45DFC,?,?), ref: 00D1C6D8
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • GetModuleHandleW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010), ref: 00D38528
        • LoadImageW.USER32(00000000), ref: 00D3852F
        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D38544
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CreateHandleImageLoadMessageModulePathSendTempWindow
        • String ID: Static$img\close-fusion.bmp
        • API String ID: 3001717624-4147091464
        • Opcode ID: dcd00820cf31ed09aa41a7aa3babe7e221235b9f75f05a8663839e21f3a82108
        • Instruction ID: 93571bab77db8d1a7e51919eb16e49dca2fd3a727272c1b500cb29004a0f0085
        • Opcode Fuzzy Hash: dcd00820cf31ed09aa41a7aa3babe7e221235b9f75f05a8663839e21f3a82108
        • Instruction Fuzzy Hash: A62171B1648300BFE710DF68EC46F5777E8EB48B44F104919F645EA2D0D6B5E4448B76
        APIs
          • Part of subcall function 00D1F5F0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00D1F670
          • Part of subcall function 00D1F5F0: WriteFile.KERNEL32(00000000,--quit-application,--quit-application,?,00000000), ref: 00D1F69B
          • Part of subcall function 00D1F5F0: CloseHandle.KERNEL32(00000000), ref: 00D1F6A2
          • Part of subcall function 00D1F5F0: WaitForSingleObject.KERNEL32(00000000,00002710,?,?,DFD45DFC,00000010,?,?,00000000), ref: 00D1F6D1
          • Part of subcall function 00D1F5F0: TerminateProcess.KERNEL32(00000000,00000001,?,?,DFD45DFC,00000010,?,?,00000000), ref: 00D1F6DE
          • Part of subcall function 00D1F5F0: WaitForSingleObject.KERNEL32(00000000,00002710,?,?,DFD45DFC,00000010,?,?,00000000), ref: 00D1F6F2
        • Sleep.KERNEL32(00000064,?,?,00000000), ref: 00CFE592
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FileObjectSingleWait$CloseCreateHandleProcessSleepTerminateWrite
        • String ID: - $Error while unpacking binaries to $Error while unpacking libs to $Not enough free space in target dir $Unable to write in target dir
        • API String ID: 2827360088-3840011116
        • Opcode ID: 7598e603afe24f3a896d89acff13fadd2e4232391d158424c71bef6487870333
        • Instruction ID: 69c7cf2495c9f4cb3ddde640b88ad3c628e8a85bb46d7bb522d548a473ac5be6
        • Opcode Fuzzy Hash: 7598e603afe24f3a896d89acff13fadd2e4232391d158424c71bef6487870333
        • Instruction Fuzzy Hash: 89D1B0B1509384AFD361EB64E842BBFB7E9EF88704F04491DF18983252EB71A9048773
        APIs
          • Part of subcall function 00D11F00: lstrcmpiW.KERNEL32(?,00004008), ref: 00D11F7E
        • lstrlenW.KERNEL32(?,?), ref: 00D13037
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: lstrcmpilstrlen
        • String ID:
        • API String ID: 3649823140-0
        • Opcode ID: b11029f10ee785be1f2dae7d745b2177936cfc49a7d8069ea0df2644efb5947f
        • Instruction ID: 93e8fb4c3850df2e187ea10c81e5e7f6863514ec28f540da318c5f5890123c49
        • Opcode Fuzzy Hash: b11029f10ee785be1f2dae7d745b2177936cfc49a7d8069ea0df2644efb5947f
        • Instruction Fuzzy Hash: B8918175A00249BBDB24EF64ED85BEE73B5EF58300F144129EA0997280EF749B84C7B5
        APIs
        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?), ref: 00D274FD
        • GetCurrentThreadId.KERNEL32 ref: 00D27532
        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00D275B1
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CreateCurrentFileQueryThreadVirtual
        • String ID:
        • API String ID: 1098341388-0
        • Opcode ID: ddee4860a3e8724bd98cc3d668ddb69db8e0bec1f021ea5d98d2e4005cdc7275
        • Instruction ID: 101d00d8d4a9b251f48a674c58d6732efe286542d2b550584852cf63213cdb6e
        • Opcode Fuzzy Hash: ddee4860a3e8724bd98cc3d668ddb69db8e0bec1f021ea5d98d2e4005cdc7275
        • Instruction Fuzzy Hash: 957116B1508340AFD724CF58D880BABBBE8BFC8714F048A1EF99997391D7759904CB62
        APIs
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,DFD45DFC,?,?,?,?,?,?,?,?,00D8B290,000000FF), ref: 00D14C27
        • FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00D8B290,000000FF), ref: 00D14C45
        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D8B290,000000FF), ref: 00D14D1E
          • Part of subcall function 00D0A980: GetLastError.KERNEL32 ref: 00D0A980
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Library$ErrorFindFreeLastLoadResource
        • String ID:
        • API String ID: 3418355812-0
        • Opcode ID: 3dbbb9b16e8f6c30f4cccb0b5ce5acac87b1c7ac578c91e32183f96f0e52f1ae
        • Instruction ID: 24ba043519687e7937c4aec44fdb6acecef6651588d92cf814594baf7431b78a
        • Opcode Fuzzy Hash: 3dbbb9b16e8f6c30f4cccb0b5ce5acac87b1c7ac578c91e32183f96f0e52f1ae
        • Instruction Fuzzy Hash: 58417FB1501249FBCB20DF54EC45BEEB7B9EF84710F14812AF909AB241DB349A858BB5
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CharNext
        • String ID:
        • API String ID: 3213498283-0
        • Opcode ID: a2432bee5161a542ce1fc89b9e769e32e89796a8cb57e6e3c943faae5ce9f8e9
        • Instruction ID: 6e9af98097b4885542031775adf5a77c42544a7f564f18f97f7b4fc6e1bc1455
        • Opcode Fuzzy Hash: a2432bee5161a542ce1fc89b9e769e32e89796a8cb57e6e3c943faae5ce9f8e9
        • Instruction Fuzzy Hash: 2041B472604311AACB24DF38E8816B7B3E6EFA5710B584465E541CB258EB36D8E1C365
        APIs
        • VerSetConditionMask.NTDLL(00000000,00000000,00000002,?), ref: 00D579E6
        • VerSetConditionMask.NTDLL(00000000,?,00000001,?), ref: 00D579F1
        • VerSetConditionMask.NTDLL(00000000,?,00000020,?), ref: 00D579FC
        • VerSetConditionMask.NTDLL(00000000,?,00000010,?), ref: 00D57A07
        • VerSetConditionMask.NTDLL(00000000,?,00000008,00000001), ref: 00D57A13
        • VerifyVersionInfoA.KERNEL32(?,00000033,00000000), ref: 00D57A1E
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ConditionMask$InfoVerifyVersion
        • String ID:
        • API String ID: 2793162063-0
        • Opcode ID: 9d21360c72424fc97164a8f5f91604b0f15108f2047a5491961f4ba8f0a12df3
        • Instruction ID: a4fda2b9ad030263522e1261a1a2102fd7437fe636a068375dec22a343b9878b
        • Opcode Fuzzy Hash: 9d21360c72424fc97164a8f5f91604b0f15108f2047a5491961f4ba8f0a12df3
        • Instruction Fuzzy Hash: 21314E7160C381ABE621DB689C45B6BBBE8ABD5700F14490EF9D857282CBB595088B73
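The block above is the canonical "is the OS at least version X" check: one VerSetConditionMask call per OSVERSIONINFOEX field, then VerifyVersionInfoA with dwTypeMask 0x33. The following Python is an added example written for this page, not code from the report or from the sample: it reimplements the packing VerSetConditionMask performs (constants from winnt.h; the 3-bit-slot layout follows the public Wine/ReactOS reimplementations of the API) and decodes both the type mask and the packed condition mask, so the 0x33 in the trace can be read without a Windows box. It does not call the real API. Note that the trace logs the fifth VerSetConditionMask call with type 0x8 (VER_PLATFORMID), which the final 0x33 mask does not cover; sandbox argument capture can be offset by a slot, so confirm the exact per-field conditions against the disassembly at 00D579E6 rather than from the logged arguments.

```python
# Added example, not code from the report or the analysed sample: a portable
# reimplementation of how kernel32!VerSetConditionMask packs one comparison
# per OSVERSIONINFOEX field into the 64-bit condition mask, plus decoders for
# the dwTypeMask (0x33 in the VerifyVersionInfoA call in the report) and for
# the packed mask. Constants are from winnt.h; the slot layout follows the
# public Wine/ReactOS reimplementations of the API.

# dwTypeMask flags: which OSVERSIONINFOEX members take part in the comparison
VER_MINORVERSION     = 0x01
VER_MAJORVERSION     = 0x02
VER_BUILDNUMBER      = 0x04
VER_PLATFORMID       = 0x08
VER_SERVICEPACKMINOR = 0x10
VER_SERVICEPACKMAJOR = 0x20
VER_SUITENAME        = 0x40
VER_PRODUCT_TYPE     = 0x80

TYPE_NAMES = {
    VER_MINORVERSION: "VER_MINORVERSION",
    VER_MAJORVERSION: "VER_MAJORVERSION",
    VER_BUILDNUMBER: "VER_BUILDNUMBER",
    VER_PLATFORMID: "VER_PLATFORMID",
    VER_SERVICEPACKMINOR: "VER_SERVICEPACKMINOR",
    VER_SERVICEPACKMAJOR: "VER_SERVICEPACKMAJOR",
    VER_SUITENAME: "VER_SUITENAME",
    VER_PRODUCT_TYPE: "VER_PRODUCT_TYPE",
}

# dwCondition values (the third VerSetConditionMask argument)
VER_EQUAL, VER_GREATER, VER_GREATER_EQUAL, VER_LESS, VER_LESS_EQUAL, VER_AND, VER_OR = range(1, 8)
COND_NAMES = {
    VER_EQUAL: "VER_EQUAL", VER_GREATER: "VER_GREATER",
    VER_GREATER_EQUAL: "VER_GREATER_EQUAL", VER_LESS: "VER_LESS",
    VER_LESS_EQUAL: "VER_LESS_EQUAL", VER_AND: "VER_AND", VER_OR: "VER_OR",
}

# Each field owns a 3-bit slot in the condition mask; the slot index equals
# the bit position of its type flag (minor=0, major=1, ..., product type=7).
_SLOT = {flag: flag.bit_length() - 1 for flag in TYPE_NAMES}


def ver_set_condition_mask(cond_mask, type_mask, condition):
    """Portable equivalent of VerSetConditionMask(cond_mask, type_mask, condition)."""
    condition &= 0x7
    if type_mask == 0 or condition == 0:
        return cond_mask
    # The API honours one type flag per call; like the public
    # reimplementations, take the highest one if several are set.
    for flag in sorted(_SLOT, reverse=True):
        if type_mask & flag:
            return cond_mask | (condition << (3 * _SLOT[flag]))
    return cond_mask  # only unknown bits were set


def decode_type_mask(type_mask):
    """Names of the fields selected by a dwTypeMask, lowest bit first."""
    return [TYPE_NAMES[f] for f in sorted(TYPE_NAMES) if type_mask & f]


def decode_condition_mask(cond_mask):
    """Map each field that has a condition in the packed mask to its operator name."""
    out = {}
    for flag in sorted(_SLOT):
        cond = (cond_mask >> (3 * _SLOT[flag])) & 0x7
        if cond:
            out[TYPE_NAMES[flag]] = COND_NAMES[cond]
    return out


def greater_equal_mask(type_mask):
    """Build the mask an 'OS version >= X' check uses: VER_GREATER_EQUAL on every
    field named in type_mask, one VerSetConditionMask call per field (the same
    shape as the five calls preceding VerifyVersionInfoA in the report)."""
    mask = 0
    for flag in sorted(TYPE_NAMES):
        if type_mask & flag:
            mask = ver_set_condition_mask(mask, flag, VER_GREATER_EQUAL)
    return mask


if __name__ == "__main__":
    print(decode_type_mask(0x33))
    packed = greater_equal_mask(0x33)
    print(hex(packed), decode_condition_mask(packed))
```

A dwTypeMask of 0x33 selects major version, minor version and both service-pack fields; with VER_GREATER_EQUAL on each, the packed mask the real API would return is 0x1B01B. The same decoder works on any condition mask recovered from a register dump, which is usually the quicker way to confirm what a sample is gating on.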
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DeleteObject
        • String ID:
        • API String ID: 1531683806-0
        • Opcode ID: 665ad8fc6f4c07ae16bc53ae8cd935ad120c554d96367815fafe6220404f0f6a
        • Instruction ID: 36435721f5bcb0790f28c44740832d23db56e3fca2eed82c7f06f813735944d9
        • Opcode Fuzzy Hash: 665ad8fc6f4c07ae16bc53ae8cd935ad120c554d96367815fafe6220404f0f6a
        • Instruction Fuzzy Hash: 5D3146B5906B459FD7A0DF798888BA7B7E4AF44340F24893ED2AEC6210DB31A541DF21
        APIs
        • ClientToScreen.USER32(?,?), ref: 00D0AE56
        • ClientToScreen.USER32(?,?), ref: 00D0AE65
        • GetParent.USER32(?), ref: 00D0AE6B
        • ScreenToClient.USER32(00000000,?), ref: 00D0AE84
        • ScreenToClient.USER32(00000000,?), ref: 00D0AE90
        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00D0AEB1
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClientScreen$MoveParentWindow
        • String ID:
        • API String ID: 2420994850-0
        • Opcode ID: 3d19fa9d68b4d96d0380cedcbbb8dcb52e3d3781855e0324c1096e498a31cd8e
        • Instruction ID: 8a5ebd8a95f82916c410753fcdeb3c05b797416adccc64912576cf396b51b1fd
        • Opcode Fuzzy Hash: 3d19fa9d68b4d96d0380cedcbbb8dcb52e3d3781855e0324c1096e498a31cd8e
        • Instruction Fuzzy Hash: 4A21C3B6608312AFD704DF69D894D6BB7E9FB88310F04891EF958C7354E770E9058BA2
        APIs
        • RtlEnterCriticalSection.NTDLL(?), ref: 00D2702B
        • RtlLeaveCriticalSection.NTDLL(?), ref: 00D2703B
        • GetCurrentThreadId.KERNEL32 ref: 00D27049
        • ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 00D27074
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D27083
        • RtlLeaveCriticalSection.NTDLL ref: 00D270AE
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$Leave$CurrentEnterObjectReleaseSemaphoreSingleThreadWait
        • String ID:
        • API String ID: 1205197067-0
        • Opcode ID: bef96c56a445f00485d14b0b548cde8c85c0da83e5c6150a879b1d939f039e7d
        • Instruction ID: cd69d0890fd597faaaf0a724ffe1e665961b9080b95ad23f864d956b74fbaab1
        • Opcode Fuzzy Hash: bef96c56a445f00485d14b0b548cde8c85c0da83e5c6150a879b1d939f039e7d
        • Instruction Fuzzy Hash: 2501E572106B00ABE3609F34E858BD7BBE5BB99711F004A0EE2AA93390C7746449CB61
        Strings
        • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00D66373
        • Immediate connect fail for %s: %s, xrefs: 00D665B0
        • Trying %s:%ld..., xrefs: 00D6639E
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastclosesockethtons
        • String ID: Trying %s:%ld...$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
        • API String ID: 94965660-2530429013
        • Opcode ID: 29d087cf5cffb7062367012a349b38fe14c5cdee913acd3ab1175a859d6e4de2
        • Instruction ID: 1c506cbbcd69e27a7cd95e2135bc65747ba3697d1b27f9b26fba586f23833355
        • Opcode Fuzzy Hash: 29d087cf5cffb7062367012a349b38fe14c5cdee913acd3ab1175a859d6e4de2
        • Instruction Fuzzy Hash: F09152715043409FD724EF64DC82BAF73E9EF88314F48492EF94A86245EA75E944CBB2
        APIs
        • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00D24191
        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 00D24240
          • Part of subcall function 00D1A5F0: RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,0000000F,00000000,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1A650
        Strings
        • SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules, xrefs: 00D24117
        • (?i), xrefs: 00D241CF
        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00D24068
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Open$EnumValue
        • String ID: (?i)$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
        • API String ID: 3377321004-1116535974
        • Opcode ID: d31f1a50de8b05f00e2fdf609f96c5ec49daa51dc28ecd168c2511ee00a9e728
        • Instruction ID: e33399fd70e48d1be25b97e917f0be6df66d74f46d506c3ded802cadd15befee
        • Opcode Fuzzy Hash: d31f1a50de8b05f00e2fdf609f96c5ec49daa51dc28ecd168c2511ee00a9e728
        • Instruction Fuzzy Hash: 5291ABB1548380DFD320EB64E845BABBBE8AFA5304F04491DF59987252EBB49548CB73
        APIs
          • Part of subcall function 00D75360: WSASetLastError.WS2_32(00002726,?,?,?), ref: 00D753C7
        • WSASetLastError.WS2_32(?), ref: 00D66AFD
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D66BD8
        Strings
        • Failed to connect to %s port %ld: %s, xrefs: 00D66D3D
        • L', xrefs: 00D66A40
        • After %I64dms connect time, move on!, xrefs: 00D66A32
        • connect to %s port %ld failed: %s, xrefs: 00D66B43
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast$Unothrow_t@std@@@__ehfuncinfo$??2@
        • String ID: After %I64dms connect time, move on!$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
        • API String ID: 1894359853-2124111555
        • Opcode ID: 565b98beefb4b01d9b6dcebd2cd6a7fd713b657f41481a85e29cf053e61fbab1
        • Instruction ID: 5e63f6c4b02c651361a582ed51a81f6d27e8e6b184c781df8a65f8a5ff14aed6
        • Opcode Fuzzy Hash: 565b98beefb4b01d9b6dcebd2cd6a7fd713b657f41481a85e29cf053e61fbab1
        • Instruction Fuzzy Hash: 79717F71A047409FD724DF58C885AABB7E5EF88310F188A1DF8589B391DB70E944CFA2
        APIs
        • GetClassInfoExW.USER32(00000000,?,?), ref: 00D0EDFC
        • GetClassInfoExW.USER32(?,?,?), ref: 00D0EE0F
        • LoadCursorW.USER32(?,?), ref: 00D0EE51
          • Part of subcall function 00D08920: RtlEnterCriticalSection.NTDLL ref: 00D08926
          • Part of subcall function 00D08C40: RtlLeaveCriticalSection.NTDLL ref: 00D08C4C
        • GetClassInfoExW.USER32(?,00000000,?), ref: 00D0EE99
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClassInfo$CriticalSection$CursorEnterLeaveLoad
        • String ID: 0
        • API String ID: 158815643-4108050209
        • Opcode ID: 4c12665dc034bcf706fd287f702c34f19eaca0f15715a4bab3c7f19c5b1ea88c
        • Instruction ID: f891f8c4a9edb5b9742d15ed1b3b52693b1967c9e6968f85063ebb6b099aa7f4
        • Opcode Fuzzy Hash: 4c12665dc034bcf706fd287f702c34f19eaca0f15715a4bab3c7f19c5b1ea88c
        • Instruction Fuzzy Hash: A2513475604349DBDB24CF25D840BAAB7E5FF88754F044A1DF98993380EB35E944CBA2
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F47
        • SetErrorMode.KERNEL32(00000001,?,00000000,00000044,DFD45DFC), ref: 00D1ED26
        • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D1ED49
        • WaitForSingleObject.KERNEL32(?,000001F4), ref: 00D1ED62
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00D1ED72
          • Part of subcall function 00D1E6B0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1E742
          • Part of subcall function 00CEAD10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAD4A
          • Part of subcall function 00CEAD10: std::_String_base::_Xlen.LIBCPMT ref: 00CEAD61
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$ProcessString_base::_Xlenstd::_$CodeCreateErrorExitIos_base_dtorModeObjectSingleWaitstd::ios_base::_
        • String ID: Process error:
        • API String ID: 2137553366-788130964
        • Opcode ID: 3fc3880d2266403a029735f6418e2826b06dc5ce00d4351ce79f0084b88e31b0
        • Instruction ID: d0fb4d8102be1ba27e0bf29f1c25dfc6e74d080912e32acc5289b0cb6a243726
        • Opcode Fuzzy Hash: 3fc3880d2266403a029735f6418e2826b06dc5ce00d4351ce79f0084b88e31b0
        • Instruction Fuzzy Hash: FF41B3B1108381AFD725EB55DC85FAFB7ECEB94700F044A1DF54992281DE74E94887B2
        APIs
        • CertFreeCRLContext.CRYPT32(?), ref: 00D6C8C8
        Strings
        • SSL: public key does not match pinned public key!, xrefs: 00D6C8B0
        • SSL: failed retrieving public key from server certificate, xrefs: 00D6C8E8
        • Z, xrefs: 00D6C7F6
        • schannel: Failed to read remote certificate context: %s, xrefs: 00D6C903
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CertContextFree
        • String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$Z$schannel: Failed to read remote certificate context: %s
        • API String ID: 3569843879-3483829282
        • Opcode ID: 49ccf75de4e88b878af26d025753f5f6238805b318bcf40cc6a2a9ab12a1270d
        • Instruction ID: 0cc57695d94edf61f616bf3c1306c9002a4509176b7d6814199dc51d9d8cf183
        • Opcode Fuzzy Hash: 49ccf75de4e88b878af26d025753f5f6238805b318bcf40cc6a2a9ab12a1270d
        • Instruction Fuzzy Hash: 29318172615301ABE734EB24DC55E7B77A9EF88300F44861DF88997241EB75E900CBB2
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 00CEC16C
        • std::_Lockit::_Lockit.LIBCPMT ref: 00CEC192
        • std::_Lockit::_Lockit.LIBCPMT ref: 00CEC23E
        • std::locale::facet::facet_Register.LIBCPMT ref: 00CEC259
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: LockitLockit::_std::_$Registerstd::locale::facet::facet_
        • String ID: bad cast
        • API String ID: 3345047611-3145022300
        • Opcode ID: fbb591867993e69ba49ded8fa9f0da68ec5689cec094bc32133358cc49b951d7
        • Instruction ID: ef912eecbfd244a7fb887a3b463c2a6632e950bd4bc2ba412b58371379042382
        • Opcode Fuzzy Hash: fbb591867993e69ba49ded8fa9f0da68ec5689cec094bc32133358cc49b951d7
        • Instruction Fuzzy Hash: BD31AE71504780DFCB24EF19D891B6AB7A4FF54720F40061DF962972A2DB34E946CBB2
        APIs
        • std::_Lockit::_Lockit.LIBCPMT ref: 00CEB62C
        • std::_Lockit::_Lockit.LIBCPMT ref: 00CEB652
        • std::_Lockit::_Lockit.LIBCPMT ref: 00CEB6FE
        • std::locale::facet::facet_Register.LIBCPMT ref: 00CEB719
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: LockitLockit::_std::_$Registerstd::locale::facet::facet_
        • String ID: bad cast
        • API String ID: 3345047611-3145022300
        • Opcode ID: 5465a85cd001d092b4e797ab6ce83d572f96a5fb567ff4d7eede8e505525f0cb
        • Instruction ID: c9edd284bf1289abb6a6d9e4cf17ec99f7be8417c6e97aa78000a8b10d0286c5
        • Opcode Fuzzy Hash: 5465a85cd001d092b4e797ab6ce83d572f96a5fb567ff4d7eede8e505525f0cb
        • Instruction Fuzzy Hash: E531BD71408781DFDB18EF15D891B6BB7A4FB94320F000A2DF866972A1DB34AD44CBB2
        APIs
        • GetWindowRect.USER32(?), ref: 00D38ACB
          • Part of subcall function 00D37E20: LoadLibraryW.KERNEL32(?), ref: 00D37F85
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: LibraryLoadRectWindow
        • String ID: 1.50$Fail init Fusion dll$b6NjbxrNFzBuonxVAJ9NYjamf1YPkktbBfEkYyDO$mg14
        • API String ID: 2609908848-1128788587
        • Opcode ID: 61de5a1fcddfe74999cc3c20701380e422c6238ea592ccd0bd332ff5067e5899
        • Instruction ID: cfda577ef67db8c26c9fc8feef25fe0a3ea4c5a6b6c22b48d93f537e4a842f71
        • Opcode Fuzzy Hash: 61de5a1fcddfe74999cc3c20701380e422c6238ea592ccd0bd332ff5067e5899
        • Instruction Fuzzy Hash: 2631DFB2204341EFD700DF28C986B56BBE4FB44714F480929F445AB2D2DB74E908DBB2
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • CreateEventW.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00D24C63
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00D24C6B
        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00D24C7B
        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,-install-event), ref: 00D24C84
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$CloseCreateErrorEventHandleLastObjectSingleWait
        • String ID: -install-event
        • API String ID: 2894420377-3182879268
        • Opcode ID: e1bfdf22a16d7e0e3d5b654587e972a88aede5c3c206d58f9f296cd4958e12aa
        • Instruction ID: 4f8ec495a493e37d6ad34eaaa0aa36ee2529919ca54c6641abf7480e9cefd7cf
        • Opcode Fuzzy Hash: e1bfdf22a16d7e0e3d5b654587e972a88aede5c3c206d58f9f296cd4958e12aa
        • Instruction Fuzzy Hash: 6D11D0B1408340BFD700EB28EC86B6B7BE8EB58714F104A19F859E22D0EB79D4448B72
        APIs
        • setsockopt.WS2_32(?,0000FFFF,00000008,00000004,00000004), ref: 00D65381
        • WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 00D653F7
        • WSAGetLastError.WS2_32(?,?), ref: 00D65401
        Strings
        • Failed to set SO_KEEPALIVE on fd %d, xrefs: 00D6538C
        • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00D65409
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorIoctlLastsetsockopt
        • String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
        • API String ID: 1819429192-277924715
        • Opcode ID: 318524e2f9600815051cb44f181d65cc5a21c72c11cf715d39d35abd57f4643b
        • Instruction ID: 7eb364fb3a3d914a2b16f27c1fbe4c63ceae4a586d0f700242d8c04daf031f06
        • Opcode Fuzzy Hash: 318524e2f9600815051cb44f181d65cc5a21c72c11cf715d39d35abd57f4643b
        • Instruction Fuzzy Hash: 8C1142B1A447017BE310EBB49D06F2B7AE8EF94B00F40492DB549D62C1EBB496048772
        APIs
        • CoInitialize.OLE32(00000000), ref: 00CFD551
          • Part of subcall function 00D1A390: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000010,00000001,0000000F,00000000), ref: 00D1A41C
        Strings
        • Unable to create uninstaller shortcut in programm group - , xrefs: 00CFDB4B
        • Unable to create shortcut on desktop - , xrefs: 00CFD671
        • Unable to create shortcut in all programms - , xrefs: 00CFD7DB
        • Unable to create shortcut in programm group - , xrefs: 00CFD945
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FolderInitializePathSpecial
        • String ID: Unable to create shortcut in all programms - $Unable to create shortcut in programm group - $Unable to create shortcut on desktop - $Unable to create uninstaller shortcut in programm group -
        • API String ID: 2677077979-120842546
        • Opcode ID: d7c16440557c188ade3da5561d33d76ba114daba7decdd344a1e9445a1f1f84c
        • Instruction ID: 37ad25df6b56afb11d0529b4cc6615674b4c3cada846dc9af29fa1aa535ae82e
        • Opcode Fuzzy Hash: d7c16440557c188ade3da5561d33d76ba114daba7decdd344a1e9445a1f1f84c
        • Instruction Fuzzy Hash: A81260B18093C0AED351EB649881A6FBBE9AFD9704F444D1EF1C943212EA359548CB73
        APIs
          • Part of subcall function 00D1AEB0: GetTempPathW.KERNEL32(00000104,?,DFD45DFC,00000000,00000000), ref: 00D1AF38
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00D187FF
        • GetLastError.KERNEL32 ref: 00D18810
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D188A8
        • SetEndOfFile.KERNEL32(00000000), ref: 00D188AF
        • CloseHandle.KERNEL32(00000000), ref: 00D188B6
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: File$ByteCharMultiWide$CloseCreateErrorHandleLastPathTempWrite
        • String ID:
        • API String ID: 1912570573-0
        • Opcode ID: 4b4f00ca4d9981959bd454e22cad00d464adb4c73d527d4858bae8a7171d72f2
        • Instruction ID: ce80b48770b1990d09a9cc1ee12d3949137eb82192d1cf83a8038e2427d0f368
        • Opcode Fuzzy Hash: 4b4f00ca4d9981959bd454e22cad00d464adb4c73d527d4858bae8a7171d72f2
        • Instruction Fuzzy Hash: F08191B5508380AFD721EB54E889BEBB7E8EB99304F14091DF58987281DF35A944CB73
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastSleep
        • String ID:
        • API String ID: 1458359878-0
        • Opcode ID: 10ff49c567e9db3aea203ed2c9b04eef21fd16d4cd7db87bfee61b8f00baa815
        • Instruction ID: df770b9eb26ee0599591ca7352a9f1d2615f568b34fcb8450f0fd40e2069c5e4
        • Opcode Fuzzy Hash: 10ff49c567e9db3aea203ed2c9b04eef21fd16d4cd7db87bfee61b8f00baa815
        • Instruction Fuzzy Hash: 2151C474504B058BC739DF28F8846AEB3D5FF84320F94892DD59D82184F7B599858BB3
        APIs
        • Sleep.KERNEL32(000003E8,DFD45DFC), ref: 00CF965C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Sleep
        • String ID: back$close$currentState$skip
        • API String ID: 3472027048-4238961454
        • Opcode ID: 5fa3c9aa65f75a5eb38f5ea98de5ead580e291b85e5e73217a149190e0f4fd46
        • Instruction ID: caa5b28e977ff90a2109d726ee313a0346686d7f1d269f6509a1747aaf89d4a1
        • Opcode Fuzzy Hash: 5fa3c9aa65f75a5eb38f5ea98de5ead580e291b85e5e73217a149190e0f4fd46
        • Instruction Fuzzy Hash: C95179B1908384AFCB50EF659881B6BFBE8BF95740F40491EF58587291DB74D508CB63
        APIs
        • CreateToolhelp32Snapshot.KERNEL32 ref: 00D18C62
        • Process32FirstW.KERNEL32(00000000,00000010), ref: 00D18C77
        • Process32NextW.KERNEL32(00000000,?), ref: 00D18CF8
        • Process32NextW.KERNEL32(00000000,?), ref: 00D18D53
        • CloseHandle.KERNEL32(00000000,00000010,?), ref: 00D18D5D
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
        • String ID:
        • API String ID: 2284531361-0
        • Opcode ID: abb2f98dbb66343d29ca38b0c5f9ca325f05049394fe45331123f6f8228ab7d0
        • Instruction ID: aaf08245e8654262d300249d4336cab487d63c43bddd9b5ecb76c83f3e314ece
        • Opcode Fuzzy Hash: abb2f98dbb66343d29ca38b0c5f9ca325f05049394fe45331123f6f8228ab7d0
        • Instruction Fuzzy Hash: 4431F6762043817AC721EF34A891BFB77AB9FE5310F484659F885C7181EF26C94993B2
        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,DFD45DFC,DFD45DFC), ref: 00D1947D
        • RegEnumKeyW.ADVAPI32 ref: 00D194BE
        • RegCloseKey.ADVAPI32(?), ref: 00D194EE
          • Part of subcall function 00D19440: RegEnumKeyW.ADVAPI32(?,00000000,00000000,000003E8), ref: 00D194E3
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00D19503
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Enum$CloseDeleteOpen
        • String ID:
        • API String ID: 2095303065-0
        • Opcode ID: 079fb724925caadac3087e515a33080d7c11de97192e9ba53930a5949d83d170
        • Instruction ID: d67a492fa6f4a9ca88730b0cc7dc7cd06c8ec5b5ef89c06da392738d1ccf7625
        • Opcode Fuzzy Hash: 079fb724925caadac3087e515a33080d7c11de97192e9ba53930a5949d83d170
        • Instruction Fuzzy Hash: 1421D272644304BBD611AF15FC41F6BB7DCEB84B55F04062AF949A3281DA29E909C7B2
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Focus$ChildWindow
        • String ID:
        • API String ID: 501040988-0
        • Opcode ID: 5cf72a7a0ddcd8cc9410abdca301664cec3827c249c280616c688942912cc668
        • Instruction ID: 94bb8a8b62a9c351f229c417a439c4a92a84efa5a7cc4ab7391072967a24b0a2
        • Opcode Fuzzy Hash: 5cf72a7a0ddcd8cc9410abdca301664cec3827c249c280616c688942912cc668
        • Instruction Fuzzy Hash: 7C31E7B5214701AFD724CF64C885B2BB7E8FB89714F148A0DE5AAC77A0D774E844CB61
        APIs
        • RtlEnterCriticalSection.NTDLL(?), ref: 00D0DB08
        • GetCurrentThreadId.KERNEL32 ref: 00D0DB15
        • RtlLeaveCriticalSection.NTDLL(?), ref: 00D0DB2F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalSection$CurrentEnterLeaveThread
        • String ID:
        • API String ID: 2351996187-0
        • Opcode ID: 2dfdc812de76b067f70271a6ac5d1864031a84c83f5eb5e0188e5cba9b1c11e0
        • Instruction ID: 79bc56adba2fc5c8c7b626761b0bcb8ff4844ab10dc30b0aae3042afa6bd3c08
        • Opcode Fuzzy Hash: 2dfdc812de76b067f70271a6ac5d1864031a84c83f5eb5e0188e5cba9b1c11e0
        • Instruction Fuzzy Hash: 4B01AD33305714AFC320DF59E880A66F3A9FF98724305862FE94AD3615C731B851CBA4
        APIs
        • RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00D0DA92
        • GetCurrentThreadId.KERNEL32 ref: 00D0DAAC
        • RtlEnterCriticalSection.NTDLL(?), ref: 00D0DAB9
        • RtlLeaveCriticalSection.NTDLL(?), ref: 00D0DAC9
        • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00D0DAE0
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CriticalExceptionRaiseSection$CurrentEnterLeaveThread
        • String ID:
        • API String ID: 2580436124-0
        • Opcode ID: 6a2b2db7fefb08c40506202ac74bef311edcf150dc370af9d40c0120b7387f7a
        • Instruction ID: 500128e57a123cfbd78e12f2025ec1316a926ce4129e950a485ee9610a5ec396
        • Opcode Fuzzy Hash: 6a2b2db7fefb08c40506202ac74bef311edcf150dc370af9d40c0120b7387f7a
        • Instruction Fuzzy Hash: D5F03C71A01701BBDB209F659C88B17B7ADEF55B11F05841FB645E7290C7B098148B71
        APIs
        • GetSysColor.USER32(0000000F), ref: 00CFF52C
        • GetSysColor.USER32(00000012), ref: 00CFF533
        • GetSysColor.USER32(0000000F), ref: 00CFF53A
        • GetSysColor.USER32(00000012), ref: 00CFF541
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00CFF555
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Color$InvalidateRect
        • String ID:
        • API String ID: 1573920590-0
        • Opcode ID: 98d0b4fc1b562a62e6c059b71955cbc029dabe982c86d469e187520fbf521c41
        • Instruction ID: 7b58cf1f602019a133c4fa1d038ba265a358e53a00e5488d238291de2f73752b
        • Opcode Fuzzy Hash: 98d0b4fc1b562a62e6c059b71955cbc029dabe982c86d469e187520fbf521c41
        • Instruction Fuzzy Hash: 93E0C971A40754AAE730AB769C09B97BBA4AB80B10F05482AE2858BA91D6B6E4419F50
        APIs
        • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00D793E6
        • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00D79402
        Strings
        • Failed to alloc scratch buffer!, xrefs: 00D792FB
        • We are completely uploaded and fine, xrefs: 00D7947E
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Ioctlsetsockopt
        • String ID: Failed to alloc scratch buffer!$We are completely uploaded and fine
        • API String ID: 1903391676-607151321
        • Opcode ID: 0060558045285a4e5741d4222e585457d968563203b029869178242d15cc0e86
        • Instruction ID: e2223275b3e23142e1dc319c63c29bcd88534d169d47d0265220ca49a11552e6
        • Opcode Fuzzy Hash: 0060558045285a4e5741d4222e585457d968563203b029869178242d15cc0e86
        • Instruction Fuzzy Hash: 59B19BB2600B019FD324DF34C895BA7B7E4FF85315F58892DE4AE86292E730B945CB61
        APIs
          • Part of subcall function 00D19670: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,000000FF,?,?,?,00D92949,00000000,DFD45DFC,0000000F,00000000,00000010,00000000), ref: 00D1969C
        • AllowSetForegroundWindow.USER32(000000FF), ref: 00CE7559
          • Part of subcall function 00CEB030: std::_String_base::_Xlen.LIBCPMT ref: 00CEB08C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AllowAttributesFileForegroundString_base::_WindowXlenstd::_
        • String ID: --installer$--test$Error launching soft -
        • API String ID: 1630284597-260646120
        • Opcode ID: 0f099c7f06870b574188ec8da42cce39659582509a7b57d2b968ac676de480dd
        • Instruction ID: 5348ede4959324b339f429c802b82682c8c7a739299386f1fc9c53ecd5fe5c9b
        • Opcode Fuzzy Hash: 0f099c7f06870b574188ec8da42cce39659582509a7b57d2b968ac676de480dd
        • Instruction Fuzzy Hash: 325180B2408380ABD721EB65E842B6BB7E8BF95704F504E2DF49587252EB35D508CB73
        APIs
          • Part of subcall function 00D18C40: CreateToolhelp32Snapshot.KERNEL32 ref: 00D18C62
          • Part of subcall function 00D18C40: Process32FirstW.KERNEL32(00000000,00000010), ref: 00D18C77
        • CreateThread.KERNEL32(00000000,00000000,Function_00059EA0,?,00000000,?), ref: 00D3A20E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Create$FirstProcess32SnapshotThreadToolhelp32
        • String ID: Fail create server pipe: $Fusion is already runing$fusion-bundle.exe
        • API String ID: 950523040-1335275362
        • Opcode ID: 9863b7e41a1fd7b7f567011a7850565861e183e16ca4562ad0d1e4b6d8cbdf0e
        • Instruction ID: 7f0497d413979f40e456e63a5f28c9e1fb985f3fce148e7294a02a3b6f710384
        • Opcode Fuzzy Hash: 9863b7e41a1fd7b7f567011a7850565861e183e16ca4562ad0d1e4b6d8cbdf0e
        • Instruction Fuzzy Hash: 5711DF72544740AFD720EB28CC42BA773E4FB08720F000B1DF4A6922C1EBB4A5488BB3
        APIs
          • Part of subcall function 00D04AF0: WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,WIN7_ADD_FW_RULE,00000010), ref: 00D04B5F
          • Part of subcall function 00D04AF0: WriteFile.KERNEL32 ref: 00D04B7B
        • DisconnectNamedPipe.KERNEL32(?,DFD45DFC), ref: 00D04CA6
        • CloseHandle.KERNEL32(?), ref: 00D04CB8
        • CloseHandle.KERNEL32(?), ref: 00D04CC4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CloseFileHandleWrite$DisconnectNamedPipe
        • String ID: TERMINATE
        • API String ID: 3910351949-676853503
        • Opcode ID: bf95ab9c038268eabe09b7f70ace826c6adedbf32589c90b0e47cf927f2a3ebd
        • Instruction ID: 5180a7d5545dcc067ac65461602208d172512a49652e045da1b9afe8b6c283ed
        • Opcode Fuzzy Hash: bf95ab9c038268eabe09b7f70ace826c6adedbf32589c90b0e47cf927f2a3ebd
        • Instruction Fuzzy Hash: A51163B55487419FD314DF29D881B17BBE8FB88710F404A1EF5A693791D734E4488B61
        APIs
          • Part of subcall function 00D61220: recv.WS2_32(?,?,?,00000000), ref: 00D612AF
        • send.WS2_32(?,?,?,00000000), ref: 00D6131C
        • WSAGetLastError.WS2_32(?,?), ref: 00D6132F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLastrecvsend
        • String ID: EncryptMessage$Send failure: %s
        • API String ID: 3418755260-327157101
        • Opcode ID: 13bf868ab92ef604ddc3f0fe9b03e95b35620d444b6f34b224dc0b9b6a8fb23b
        • Instruction ID: d14d287d6aa5c091aeb3af3b652197ec7c04b259a59f1b16a2782cf82683be15
        • Opcode Fuzzy Hash: 13bf868ab92ef604ddc3f0fe9b03e95b35620d444b6f34b224dc0b9b6a8fb23b
        • Instruction Fuzzy Hash: AE115E752042409FC730EF68DC85BAAB7E8EB8D310F444619E689D7391D6B4A8448BB2
        APIs
        • MonitorFromPoint.USER32(?,?,00000000), ref: 00D08808
        • MonitorFromPoint.USER32(?,?,00000002), ref: 00D08812
        • GetMonitorInfoW.USER32 ref: 00D0884C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Monitor$FromPoint$Info
        • String ID: (
        • API String ID: 1942056148-3887548279
        • Opcode ID: d566711dfbf328bbcd1f65ad7d5d168a8163fc89290b2c497dd90a58087387ba
        • Instruction ID: 9e17fadcf0a76e11385939e7fc272f13cf5704d82a58764df36435d14c61749d
        • Opcode Fuzzy Hash: d566711dfbf328bbcd1f65ad7d5d168a8163fc89290b2c497dd90a58087387ba
        • Instruction Fuzzy Hash: 8B01ED71909341AFC314DF5AA880A4BBBE4EB8C750F84452EF589E3350D774DA448BAA
        APIs
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00CFFAD7
        • lstrlenW.KERNEL32(?), ref: 00CFFAE7
        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000003), ref: 00CFFAFF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ExecuteInvalidateRectShelllstrlen
        • String ID: open
        • API String ID: 2238680937-2758837156
        • Opcode ID: 25bbd497aed675e4cfac4f07bb27891c0cf86c8d9d9081fa22c1259dec6e3d60
        • Instruction ID: 2bd5319a7a2e8f475ae39d8d0941ec1f3eda0acf9915a6b4ab96eff95eedf621
        • Opcode Fuzzy Hash: 25bbd497aed675e4cfac4f07bb27891c0cf86c8d9d9081fa22c1259dec6e3d60
        • Instruction Fuzzy Hash: D5F0E2353453007EE7918B349CC9FD22B56CF16B19F521009B204EB1D2D186950FC7F0
        APIs
        • GetParent.USER32(DFD45DFC), ref: 00D0AA01
        • GetClassNameW.USER32(00000000,00000008,00000008), ref: 00D0AA0F
        • lstrcmpW.KERNEL32(?,#32770), ref: 00D0AA32
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClassNameParentlstrcmp
        • String ID: #32770
        • API String ID: 3513268407-463685578
        • Opcode ID: b1e12dc8b330135ba1fcab328049f82c13a1879bbce6f318ad2ea355153d94fd
        • Instruction ID: 59176435b61119b06e909adc473047636ddd9ad8cab1ca7c442669d6658ea6ef
        • Opcode Fuzzy Hash: b1e12dc8b330135ba1fcab328049f82c13a1879bbce6f318ad2ea355153d94fd
        • Instruction Fuzzy Hash: 62F05EB1654300AFCA04EF78DC4A92A33A4BB88701FC04D5DB146C7295EB34D5088B72
        APIs
          • Part of subcall function 00D19C90: GetFileAttributesW.KERNEL32(?,00000010,00000000), ref: 00D19D7F
          • Part of subcall function 00D19C90: DeleteFileW.KERNEL32(?), ref: 00D19D8B
        • Sleep.KERNEL32(00000064), ref: 00D30D8C
        • Sleep.KERNEL32(000003E8), ref: 00D30F29
        Strings
        • Bundle is already installing now: , xrefs: 00D30CAC
        • Unable to download bundle :, xrefs: 00D30E50
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: FileSleep$AttributesDelete
        • String ID: Bundle is already installing now: $Unable to download bundle :
        • API String ID: 235145485-532362104
        • Opcode ID: 6392e9e0626bfd623b4eb226ebae896db283c735d07e6fadc37c3384fb1a1499
        • Instruction ID: e8be14c0cf780df21b7d1bf549788857d22592ea82ace6c0f77bf42c04805600
        • Opcode Fuzzy Hash: 6392e9e0626bfd623b4eb226ebae896db283c735d07e6fadc37c3384fb1a1499
        • Instruction Fuzzy Hash: 57A1F5B15083809BD720EB68E845BAFBBE9AF95704F044D1DF18987242EA75D548C7B3
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: String$Free
        • String ID:
        • API String ID: 1391021980-0
        • Opcode ID: 15209a19816eab0605632e77b0b8dcb30613b7be2b5932ce329dfc03960e7b61
        • Instruction ID: af06fc95185ca3c149ce36cec3134e20d186a1ebd631718ace4835b6d78c01f1
        • Opcode Fuzzy Hash: 15209a19816eab0605632e77b0b8dcb30613b7be2b5932ce329dfc03960e7b61
        • Instruction Fuzzy Hash: 3C516FB12042429FD314DF14C884F6BB3E8EB98714F048A1DF689D7290EB34E905CBB6
        APIs
        • GetClientRect.USER32(?,?), ref: 00D0F303
        • GetClientRect.USER32(?,?), ref: 00D0F30E
        • CreateAcceleratorTableW.USER32(?,00000001), ref: 00D0F333
        • GetParent.USER32(?), ref: 00D0F359
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ClientRect$AcceleratorCreateParentTable
        • String ID:
        • API String ID: 2716292469-0
        • Opcode ID: 35bec98852b82bfb1d529d70271b2c329baeeb78f5cdd5e9ffc6088d93e4b314
        • Instruction ID: 05639a1a8e6802c9f7514e4a8ffd3bb782eaaebaaa2efc58be9f53cfc9acee2e
        • Opcode Fuzzy Hash: 35bec98852b82bfb1d529d70271b2c329baeeb78f5cdd5e9ffc6088d93e4b314
        • Instruction Fuzzy Hash: 9B4134712047059FD724DF69C880B6BB3E9FF88314F18892DE88997690E774E949CBB1
        APIs
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF592
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF59F
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF5B0
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF5CB
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF5E6
          • Part of subcall function 00CFF570: DeleteObject.GDI32(?), ref: 00CFF601
        • DeleteObject.GDI32(?), ref: 00D003D1
          • Part of subcall function 00D014C0: DeleteObject.GDI32(?), ref: 00D014D3
        • GetObjectW.GDI32(?,00000018,?), ref: 00D003EB
        • DeleteObject.GDI32(?), ref: 00D0043D
        • GetObjectW.GDI32(?,00000018,?), ref: 00D00487
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Object$Delete
        • String ID:
        • API String ID: 774837909-0
        • Opcode ID: 631c9b98815408b0aa8fb1b1b2ab9ab5cb05a6ef18f9c6b7dc57d0c4babb995c
        • Instruction ID: 7616a72667bacd3087311fdef52371396231a9d8c644f3b2e0b14b41689b1ffe
        • Opcode Fuzzy Hash: 631c9b98815408b0aa8fb1b1b2ab9ab5cb05a6ef18f9c6b7dc57d0c4babb995c
        • Instruction Fuzzy Hash: B6317C75700705ABD660EB29DC85FABB7E8EB84710F44482EF64DC7291EA71E8098B71
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,0000000F,00000000,00000014,DFD45DFC,00000010,0000000F,00000000), ref: 00D191C6
        • RegQueryValueExW.ADVAPI32 ref: 00D19225
        • RegCloseKey.ADVAPI32(?), ref: 00D19234
        • RegCloseKey.ADVAPI32(?), ref: 00D19265
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharCloseMultiWide$OpenQueryValue
        • String ID:
        • API String ID: 3924453400-0
        • Opcode ID: fd3601983f5e809eb4ea552bee517c80c85e94837093bac7a5c35e5045c12396
        • Instruction ID: 709dbd5450359e90ec3f25aef9883affd31338b2b6809f9e18132eab3a2d90ec
        • Opcode Fuzzy Hash: fd3601983f5e809eb4ea552bee517c80c85e94837093bac7a5c35e5045c12396
        • Instruction Fuzzy Hash: 3A21E5B6A043007BD710EF25BC818AFB7A9EBC4314F48452DF94993201EA35EA49C7B6
        APIs
        • GetLastError.KERNEL32(00000000,?,?), ref: 00D7C704
        • GetLastError.KERNEL32 ref: 00D7C7D3
        • SetLastError.KERNEL32(?), ref: 00D7C7E2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast
        • String ID: Unknown error %d (%#x)
        • API String ID: 1452528299-2414550090
        • Opcode ID: 7603d1dba2613a326e62a890f822c6cf6a0d94ea2433f5b159d03128d7477267
        • Instruction ID: 436de6a50b883e985057832f0b1d6ecc000237699fb5dfe0fea4289c8f106ef8
        • Opcode Fuzzy Hash: 7603d1dba2613a326e62a890f822c6cf6a0d94ea2433f5b159d03128d7477267
        • Instruction Fuzzy Hash: 4121D030610301AFD7156B38AC85B2E77E8EF96705F08942DF909D3351FB35E8098AB6
        APIs
        • GetSysColor.USER32(0000000F), ref: 00D01057
        • GetSysColor.USER32(00000012), ref: 00D0105E
        • GetSysColor.USER32(0000000F), ref: 00D01065
        • GetSysColor.USER32(00000012), ref: 00D0106C
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Color
        • String ID:
        • API String ID: 2811717613-0
        • Opcode ID: af1cb10e3e3dbd0813245bb6b1c15ad1bd2c74732b7ae200f65fa24b6dc0f7db
        • Instruction ID: ae32b3e6c80ff2fb9bb9d7275da0b0c4fee095d384f7b20b6803a7b85662ae1d
        • Opcode Fuzzy Hash: af1cb10e3e3dbd0813245bb6b1c15ad1bd2c74732b7ae200f65fa24b6dc0f7db
        • Instruction Fuzzy Hash: F14108B1905B559FD3A0DF2AC945742FFE0FB49B10F904A2EE1AA83A91D771B004CF95
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F47
        • FindResourceW.KERNEL32(00000000,?,?,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E62E
        • SizeofResource.KERNEL32(00000000,00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E650
        • LoadResource.KERNEL32(00000000,00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E65A
        • LockResource.KERNEL32(00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E665
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Resource$ByteCharMultiWide$FindLoadLockSizeof
        • String ID:
        • API String ID: 1289833662-0
        • Opcode ID: da77e141c391b8efc7e1b93e31d18e9f96d1ae28dbf3da7a887c340cb02b5e9c
        • Instruction ID: d011c9417b8ad1f7e1593c658172f9c28fc688e5b993d894b3b5a8f87d75c10a
        • Opcode Fuzzy Hash: da77e141c391b8efc7e1b93e31d18e9f96d1ae28dbf3da7a887c340cb02b5e9c
        • Instruction Fuzzy Hash: B72191B2504348BFC610EF65AC84A6FBBECEB94B04F440A1DF84593241DA35ED448BBA
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
        • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020019,?,?,00000010,0000000B,DFD45DFC,75920F00,00D30F47,00000000), ref: 00D190FC
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F47
        • RegQueryValueExW.ADVAPI32 ref: 00D19140
        • RegCloseKey.ADVAPI32(?), ref: 00D1914F
        • RegCloseKey.ADVAPI32(?,0000000F), ref: 00D1916F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiWide$Close$OpenQueryValue
        • String ID:
        • API String ID: 3834392745-0
        • Opcode ID: eefe3461b3d66fa258d85a60edbbf15a9af03d445592715775ec13c7fd2a7b27
        • Instruction ID: 9e24d9dffe2d902cc622330be50eea6cdbe4cd2382d6d5de9e264397382944b9
        • Opcode Fuzzy Hash: eefe3461b3d66fa258d85a60edbbf15a9af03d445592715775ec13c7fd2a7b27
        • Instruction Fuzzy Hash: 1B215BB1A04301BBD610DF15EC59BABB7A8AFC4B14F04891CF54997240EB74EA48CBB6
        APIs
        • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00D3B036
        • WaitForSingleObject.KERNEL32(?,00001388,?,00000000,?,00000000,00D3D7A5,DFD45DFC,000000FF,?,?,?), ref: 00D3B071
        • TerminateProcess.KERNEL32(00000000,00000001,?,00000000,?,00000000,00D3D7A5,DFD45DFC,000000FF,?,?,?), ref: 00D3B081
        • WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,?,?,?,?,00000000,00D8FE3F,000000FF,00D3D8B4,75920F00,?,00000010), ref: 00D3B08F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ObjectSingleWait$MessageProcessSendTerminate
        • String ID:
        • API String ID: 2718398898-0
        • Opcode ID: c65e52b6c0dcf4676f5766c4181417169fe82e272d537af65e05fb7da5d83ab0
        • Instruction ID: b8ef7238c26cd3988a96210afd3e1c9e73bd2580ae46cd708bdd76f8362655e4
        • Opcode Fuzzy Hash: c65e52b6c0dcf4676f5766c4181417169fe82e272d537af65e05fb7da5d83ab0
        • Instruction Fuzzy Hash: EE118B31700714ABCB39AB64DC81F2BB364EF06760F190557FB90AB655C761EC808BB1
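        The API listings in this report record, per function, the Win32 calls the sandbox observed together with a window of the stack at each call site; only the first few slots are the API's real parameters, the rest belong to the caller's frame, so constants should be decoded only at positions that are known parameters. As an added example (not part of the Joe Sandbox report and not code from the sample), the Python below parses lines in this listing format, decodes the constants at known positions (RegOpenKeyExW samDesired 00020019 = KEY_READ, SendMessageW message 00000010 = WM_CLOSE, WaitForSingleObject timeouts in milliseconds, MultiByteToWideChar code page 0000FDE9 = CP_UTF8), collects the resolved string in the resource-loading stack window (ARCHIVE_7Z; the 0000000A beside it is RT_RCDATA, a reading the report itself does not state) and flags the SendMessageW(WM_CLOSE), then WaitForSingleObject, then TerminateProcess sequence of the entry above, which is a polite-then-forced shutdown of another process. The sample lines are copied from this section's entries; the constant names and parameter positions come from the Win32 SDK, not from the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample input: lines copied from the function listings in this report
# (a registry read, the ARCHIVE_7Z resource load, and the process-termination routine).
SAMPLE_LINES = """
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,0000000F,00000000,00000014,DFD45DFC,00000010,0000000F,00000000), ref: 00D191C6
RegQueryValueExW.ADVAPI32 ref: 00D19225
RegCloseKey.ADVAPI32(?), ref: 00D19234
FindResourceW.KERNEL32(00000000,?,?,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E62E
SizeofResource.KERNEL32(00000000,00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E650
LoadResource.KERNEL32(00000000,00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E65A
LockResource.KERNEL32(00000000,?,?,0000000F,00000000,?,?,ARCHIVE_7Z,0000000A,?,00000010,00000000), ref: 00D1E665
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00D3B036
WaitForSingleObject.KERNEL32(?,00001388,?,00000000,?,00000000,00D3D7A5,DFD45DFC,000000FF,?,?,?), ref: 00D3B071
TerminateProcess.KERNEL32(00000000,00000001,?,00000000,?,00000000,00D3D7A5,DFD45DFC,000000FF,?,?,?), ref: 00D3B081
WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,?,?,?,?,00000000,00D8FE3F,000000FF,00D3D8B4,75920F00,?,00000010), ref: 00D3B08F
"""

HEX = re.compile(r"^[0-9A-F]{8}$")
# "<API>.<MODULE>(<stack window>), ref: <call site>"; the parenthesised part is absent when
# the sandbox recorded no arguments, and "Part of subcall function X:" may prefix the line.
LINE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]              # stack window as printed: hex words, "?" or a resolved string
    ref: int                     # address of the call instruction
    subcall_of: Optional[int] = None


def parse_report(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def _hexval(tok: str) -> Optional[int]:
    return int(tok, 16) if HEX.match(tok) else None


# Win32 SDK constants, keyed by (API, parameter index); only real parameter positions are listed.
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
WINDOW_MSGS = {0x10: "WM_CLOSE", 0x465: "BFFM_ENABLEOK", 0x467: "BFFM_SETSELECTIONW", 0x46A: "BFFM_SETEXPANDED"}
DECODERS: Dict[Tuple[str, int], Callable[[int], Optional[str]]] = {
    ("RegOpenKeyExW", 3): KEY_ACCESS.get,                                  # samDesired
    ("SendMessageW", 1): WINDOW_MSGS.get,                                  # Msg
    ("WaitForSingleObject", 1): lambda v: f"{v} ms",                       # dwMilliseconds
    ("TerminateProcess", 1): lambda v: f"exit code {v}",                   # uExitCode
    ("MultiByteToWideChar", 0): lambda v: "CP_UTF8" if v == 0xFDE9 else None,  # CodePage
}


def decode_args(call: ApiCall) -> Dict[int, str]:
    """Map known parameter positions of this call to their symbolic meaning."""
    out = {}
    for (api, idx), fn in DECODERS.items():
        if call.api == api and idx < len(call.args):
            v = _hexval(call.args[idx])
            if v is not None and (meaning := fn(v)):
                out[idx] = meaning
    return out


RESOURCE_APIS = {"FindResourceW", "FindResourceA", "SizeofResource", "LoadResource", "LockResource"}


def embedded_resource_names(calls: List[ApiCall]) -> Set[str]:
    """Resolved strings in the stack window of resource APIs: names of resources the
    binary reads from its own image, a common place to carry a second-stage payload."""
    names = set()
    for c in calls:
        if c.api in RESOURCE_APIS:
            names.update(a for a in c.args if a != "?" and not HEX.match(a))
    return names


def find_kill_sequences(calls: List[ApiCall]) -> List[Tuple[int, int, int]]:
    """SendMessageW(WM_CLOSE) directly followed by WaitForSingleObject and TerminateProcess:
    ask a process to exit, give it a deadline, then force it. Returns call-site triples."""
    found = []
    for i, c in enumerate(calls):
        if c.api == "SendMessageW" and decode_args(c).get(1) == "WM_CLOSE":
            nxt = calls[i + 1:i + 3]
            if [n.api for n in nxt] == ["WaitForSingleObject", "TerminateProcess"]:
                found.append((c.ref, nxt[0].ref, nxt[1].ref))
    return found


if __name__ == "__main__":
    calls = parse_report(SAMPLE_LINES)
    for c in calls:
        print(f"{c.ref:08X} {c.api}.{c.module} {decode_args(c)}")
    print("resources:", embedded_resource_names(calls), "kill sequences:", find_kill_sequences(calls))
```

        Run it against any "APIs" block copied from this report; entries the regex does not recognise (C++ mangled names such as std::ios_base::_Ios_base_dtor) are skipped rather than misparsed, and arguments at positions not listed in DECODERS are left as the raw stack words so that caller-frame leftovers are never mislabelled as parameters.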
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: DeleteObject$CursorDestroySelect
        • String ID:
        • API String ID: 3321866220-0
        • Opcode ID: d8e24ba09b9e5dcf7ca75e5b70bcd4ab303977fe200302379f1c7c05e6826597
        • Instruction ID: 1dc6d68ae89c5ab941d6143d2ba35b231a389fa194ed4ff2056ab3eb27b00cef
        • Opcode Fuzzy Hash: d8e24ba09b9e5dcf7ca75e5b70bcd4ab303977fe200302379f1c7c05e6826597
        • Instruction Fuzzy Hash: ED215B70604B10AFD7209F24D944B67BBE8FB44B10F444A1EB99AE77C0DB75E8048B71
        APIs
        • MultiByteToWideChar.KERNEL32(?,?,00000003,00000000,?,000000FF,00000000,00000000), ref: 00D02C2C
        • SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 00D02C36
        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,00000003,00000000,?,000000FF,00000000,00000000), ref: 00D02C4B
        • SysFreeString.OLEAUT32(00000000), ref: 00D02C52
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ByteCharMultiStringWide$AllocFree
        • String ID:
        • API String ID: 447844807-0
        • Opcode ID: 7a1f4343e0df31d322866f3ee3af1efc09693019066ac9c29a011a8244cb0459
        • Instruction ID: 66da8bd946c824ce8248887e9ff3f48a79e21026e8d7c3929499de568339810b
        • Opcode Fuzzy Hash: 7a1f4343e0df31d322866f3ee3af1efc09693019066ac9c29a011a8244cb0459
        • Instruction Fuzzy Hash: EA11C47220A3027AE2109B148C8DF7BB7A8EBD4760F30462EF619962D0DAB19804C679
        APIs
        • GetLastError.KERNEL32(00000000,00000000,00000000,?), ref: 00D7C805
        • GetLastError.KERNEL32(?,?,00000000), ref: 00D7C868
        • SetLastError.KERNEL32(?,?,?,00000000), ref: 00D7C877
        Strings
        • Unknown error %u (0x%08X), xrefs: 00D7C84B
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorLast
        • String ID: Unknown error %u (0x%08X)
        • API String ID: 1452528299-1058733786
        • Opcode ID: d1cc883b9f57ab961d9d5d3e1198035147d493c3769b88773fe9db6184f1a680
        • Instruction ID: abad9adc36099a9db1490138066fc705d8f7377582e3a4d3051a43a51e1b36d6
        • Opcode Fuzzy Hash: d1cc883b9f57ab961d9d5d3e1198035147d493c3769b88773fe9db6184f1a680
        • Instruction Fuzzy Hash: 8F01CC75604300AFC300AF69AC4582AB7A8EF85711F88442AF94993311EA35E8088AB3
        APIs
        • ShowWindow.USER32(?,00000005), ref: 00D07217
        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00D07226
        • GetCursorPos.USER32 ref: 00D0725D
        • TrackPopupMenu.USER32(?,00000004,00000000,00000000,00000000,?,00000000), ref: 00D07287
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CursorIconMenuNotifyPopupShell_ShowTrackWindow
        • String ID:
        • API String ID: 665688669-0
        • Opcode ID: 471a2853464b2257172c639a0d3ab7b1a2f876228ac9ed4c9eebd898de5f0b11
        • Instruction ID: 6c52a2cd820b9ed0705e33264792ebea9a190243c4a0e8e7a92ea4e1e05bef9a
        • Opcode Fuzzy Hash: 471a2853464b2257172c639a0d3ab7b1a2f876228ac9ed4c9eebd898de5f0b11
        • Instruction Fuzzy Hash: F60192756043006FE310DB68ED49F6777E8EB94715F00881AF999D7381E7B0A8088BB6
        APIs
        • GetDesktopWindow.USER32 ref: 00D18DEA
        • GetClientRect.USER32(00000000), ref: 00D18DF1
        • SystemParametersInfoW.USER32(00000030,00000000,00000000,00000000), ref: 00D18E02
        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000000), ref: 00D18E45
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: Window$ClientDesktopInfoParametersRectSystem
        • String ID:
        • API String ID: 3430677559-0
        • Opcode ID: 06dd7da8aed35c4e2cc81b0300bf05aa0eb9dbf79041604dbec7eff9d58c8792
        • Instruction ID: 4bee5afca7ab7d25d38643df71f6bd6664e135421744f0e9ae332b3ee016c468
        • Opcode Fuzzy Hash: 06dd7da8aed35c4e2cc81b0300bf05aa0eb9dbf79041604dbec7eff9d58c8792
        • Instruction Fuzzy Hash: B7014F76304A006FD748DB7CDD59BAB7AEAEBC8611F484A1CB545D72D4EA20E8048661
        APIs
        • SHGetPathFromIDListW.SHELL32(?,00DB71F0), ref: 00D225D8
        • SendMessageW.USER32(?,00000465,00000000,00000000), ref: 00D225EB
        • SendMessageW.USER32(?,00000467,00000001,?), ref: 00D22614
        • SendMessageW.USER32(?,0000046A,00000001,?), ref: 00D2261F
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: MessageSend$FromListPath
        • String ID:
        • API String ID: 1178215338-0
        • Opcode ID: 055fddb118994c70d9a78a2270612a41e1cd75a83b5e29b1bbe1acce1e5482cd
        • Instruction ID: 81c56c16eb2cbe360444bf383132e7fef3cf870f61ded369ceeb6ee855bc957f
        • Opcode Fuzzy Hash: 055fddb118994c70d9a78a2270612a41e1cd75a83b5e29b1bbe1acce1e5482cd
        • Instruction Fuzzy Hash: CCF05473745311BBD220CB68AC89F7BA7ACFB9AB15F058909F245E6180C7B1D8009A76
        APIs
          • Part of subcall function 00D18EC0: IsUserAnAdmin.SHELL32 ref: 00D18EC0
        • SetForegroundWindow.USER32(?), ref: 00D3088A
          • Part of subcall function 00D196C0: ShellExecuteExW.SHELL32 ref: 00D1973B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: AdminExecuteForegroundShellUserWindow
        • String ID: - $Can't launch installation
        • API String ID: 335441542-981529950
        • Opcode ID: 85215ea4a08e92e75a3d60628469b74b73fc1ac3e0042253dfbe3c65e6477a45
        • Instruction ID: 2c33aeac5bef0b2cf9d9087f4bc05b78aecbf6e3da5f71f9983a40437cbd70c0
        • Opcode Fuzzy Hash: 85215ea4a08e92e75a3d60628469b74b73fc1ac3e0042253dfbe3c65e6477a45
        • Instruction Fuzzy Hash: 65E17DB14083C09BD731EB64E895BABBBE8AF95304F448D2DE1C947242EA759548CB73
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID:
        • String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
        • API String ID: 0-3791222319
        • Opcode ID: 84ba191e74954298b8b64dcf8e1f85b6c711fb05a5085d7aa28635e0aa9e689e
        • Instruction ID: 4dd0f8384e29231a2c6c80f14bbb5e2a053a5dc9755157251dd4a86eca38da90
        • Opcode Fuzzy Hash: 84ba191e74954298b8b64dcf8e1f85b6c711fb05a5085d7aa28635e0aa9e689e
        • Instruction Fuzzy Hash: BB510972B443019BEB24CE18FC8176BB3D6EB85369F28462AF502C7281D776DD45C6B1
        APIs
        • GetCurrentProcessId.KERNEL32(DFD45DFC,00000000), ref: 00D25B29
          • Part of subcall function 00D8614D: __onexit.MSVCRT ref: 00D86155
          • Part of subcall function 00CF8CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CF8D3A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: CurrentIos_base_dtorProcess__onexitstd::ios_base::_
        • String ID: err: $err: ppid=0
        • API String ID: 280058837-150683369
        • Opcode ID: 84e3cfc257a12541cf91aa1ffb5cd97d8b0f1149dc0fb1cce3f5ecf9c2df9292
        • Instruction ID: 6eb268e8c67768bd7fd0da576d4ab4970b8fac322ea95c22f087e5a19920c753
        • Opcode Fuzzy Hash: 84e3cfc257a12541cf91aa1ffb5cd97d8b0f1149dc0fb1cce3f5ecf9c2df9292
        • Instruction Fuzzy Hash: B741F3B140C340EFD724AB28AC45EAB77D9EB94318F004B2CF466963D5EA3584089B73
        APIs
        • ResetEvent.KERNEL32(?,DFD45DFC), ref: 00D0553A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: EventReset
        • String ID: CREATE_PROCESS$^OK.*?:\d+:(\d+)
        • API String ID: 2632953641-2476907915
        • Opcode ID: 7bea3faa38caad59be99a29f72290492013f85a4633a4da26b5798a050d2683c
        • Instruction ID: 0d45c3935a29c8e58f2dd4aa49dcb854986c1d4e12e48327c506f7f027984479
        • Opcode Fuzzy Hash: 7bea3faa38caad59be99a29f72290492013f85a4633a4da26b5798a050d2683c
        • Instruction Fuzzy Hash: CE417F71108B809FD724DF68D481B6FB7E4FB88720F504A1DF5AA832D1DB75A5098FA2
        APIs
        • ResetEvent.KERNEL32(?,DFD45DFC,?,0000000F,0000000F,00000000), ref: 00D0590D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: EventReset
        • String ID: WIN7_ADD_FW_RULE$^OK.*
        • API String ID: 2632953641-3882624681
        • Opcode ID: 20c0f20f818a42d87daeb493ce617ae2b817ab88699afc7a460b87f010ecc48c
        • Instruction ID: f6c1680be504e887b872055bb1a3560e33a7ffa45ca0c2c50afb364a967fd614
        • Opcode Fuzzy Hash: 20c0f20f818a42d87daeb493ce617ae2b817ab88699afc7a460b87f010ecc48c
        • Instruction Fuzzy Hash: D5418D716087809FC710DB69A451B1FBBE8AB89710F044E1DF59A43382DB79A508CB77
        APIs
        • WriteFile.KERNEL32(?,?,?,?,?,00000001,DFD45DFC), ref: 00D06C6B
        • GetLastError.KERNEL32 ref: 00D06C9E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.4602957418.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
        • Associated: 00000000.00000002.4602938512.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000DB5000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4602957418.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603099738.0000000000E34000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.4603120427.0000000000E35000.00000004.00000001.01000000.00000003.sdmp
        Similarity
        • API ID: ErrorFileLastWrite
        • String ID: WriteFile failed:
        • API String ID: 442123175-2416479103
        • Opcode ID: cc780582c54f1a2e774dea782f3724906ef265a51e261fbcb049759c66324bef
        • Instruction ID: 36336550af3c6b605cf574461e55eb74fa35f1837a634c0a7b6029f267703015
        • Opcode Fuzzy Hash: cc780582c54f1a2e774dea782f3724906ef265a51e261fbcb049759c66324bef
        • Instruction Fuzzy Hash: DE419CB15047409FD720EF65D844B5BBBE8FB88700F004A2DF99997281EB30E9148BB2
        APIs
        • GetDlgItem.USER32(?,000003E8), ref: 00D103D5
          • Part of subcall function 00D101F0: RtlEnterCriticalSection.NTDLL(00DB78D0), ref: 00D101FC
          • Part of subcall function 00D101F0: RegisterClipboardFormatW.USER32(WM_ATLGETHOST), ref: 00D1020D
          • Part of subcall function 00D101F0: RegisterClipboardFormatW.USER32(WM_ATLGETCONTROL), ref: 00D10219
          • Part of subcall function 00D101F0: GetClassInfoExW.USER32(00CE0000,AtlAxWin90,?), ref: 00D10240
          • Part of subcall function 00D101F0: LoadCursorW.USER32 ref: 00D1027E
          • Part of subcall function 00D101F0: RegisterClassExW.USER32 ref: 00D102A1
          • Part of subcall function 00D101F0: GetClassInfoExW.USER32(00CE0000,AtlAxWinLic90,?), ref: 00D102EA
          • Part of subcall function 00D101F0: LoadCursorW.USER32 ref: 00D10322
          • Part of subcall function 00D101F0: RegisterClassExW.USER32 ref: 00D10345
        Strings
        • Can't fetch IID_IOleObject interface, xrefs: 00D10437
        • Can't create IWebBrowser2 instance, xrefs: 00D10401
        Similarity
        • API ID: ClassRegister$ClipboardCursorFormatInfoLoad$CriticalEnterItemSection
        • String ID: Can't create IWebBrowser2 instance$Can't fetch IID_IOleObject interface
        • API String ID: 1128274796-2566292147
        • Opcode ID: 9a9dfd4104b53bdb3c96d5fc663b18a6051c0a9dc635abd911f51bccd18ca9b5
        • Instruction ID: ead025f803c543d29e6264227f20a9d0f734d0614dede13afe8cfc6576c485f2
        • Opcode Fuzzy Hash: 9a9dfd4104b53bdb3c96d5fc663b18a6051c0a9dc635abd911f51bccd18ca9b5
        • Instruction Fuzzy Hash: D3411571204741AFC750EF68D881E5BBBE8BF88704F144A2DF259C7291DB70E949CB62
        APIs
        • ResetEvent.KERNEL32(?,DFD45DFC,00000000,00000000), ref: 00D05379
        Strings
        Similarity
        • API ID: EventReset
        • String ID: SHELLEXECUTE$^OK.*
        • API String ID: 2632953641-3511153457
        • Opcode ID: 89032701fce05ffc41473e4181e3b75dc9f12d7cbfd26177a89773fb00385751
        • Instruction ID: a38736e84c37d46f0e1385ea64ad666070257e4a2a1ab54606f6401e2725bcf8
        • Opcode Fuzzy Hash: 89032701fce05ffc41473e4181e3b75dc9f12d7cbfd26177a89773fb00385751
        • Instruction Fuzzy Hash: 43417DB2208B409FD714DF68D841A5FB7E4EB88710F404A1DF5AA433D2DB75A9098F76
        APIs
        • ResetEvent.KERNEL32(?,DFD45DFC,00000000,00000000), ref: 00D05739
        Strings
        Similarity
        • API ID: EventReset
        • String ID: WRITE_HKLM_KEY$^OK.*
        • API String ID: 2632953641-1393937896
        • Opcode ID: 3e8f87d2476afbb3e5bd9ec7f4b4106c8367709d96f9743d88d254f17d577699
        • Instruction ID: 085272442205c069fcd44a013dafed3b6c58f787f2530e0e581c3a8d0d0f2540
        • Opcode Fuzzy Hash: 3e8f87d2476afbb3e5bd9ec7f4b4106c8367709d96f9743d88d254f17d577699
        • Instruction Fuzzy Hash: 05418CB2208B409FD614DF28D441A5FB7E4EB88710F004A1DF5AA833D2DB75A805CFB6
        APIs
        • ResetEvent.KERNEL32(?,DFD45DFC), ref: 00D051D9
        Strings
        Similarity
        • API ID: EventReset
        • String ID: TERMINATE_PROCESS$^OK.*
        • API String ID: 2632953641-2434239159
        • Opcode ID: 71f1271b191a9b97424c2e5a91ee074067144231bc120f3b1094356b9e731515
        • Instruction ID: 3156935cda5ffdff0f06f815e3a986ce5c413a6a188c39cbe893b91ed02a61e8
        • Opcode Fuzzy Hash: 71f1271b191a9b97424c2e5a91ee074067144231bc120f3b1094356b9e731515
        • Instruction Fuzzy Hash: 04316BB21087409FC714DF68A881A5BB7E4FB98710F404A1DF5AA433C2DB35A909CF76
        APIs
          • Part of subcall function 00CE8FA0: CreateThread.KERNEL32(00000000,00000000,Function_00008B00,00000000), ref: 00CE8FDD
        • CreateThread.KERNEL32(00000000,00000000,Function_000594A0,?,00000000,0000000B), ref: 00D399B0
        Strings
        Similarity
        • API ID: CreateThread
        • String ID: Fail server command show fusion$fusion-show
        • API String ID: 2422867632-1126247115
        • Opcode ID: 1b620b33b096c908130efae4f3b023c49a1749d6ebd8d184f60f01bcf3732bcd
        • Instruction ID: 130903fc95a02e0fd6f6188d993447b8c6b1fc9d2c1ace8c3a57c6c584580b1d
        • Opcode Fuzzy Hash: 1b620b33b096c908130efae4f3b023c49a1749d6ebd8d184f60f01bcf3732bcd
        • Instruction Fuzzy Hash: 203190B1118380AFD704DB68D895B6BFBE4EB85754F444A1DF49543382DBB9E808CB63
        APIs
        • WaitForSingleObject.KERNEL32(?,00001388), ref: 00D05099
        • ResetEvent.KERNEL32(?), ref: 00D05148
        Strings
        Similarity
        • API ID: EventObjectResetSingleWait
        • String ID: ^TERMINATED
        • API String ID: 3162950495-744291783
        • Opcode ID: 14e5117b4bd564bee328972b92596fc0686ffcda97ec815262dc15d7e11cdb44
        • Instruction ID: e54e0b7fdcebc4faa27f9e26daf58f05c0cfa957524136e7c4a04a2487e22de6
        • Opcode Fuzzy Hash: 14e5117b4bd564bee328972b92596fc0686ffcda97ec815262dc15d7e11cdb44
        • Instruction Fuzzy Hash: 15219871208B41AFC700DF59D851B5AB7E8FB98720F104A1DF999837C0DBB5A908CBB2
        APIs
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,00D048E6,?,DFD45DFC,DFD45DFC), ref: 00D18EFB
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F32
          • Part of subcall function 00D18ED0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D18F47
        • ShellExecuteExW.SHELL32 ref: 00D1973B
        Strings
        Similarity
        • API ID: ByteCharMultiWide$ExecuteShell
        • String ID: <$L
        • API String ID: 4114931494-1555180027
        • Opcode ID: 5b61fd7dbff0c718b95f95e1125f6c49083a7a11fb07561b1a0c264b944afa9b
        • Instruction ID: a8bb958cdc8720adba84c5ca969fb58bc46046be36e8f12a7145424a35abe6a5
        • Opcode Fuzzy Hash: 5b61fd7dbff0c718b95f95e1125f6c49083a7a11fb07561b1a0c264b944afa9b
        • Instruction Fuzzy Hash: 0A2180B1514300ABD201EF19AC818AFFBE8EFD4750F480A1EF58492204EB75DA49CBB7
        APIs
        • FormatMessageW.KERNEL32(00001100,00000000,00000000,00000800,?,00000000,00000000,75293D70,00000000,?,00D03233), ref: 00D2274D
        • LocalFree.KERNEL32(?,?,?,?,00000000,?,?), ref: 00D227DB
        Strings
        • ormatMessage Native Error, xrefs: 00D22780
        Similarity
        • API ID: FormatFreeLocalMessage
        • String ID: ormatMessage Native Error
        • API String ID: 1427518018-327778693
        • Opcode ID: ce26337c38035fc337af965cb7bcab7237cff10eaeb67214d07fe1f6403be93a
        • Instruction ID: 8356ef772a64fdb80652ead1ea04594a511d36200b524c7d78897123737c117f
        • Opcode Fuzzy Hash: ce26337c38035fc337af965cb7bcab7237cff10eaeb67214d07fe1f6403be93a
        • Instruction Fuzzy Hash: A82158B6604302AFC724DF28D805A67B7E5EFD8711F24496DF586D7294EA70A804CB71
        APIs
          • Part of subcall function 00D1E8F0: EnumProcesses.PSAPI(?,00001000,?,DFD45DFC,00000000,?,0000000F,00000000,00000000,00D8C67D,000000FF,00D1FD74,00000000,00100001), ref: 00D1E945
        • TerminateProcess.KERNEL32(00000000,00000001,?,DFD45DFC), ref: 00D1EBFF
        Strings
        Similarity
        • API ID: EnumProcessProcessesTerminate
        • String ID: Process is not found$TerminateProcess failed:
        • API String ID: 3965109945-3139234549
        • Opcode ID: 1aae8062e37bb73ae5425f10303ab90820244dbf73a35523e181bc0f01353ff7
        • Instruction ID: 63be748cb171c316af1e10611ace3dd3ac50206c3d0ac1d4e3ab3bf7d8469b5b
        • Opcode Fuzzy Hash: 1aae8062e37bb73ae5425f10303ab90820244dbf73a35523e181bc0f01353ff7
        • Instruction Fuzzy Hash: BC21D1B1508340AFDB14EB24DC46B9BB7E5EB84708F40491DF856873D2EBB9D4448BB2
        APIs
        Strings
        Similarity
        • API ID: ErrorLastrecv
        • String ID: Recv failure: %s
        • API String ID: 2514157807-4276829032
        • Opcode ID: 5c0d68ad84db0affa4c3a217ce598024ee96b6077ee66beb8391d0411e00ade8
        • Instruction ID: 5b54e0e631d66cb5d4617f4282b8b35889b3087240f259c6c2a79ca8e86cb871
        • Opcode Fuzzy Hash: 5c0d68ad84db0affa4c3a217ce598024ee96b6077ee66beb8391d0411e00ade8
        • Instruction Fuzzy Hash: 04117FB12442449FD7309F58DC81BEBB7E8EF89310F44451AFA8997381D6B4A8048BB2
        APIs
        Strings
        Similarity
        • API ID: MessageParentSend
        • String ID: 0
        • API String ID: 928151917-4108050209
        • Opcode ID: 807fa0f8fb654a362d7295cb94988cb9671f403a423b14a6d1259a6610e88dd3
        • Instruction ID: ddc1d084f165416d2df37aa9b869ed8240db8325f8e5f3371ea7210ee8af10f5
        • Opcode Fuzzy Hash: 807fa0f8fb654a362d7295cb94988cb9671f403a423b14a6d1259a6610e88dd3
        • Instruction Fuzzy Hash: EB01B0B4508301AFD344DF59D855B5BBBF4AFC8744F50891EF598862A0E3B09905CFA2
        APIs
        • FreeLibrary.KERNEL32(00000000), ref: 00D38196
        • TerminateThread.KERNEL32(?,00000002), ref: 00D381A7
          • Part of subcall function 00D380F0: Sleep.KERNEL32(00000064), ref: 00D3811E
        Strings
        Similarity
        • API ID: FreeLibrarySleepTerminateThread
        • String ID: installer aborted
        • API String ID: 3157352780-562507505
        • Opcode ID: ec12bfe4ed233110ae6331ed0c12e11db2731b1ec84b5a50acd6c2b2d0a94b92
        • Instruction ID: 9936d9843c00c871f7e3a0ff717a095c56dc8eb15a9fb9d3fa83fbeea2d0e4c0
        • Opcode Fuzzy Hash: ec12bfe4ed233110ae6331ed0c12e11db2731b1ec84b5a50acd6c2b2d0a94b92
        • Instruction Fuzzy Hash: A8013C31519300EFEB359B74DD4DBAA7BD0AB45741F08450AF242D12A1CBB4E885EB71
        APIs
        • lstrlen.KERNEL32(00000000,?,0000000F,00000000,00000000,00000017,?,?,?,?,0000000F,00000000,00D2464C,00000000,00000000,00000009), ref: 00D268B8
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,?,?,?,0000000F,00000000,00D2464C,00000000,00000000,00000009), ref: 00D268CB
        Similarity
        • API ID: ByteCharMultiWidelstrlen
        • String ID:
        • API String ID: 3109718747-0
        • Opcode ID: 9782583edabaf714e350beca3def01826b75f31fc9d0e896d541d329c489f437
        • Instruction ID: 4669a8eca98a62545d9168354f41144b208c01213acf64f677eb490e5e3d02b7
        • Opcode Fuzzy Hash: 9782583edabaf714e350beca3def01826b75f31fc9d0e896d541d329c489f437
        • Instruction Fuzzy Hash: B321F1B2A00325ABE7209F55EC41F6B36A8DF65714F180129FA09EB380EA34DD408BF5
        APIs
        • lstrlen.KERNEL32(00000000,?,0000000F,00000000,00000000,00000017,?,?,?,?,0000000F,00000000,00D2464C,00000000,00000000,00000009), ref: 00D269B8
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,?,?,?,0000000F,00000000,00D2464C,00000000,00000000,00000009), ref: 00D269CB
        Similarity
        • API ID: ByteCharMultiWidelstrlen
        • String ID:
        • API String ID: 3109718747-0
        • Opcode ID: 730527aa0a9edb526f64ce41d4812cfe47cd2d36f25766ac06eae2841088b4b1
        • Instruction ID: 976b4cfa91bb814fd351adbe012d3ac5d18ed85cc97c598086ad17358117c6ed
        • Opcode Fuzzy Hash: 730527aa0a9edb526f64ce41d4812cfe47cd2d36f25766ac06eae2841088b4b1
        • Instruction Fuzzy Hash: 2D21D372A00325ABDB20AF55EC41F6B36A8DF61754F148129FA09FB380EA34DD1087F5